Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
  • submitted
    25-11-2024 00:43

General

  • Target

    77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe

  • Size

    4.9MB

  • MD5

    5e69adf2beb7d1a8ef40e68fc56ca480

  • SHA1

    0c7168362ba93f9b1eab9c7ff836dcd96331bdbb

  • SHA256

    77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745

  • SHA512

    549f8db5372aaa68e948865d5ac688d0db15b7f6c2234638bb17441c99e565756ecc88e9d8b1437ba8073bc1e314473d2107153a085988c778fe55bd29d49435

  • SSDEEP

    49152:rl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 48 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 27 IoCs
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 8 IoCs
  • Checks whether UAC is enabled 1 TTPs 18 IoCs
  • Drops file in Program Files directory 24 IoCs
  • Drops file in Windows directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe
    "C:\Users\Admin\AppData\Local\Temp\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2728
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2144
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2128
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2236
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2364
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:520
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2288
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2556
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:852
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2928
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:664
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1384
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2156
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6qhBZ49x50.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3032
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:1684
        • C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe
          "C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe"
          3⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3028
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7cf55efb-0e91-4b71-98f9-05109ee922eb.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2652
            • C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe
              "C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe"
              5⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:620
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\deff6f75-f45d-4d34-9bba-f06a9e7df8bc.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:3048
                • C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe
                  "C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe"
                  7⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:1576
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1b104d9-e253-4b42-b42e-e5090ad57cac.vbs"
                    8⤵
                      PID:2352
                      • C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe
                        "C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe"
                        9⤵
                        • UAC bypass
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:552
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87d1419a-a200-4d3e-92c5-640ba1ec601d.vbs"
                          10⤵
                            PID:924
                            • C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe
                              "C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe"
                              11⤵
                              • UAC bypass
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • System policy modification
                              PID:1416
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e36fb4c-7569-4b84-94de-71be27ae3725.vbs"
                                12⤵
                                  PID:2936
                                  • C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe
                                    "C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe"
                                    13⤵
                                    • UAC bypass
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • System policy modification
                                    PID:1632
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d691490d-96dd-4495-922c-fdb6c432e31a.vbs"
                                      14⤵
                                        PID:2124
                                        • C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe
                                          "C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe"
                                          15⤵
                                          • UAC bypass
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • System policy modification
                                          PID:2908
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9463ab25-8e6c-4089-a669-f4de3451a852.vbs"
                                            16⤵
                                              PID:1548
                                              • C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe
                                                "C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe"
                                                17⤵
                                                • UAC bypass
                                                • Executes dropped EXE
                                                • Checks whether UAC is enabled
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                • System policy modification
                                                PID:2940
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e3562cb-13b9-49bb-bedf-6f36715a3692.vbs"
                                                  18⤵
                                                    PID:1672
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6b01d28-74e0-43ec-ac44-6cd42b7012c9.vbs"
                                                    18⤵
                                                      PID:2000
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d99d1eac-bc03-4288-8ab1-69b5b97481e6.vbs"
                                                  16⤵
                                                    PID:2404
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a6d866c-06ca-4cfc-862c-09fda5fdce60.vbs"
                                                14⤵
                                                  PID:2468
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c4a3163-a875-4128-ac05-284182cda200.vbs"
                                              12⤵
                                                PID:2316
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89e421d0-3a25-4cba-8b91-e33282f358a5.vbs"
                                            10⤵
                                              PID:852
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a29bec6-3f81-4320-8d99-a6fda73ab1bc.vbs"
                                          8⤵
                                            PID:2356
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60ab0e79-b3c8-4a2d-acca-971022ce81eb.vbs"
                                        6⤵
                                          PID:2848
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1a4fd2c-6e7b-4721-8173-d36979ccd80f.vbs"
                                      4⤵
                                        PID:2464
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2732
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2416
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2632
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N7" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2080
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2664
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N7" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Games\Purble Place\es-ES\77dc34adbbb7897de858bd5447a0ff762b6bf7f1465a6cc7046d84983cc42745N.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2600
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:428
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1240
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:924
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\Logs\DISM\taskhost.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2124
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Logs\DISM\taskhost.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2320
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\DISM\taskhost.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1776
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:520
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2956
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2508
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1816
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:664
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1160
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\wininit.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:572
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:940
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2024
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\DigitalLocker\ja-JP\spoolsv.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2020
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\ja-JP\spoolsv.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2368
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\DigitalLocker\ja-JP\spoolsv.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1908
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\de-DE\WmiPrvSE.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2468
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1292
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2480
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\services.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1396
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\services.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2492
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\services.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2512
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1580
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /rl HIGHEST /f
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1328
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /rl HIGHEST /f
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1768
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\lsass.exe'" /f
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1596
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\lsass.exe'" /rl HIGHEST /f
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1728
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\lsass.exe'" /rl HIGHEST /f
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1056
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\en-US\Idle.exe'" /f
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1476
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\en-US\Idle.exe'" /rl HIGHEST /f
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1972
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\en-US\Idle.exe'" /rl HIGHEST /f
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1656
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\winlogon.exe'" /f
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2028
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\winlogon.exe'" /rl HIGHEST /f
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:360
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\winlogon.exe'" /rl HIGHEST /f
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1788
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\sppsvc.exe'" /f
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:112
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Skins\sppsvc.exe'" /rl HIGHEST /f
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:556
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\sppsvc.exe'" /rl HIGHEST /f
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2184
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:3048
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2584
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2040

                                Network

                                MITRE ATT&CK Enterprise v15

                                Downloads

                                • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\RCX8A28.tmp

                                  Filesize

                                  4.9MB

                                • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe

                                  Filesize

                                  4.9MB

                                • C:\Users\Admin\AppData\Local\Temp\0e3562cb-13b9-49bb-bedf-6f36715a3692.vbs

                                  Filesize

                                  797B

                                • C:\Users\Admin\AppData\Local\Temp\4e36fb4c-7569-4b84-94de-71be27ae3725.vbs

                                  Filesize

                                  797B

                                • C:\Users\Admin\AppData\Local\Temp\6qhBZ49x50.bat

                                  Filesize

                                  286B

                                • C:\Users\Admin\AppData\Local\Temp\7cf55efb-0e91-4b71-98f9-05109ee922eb.vbs

                                  Filesize

                                  797B

                                • C:\Users\Admin\AppData\Local\Temp\87d1419a-a200-4d3e-92c5-640ba1ec601d.vbs

                                  Filesize

                                  796B

                                • C:\Users\Admin\AppData\Local\Temp\9463ab25-8e6c-4089-a669-f4de3451a852.vbs

                                  Filesize

                                  797B

                                • C:\Users\Admin\AppData\Local\Temp\a1a4fd2c-6e7b-4721-8173-d36979ccd80f.vbs

                                  Filesize

                                  573B

                                • C:\Users\Admin\AppData\Local\Temp\c1b104d9-e253-4b42-b42e-e5090ad57cac.vbs

                                  Filesize

                                  797B

                                • C:\Users\Admin\AppData\Local\Temp\d691490d-96dd-4495-922c-fdb6c432e31a.vbs

                                  Filesize

                                  797B

                                • C:\Users\Admin\AppData\Local\Temp\deff6f75-f45d-4d34-9bba-f06a9e7df8bc.vbs

                                  Filesize

                                  796B

                                • C:\Users\Admin\AppData\Local\Temp\tmpB30A.tmp.exe

                                  Filesize

                                  75KB

                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                  Filesize

                                  7KB
