Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    17-11-2024 04:57

General

  • Target

    4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe

  • Size

    4.9MB

  • MD5

    6e7923159a06c48bb09a81080d2d8266

  • SHA1

    a2126afd2d75f3dedb602fd7f63b9940e0b47c22

  • SHA256

    4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14

  • SHA512

    d2ddd13c739e92febab2685f393aeed15140c4b03d3c15ec49c86bac764ab6e3a01982a64118bd9d4e700161b85e1a7f3a91f904322ecc17d6253174a08f4365

  • SSDEEP

    49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 39 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 36 IoCs
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Checks whether UAC is enabled 1 TTPs 24 IoCs
  • Drops file in Program Files directory 24 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe
    "C:\Users\Admin\AppData\Local\Temp\4df2dbcbeb6a3e0e6909c6bf1543308f4de207ee57a904fda2ed2ed0e6522b14.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2360
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2148
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2680
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2840
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2120
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3004
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2600
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2744
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1932
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:540
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2200
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2408
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2860
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hs0sn2L6wi.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2876
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:2800
        • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe
          "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2124
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3cdb8ee-0726-4212-b937-b3beddfec743.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2948
            • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe
              "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"
              5⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2576
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b2a2203-4a5d-4a4a-a926-4c350a596aa9.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:1612
                • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe
                  "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"
                  7⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:2772
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3a74449-cbc7-4681-8a73-247704307d6d.vbs"
                    8⤵
                      PID:2412
                      • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe
                        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"
                        9⤵
                        • UAC bypass
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:1932
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53e2a958-5a4b-41d6-9f4e-c25d3c55600f.vbs"
                          10⤵
                            PID:2860
                            • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe
                              "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"
                              11⤵
                              • UAC bypass
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • System policy modification
                              PID:1944
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e32edd9-6e70-4578-94ef-ee9f3be44825.vbs"
                                12⤵
                                  PID:2320
                                  • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe
                                    "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"
                                    13⤵
                                    • UAC bypass
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • System policy modification
                                    PID:2684
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e430e252-e5f5-45b6-a030-9a719da2b330.vbs"
                                      14⤵
                                        PID:1600
                                        • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe
                                          "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"
                                          15⤵
                                          • UAC bypass
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • System policy modification
                                          PID:1136
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32f9b173-8f76-464c-b3cc-53ebd4189533.vbs"
                                            16⤵
                                              PID:2772
                                              • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe
                                                "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"
                                                17⤵
                                                • UAC bypass
                                                • Executes dropped EXE
                                                • Checks whether UAC is enabled
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                • System policy modification
                                                PID:2292
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86000b1e-ea65-4f43-973d-d5dfc0415136.vbs"
                                                  18⤵
                                                    PID:2352
                                                    • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe
                                                      "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"
                                                      19⤵
                                                      • UAC bypass
                                                      • Executes dropped EXE
                                                      • Checks whether UAC is enabled
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • System policy modification
                                                      PID:2076
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb541896-b775-4315-b5ff-f6ea9288c609.vbs"
                                                        20⤵
                                                          PID:2336
                                                          • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe
                                                            "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"
                                                            21⤵
                                                            • UAC bypass
                                                            • Executes dropped EXE
                                                            • Checks whether UAC is enabled
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            • System policy modification
                                                            PID:1860
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e51c0d6-98e3-4963-877f-889aaa8eea97.vbs"
                                                              22⤵
                                                                PID:988
                                                                • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe
                                                                  "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe"
                                                                  23⤵
                                                                  • UAC bypass
                                                                  • Executes dropped EXE
                                                                  • Checks whether UAC is enabled
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  • System policy modification
                                                                  PID:1780
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e51f38fd-9ba6-4250-a4c8-2d9006856539.vbs"
                                                                    24⤵
                                                                      PID:2676
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\28733509-40e2-4a82-8428-b0664447d8fd.vbs"
                                                                      24⤵
                                                                        PID:680
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da0aa89d-aa3b-48b2-878c-80493f910f67.vbs"
                                                                    22⤵
                                                                      PID:2376
                                                                • C:\Windows\System32\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b959eb7-5698-48e1-97bb-56085a85d3d4.vbs"
                                                                  20⤵
                                                                    PID:2424
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c2f8a08-4d44-48a7-a649-7178c41ca286.vbs"
                                                                18⤵
                                                                  PID:2268
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\621e4bb5-ea86-4af6-8bbd-359974861059.vbs"
                                                              16⤵
                                                                PID:328
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95932655-c738-490b-b26f-ab1a6bf3f3b6.vbs"
                                                            14⤵
                                                              PID:3052
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e66d39f-fbd5-4c52-970c-e552e9bc9e55.vbs"
                                                          12⤵
                                                            PID:2820
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6946b19-d9f7-43a1-b77e-0b6af9bf0db5.vbs"
                                                        10⤵
                                                          PID:580
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e72ad55-b141-43db-aeae-473cf7b63099.vbs"
                                                      8⤵
                                                        PID:1988
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\71a54d09-d7d0-40f8-99cb-ef77c22aa4c9.vbs"
                                                    6⤵
                                                      PID:2536
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fc57db3-e45e-4322-8a73-b1b80b2d87a8.vbs"
                                                  4⤵
                                                    PID:1748
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2856
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2724
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2844
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Users\Default\NetHood\OSPPSVC.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2864
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\NetHood\OSPPSVC.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2100
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\Default\NetHood\OSPPSVC.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2916
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2624
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2572
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2636
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\WmiPrvSE.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:644
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\WmiPrvSE.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2096
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\WmiPrvSE.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1032
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Windows\AppCompat\Programs\OSPPSVC.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1852
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\OSPPSVC.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2896
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Windows\AppCompat\Programs\OSPPSVC.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2540
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2800
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2972
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:536
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Videos\WMIADAP.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2456
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Default\Videos\WMIADAP.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1044
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Videos\WMIADAP.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1976
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2756
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1908
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WMIADAP.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2424
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\wininit.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2912
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\wininit.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2380
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\wininit.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1916
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\de-DE\sppsvc.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2384
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\sppsvc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2212
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\de-DE\sppsvc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:916
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\WMIADAP.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1840
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\WMIADAP.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:692
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\WMIADAP.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2036
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\OSPPSVC.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1632
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1284
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1544
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\fr-FR\lsm.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1664
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\fr-FR\lsm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2516
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\fr-FR\lsm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1684

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Downloads
