Overview

overview

10

Static

static

10

36157893d0...fN.exe

windows7-x64

10

36157893d0...fN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    116s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-12-2024 22:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe

  • Size

    1.8MB

  • MD5

    30742ba610a6e66abe158742a400b5a0

  • SHA1

    2ae4b096bc3cfdc876204597a74a69f7203e1b1d

  • SHA256

    36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bf

  • SHA512

    c4c6da35dbadbf12fba72fe695c056d5dcc5b7793b98ded3c66877f9db4e5360f0371ec08c76ce4f85d6585ee40e3110b41889883f0bc436add314f01cb099e4

  • SSDEEP

    49152:WhjAJVllHZrhbBruPk+xjSMX4ODTDF8OcFSkMh:WgVTVXYNX9mOWSkM

Score
10/10
dcratevasionexecutioninfostealerrattrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 48 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 21 IoCs
    evasiontrojan
  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Checks whether UAC is enabled 1 TTPs 14 IoCs
    evasiontrojan
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 7 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 21 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe
    "C:\Users\Admin\AppData\Local\Temp\36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2968
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bfN.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2124
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4524
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\System.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:960
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\taskhostw.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3196
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4060
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\fontdrvhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4084
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Screen\smss.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1332
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\dllhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4648
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\sihost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1524
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\USOShared\Logs\dllhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2020
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\MsEdgeCrashpad\OfficeClickToRun.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3368
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\unsecapp.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4088
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:972
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\uk-UA\dllhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2252
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1888
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3448
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\OfficeClickToRun.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4672
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W00dMFxN5z.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2820
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:4992
        • C:\Users\Default User\taskhostw.exe
          "C:\Users\Default User\taskhostw.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:5628
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8aa7d683-679e-4d4a-9501-09f0880cc86e.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:5856
            • C:\Users\Default User\taskhostw.exe
              "C:\Users\Default User\taskhostw.exe"
              5⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:3668
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d0c2849-ab7c-4c27-885b-d81eb9dd13bf.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:4020
                • C:\Users\Default User\taskhostw.exe
                  "C:\Users\Default User\taskhostw.exe"
                  7⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:4404
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\da3870b3-c350-4fd0-a5a3-1d4b6e84334a.vbs"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:5424
                    • C:\Users\Default User\taskhostw.exe
                      "C:\Users\Default User\taskhostw.exe"
                      9⤵
                      • UAC bypass
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Modifies registry class
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      • System policy modification
                      PID:2464
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6aef004-bced-4287-8c17-8f44b1b3dc03.vbs"
                        10⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2168
                        • C:\Users\Default User\taskhostw.exe
                          "C:\Users\Default User\taskhostw.exe"
                          11⤵
                          • UAC bypass
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Modifies registry class
                          • Suspicious use of AdjustPrivilegeToken
                          • System policy modification
                          PID:4700
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3735c479-12b7-498c-9e2f-ed91c4bba3aa.vbs"
                            12⤵
                              PID:4888
                              • C:\Users\Default User\taskhostw.exe
                                "C:\Users\Default User\taskhostw.exe"
                                13⤵
                                • UAC bypass
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Checks whether UAC is enabled
                                • Modifies registry class
                                • Suspicious use of AdjustPrivilegeToken
                                • System policy modification
                                PID:5580
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb2c1a9b-059c-48ff-b989-d22f57bb45f1.vbs"
                                  14⤵
                                    PID:5384
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5cfeec40-68bf-4736-96b1-953d0a224f68.vbs"
                                    14⤵
                                      PID:5844
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e30a4dd-ae60-4a9a-9a2a-43f706f83606.vbs"
                                  12⤵
                                    PID:4460
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29f2bd6d-91a6-4def-8a62-fc206b115135.vbs"
                                10⤵
                                  PID:3936
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81e2ca5f-0498-4b1a-a883-6165d5ece440.vbs"
                              8⤵
                                PID:1612
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fa63fe5-f922-4229-b627-ae40e4c50b94.vbs"
                            6⤵
                              PID:5428
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d6cc04f-84ee-4594-8a1c-e82826451a5b.vbs"
                          4⤵
                            PID:5904
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\dllhost.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1944
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2168
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:3588
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\System.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:3528
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\System.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4304
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\System.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1368
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\taskhostw.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1068
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2096
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1820
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:3912
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1620
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:932
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\fontdrvhost.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:896
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\fontdrvhost.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1144
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\fontdrvhost.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4016
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\Web\Screen\smss.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1588
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Web\Screen\smss.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:920
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\Web\Screen\smss.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:3204
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\dllhost.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:944
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4460
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:884
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\Public\AccountPictures\sihost.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4472
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\sihost.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:3492
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\Public\AccountPictures\sihost.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2224
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\USOShared\Logs\dllhost.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1612
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\USOShared\Logs\dllhost.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4820
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\USOShared\Logs\dllhost.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2704
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Windows\Temp\MsEdgeCrashpad\OfficeClickToRun.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4660
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Temp\MsEdgeCrashpad\OfficeClickToRun.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4056
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Windows\Temp\MsEdgeCrashpad\OfficeClickToRun.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:3860
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:3832
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2568
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:928
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2500
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4240
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\winlogon.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:3756
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\dllhost.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4340
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\dllhost.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:5076
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\dllhost.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4656
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1824
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1732
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:544
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1964
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:2524
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1884
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\OfficeClickToRun.exe'" /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:1956
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\OfficeClickToRun.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:3032
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\OfficeClickToRun.exe'" /rl HIGHEST /f
                      1⤵
                      • Process spawned unexpected child process
                      • Scheduled Task/Job: Scheduled Task
                      PID:4364

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\ProgramData\USOShared\Logs\dllhost.exe
                      Filesize

                      1.8MB

                      MD5

                      2d9b26d99e98a704e8a32260fe21567d

                      SHA1

                      d4f8692b741db36a43a510effe105f578db39d24

                      SHA256

                      9d65053fdcc9321f0d6998c052a19a102d1f778254fc0291b47babb2dca72336

                      SHA512

                      55761ecd24329ccba42485548bafe1abc48ab62fd306bbba396b41d70230d5ac710bdfcd4e52434cabf65260459223b0328824acf2cc1febc36ef70e79e659b6

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                      Filesize

                      2KB

                      MD5

                      d85ba6ff808d9e5444a4b369f5bc2730

                      SHA1

                      31aa9d96590fff6981b315e0b391b575e4c0804a

                      SHA256

                      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                      SHA512

                      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\taskhostw.exe.log
                      Filesize

                      1KB

                      MD5

                      4a667f150a4d1d02f53a9f24d89d53d1

                      SHA1

                      306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

                      SHA256

                      414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

                      SHA512

                      4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      944B

                      MD5

                      6d3e9c29fe44e90aae6ed30ccf799ca8

                      SHA1

                      c7974ef72264bbdf13a2793ccf1aed11bc565dce

                      SHA256

                      2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

                      SHA512

                      60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      944B

                      MD5

                      d28a889fd956d5cb3accfbaf1143eb6f

                      SHA1

                      157ba54b365341f8ff06707d996b3635da8446f7

                      SHA256

                      21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

                      SHA512

                      0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      944B

                      MD5

                      2e907f77659a6601fcc408274894da2e

                      SHA1

                      9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

                      SHA256

                      385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

                      SHA512

                      34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      944B

                      MD5

                      e243a38635ff9a06c87c2a61a2200656

                      SHA1

                      ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

                      SHA256

                      af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

                      SHA512

                      4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      944B

                      MD5

                      3a6bad9528f8e23fb5c77fbd81fa28e8

                      SHA1

                      f127317c3bc6407f536c0f0600dcbcf1aabfba36

                      SHA256

                      986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

                      SHA512

                      846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\3735c479-12b7-498c-9e2f-ed91c4bba3aa.vbs
                      Filesize

                      711B

                      MD5

                      ac2ebdc09cd8737bee956afde84ae546

                      SHA1

                      fc1abc998f26d91a1a7a57c11ee528528a571aef

                      SHA256

                      8153092b7051780a5d4422106f146850f81afc374514f7d8b412f5d92b382a20

                      SHA512

                      64bf9411ed04635d1be39615ad6a368d16e922dbcd3a013335ac90a82ea5f31f228858509fa45f8654664485e1854a9c6e808192566580159ef41cf946b3d146

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\5d6cc04f-84ee-4594-8a1c-e82826451a5b.vbs
                      Filesize

                      487B

                      MD5

                      f0c0496e2b6fb3db1fc4ffb78381d181

                      SHA1

                      f2f0fc3b501f664e205a1faadd2ca267e93a2572

                      SHA256

                      b986c0572b43270f69af728a6c99f6184c9ab924440494b30279fcabc4b3df60

                      SHA512

                      af588f002204e90c03b017b9aaeef9595db9e62399b2ef551dde214264c69e4f6d8829ad6b0b1025e6e63ff61aa8026fdd6b0b25204734aff7e091e23a98558d

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\7d0c2849-ab7c-4c27-885b-d81eb9dd13bf.vbs
                      Filesize

                      711B

                      MD5

                      35d3ca613351dca45135a95bd6f73111

                      SHA1

                      e292dc3b763c95020846a723e9bb3b6506fa2935

                      SHA256

                      9cc3622ae27598065e08c79babadd1ce3902619d52113075dbde00e234079cdd

                      SHA512

                      df35dae2510686d63dd64fab56e7aa4a30642d7b35bc96e7d6f684e12ea19d236a321f7e9846a87b927cca99c2422b1a274f9e43d6525db89d9f865573caba5b

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\8aa7d683-679e-4d4a-9501-09f0880cc86e.vbs
                      Filesize

                      711B

                      MD5

                      4af8bb7408eabc89835a86f1df5bfb0a

                      SHA1

                      f0fe3832bd51578b13eb025f121acadc08c52ebf

                      SHA256

                      5bc666bab3a0c0240a4eaa753f6e98ec572350702834c0a167e76a80bd926499

                      SHA512

                      54ecad607b05d8fc4c97ae780a4d7180b2938283c544082c6803b8920ef764093d052cd297ece18d6f5621f3825915db7e5f531e0975b0f1bd942d89f36b2f30

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\W00dMFxN5z.bat
                      Filesize

                      200B

                      MD5

                      21a0c51dd29b94dc38e7601d5e0d304b

                      SHA1

                      255003f662970fea7e3186fc5e40ee21a1995192

                      SHA256

                      c658c43a7458983c0f4b5a8cb598985105c23f3da2feefa6a8d53d6f649c6e02

                      SHA512

                      b5f8ec6dec9f53336b0948b8a6f5c99bdd64299c12c4728c6b5c24d8eaafc5083e005bb52d561f57b6b6447f9fa4b0bb100d7e77b8d024308920cb0967a9fbb2

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ze2c5r4x.aui.ps1
                      Filesize

                      60B

                      MD5

                      d17fe0a3f47be24a6453e9ef58c94641

                      SHA1

                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                      SHA256

                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                      SHA512

                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\da3870b3-c350-4fd0-a5a3-1d4b6e84334a.vbs
                      Filesize

                      711B

                      MD5

                      11abb1fd15fb97443b002b8045bfa3dd

                      SHA1

                      6913e9404dc35a468bb1900cbea647bf1534c3ec

                      SHA256

                      6438de4e4c44e9e49a3f3dfc5221a066a95beef60b82732051a14a9157f6371f

                      SHA512

                      5fd4ce25078bfc53c9d264fbf5e138603ad2ba1c738d2c1d5b8afa61af27e6f15421b30018b71be95edc90c01f29a6a355b9f6daded49e9529ff72da6cdc5f08

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\e6aef004-bced-4287-8c17-8f44b1b3dc03.vbs
                      Filesize

                      711B

                      MD5

                      675e6ee61e5683dfb6cc9bd7dd81fad7

                      SHA1

                      6b147caea965debcfd832952707cb6342eec7b91

                      SHA256

                      2384b911edb4d775c93b0ccb41d19f11633400630994d87187ee7552e664cb4a

                      SHA512

                      4f8f3cd1be7cd60f557a72c08c2afe584992c1b6d5926404ae60e84dbb3df124df4c6b93e16e88ac90239bf0645791808a708bdce99c8f6299baededca4ed5dd

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\fb2c1a9b-059c-48ff-b989-d22f57bb45f1.vbs
                      Filesize

                      711B

                      MD5

                      787a4b7392746d99053bbcaed08b4ddf

                      SHA1

                      07c9fac84dcdc749c391c053796378690c98d295

                      SHA256

                      d18cd9cbb12295de7f6f42de04265b944224b5a66361204680174b29a2f03cf1

                      SHA512

                      0bbce99158ba784f19189af0638b6e50584e6fb25200faa747cdddf88a21e9fd0eec66597465747415825b20ec74bb12f0bd7d1c86b2a412d92d405772d15e71

                      Download Submit

                    • C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\fontdrvhost.exe
                      Filesize

                      1.8MB

                      MD5

                      30742ba610a6e66abe158742a400b5a0

                      SHA1

                      2ae4b096bc3cfdc876204597a74a69f7203e1b1d

                      SHA256

                      36157893d0fbe825ea17747b97b7eb5893059a6f1aa06080deb87ef47410b6bf

                      SHA512

                      c4c6da35dbadbf12fba72fe695c056d5dcc5b7793b98ded3c66877f9db4e5360f0371ec08c76ce4f85d6585ee40e3110b41889883f0bc436add314f01cb099e4

                      Download Submit

                    • memory/1888-176-0x000002703DF20000-0x000002703DF42000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2968-10-0x0000000002AF0000-0x0000000002AFA000-memory.dmp

                      Filesize

                      40KB

                      Download

                    • memory/2968-0-0x00007FFC7FDF3000-0x00007FFC7FDF5000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/2968-147-0x00007FFC7FDF0000-0x00007FFC808B1000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/2968-166-0x00007FFC7FDF0000-0x00007FFC808B1000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/2968-17-0x000000001B4C0000-0x000000001B4CC000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/2968-16-0x000000001B4B0000-0x000000001B4BC000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/2968-14-0x000000001B490000-0x000000001B49E000-memory.dmp

                      Filesize

                      56KB

                      Download

                    • memory/2968-15-0x000000001B4A0000-0x000000001B4AE000-memory.dmp

                      Filesize

                      56KB

                      Download

                    • memory/2968-13-0x0000000002CB0000-0x0000000002CBA000-memory.dmp

                      Filesize

                      40KB

                      Download

                    • memory/2968-12-0x000000001C310000-0x000000001C838000-memory.dmp

                      Filesize

                      5.2MB

                      Download

                    • memory/2968-11-0x0000000002C70000-0x0000000002C82000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/2968-132-0x00007FFC7FDF3000-0x00007FFC7FDF5000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/2968-9-0x0000000002C80000-0x0000000002C90000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/2968-7-0x0000000002AC0000-0x0000000002AD6000-memory.dmp

                      Filesize

                      88KB

                      Download

                    • memory/2968-8-0x0000000002AE0000-0x0000000002AF2000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/2968-5-0x0000000002AA0000-0x0000000002AA8000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/2968-1-0x00000000006B0000-0x000000000087E000-memory.dmp

                      Filesize

                      1.8MB

                      Download

                    • memory/2968-6-0x0000000002AB0000-0x0000000002AC0000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/2968-4-0x0000000002C20000-0x0000000002C70000-memory.dmp

                      Filesize

                      320KB

                      Download

                    • memory/2968-3-0x0000000001090000-0x00000000010AC000-memory.dmp

                      Filesize

                      112KB

                      Download

                    • memory/2968-2-0x00007FFC7FDF0000-0x00007FFC808B1000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/3668-372-0x000000001BFE0000-0x000000001BFF2000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/4700-407-0x000000001BC80000-0x000000001BC92000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/4700-406-0x0000000002B50000-0x0000000002B62000-memory.dmp

                      Filesize

                      72KB

                      Download