Analysis

  • max time kernel
    120s
  • max time network
    114s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    07-12-2024 06:33

General

  • Target

    0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe

  • Size

    1.7MB

  • MD5

    784f5cdc78ca7bf50ad113eb9d580290

  • SHA1

    b93e873ee52b7e462c2de9d12c229e9c4e35a9be

  • SHA256

    0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253d

  • SHA512

    e6d13471a5c2269a9b9ba1e5f4f87662c63cfe87e53631615a45a3e8459f37c285eae13e29d3fe67f6589020cd461267714e27e6d93e7218fca6d1c1012ab7d9

  • SSDEEP

    49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:OTHUxUoh1IF9gl2

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 54 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 8 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 8 IoCs
  • Drops file in Program Files directory 40 IoCs
  • Drops file in Windows directory 20 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 8 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe
    "C:\Users\Admin\AppData\Local\Temp\0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253dN.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4288
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4220
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:1920
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:3360
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:3928
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4676
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:5056
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4580
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:5068
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:3620
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:4108
    • C:\Program Files\Windows Security\winlogon.exe
      "C:\Program Files\Windows Security\winlogon.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1276
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca71778b-0f81-4aa1-b901-1fa1f2a50c9c.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3424
        • C:\Program Files\Windows Security\winlogon.exe
          "C:\Program Files\Windows Security\winlogon.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3452
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc3b5190-1131-4395-81b4-31afc606f554.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2216
            • C:\Program Files\Windows Security\winlogon.exe
              "C:\Program Files\Windows Security\winlogon.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2764
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7150173-4efe-4d85-a33e-20ea39bd53da.vbs"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:4728
                • C:\Program Files\Windows Security\winlogon.exe
                  "C:\Program Files\Windows Security\winlogon.exe"
                  8⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Modifies registry class
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2460
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8489687-9588-456e-b33f-520b8c6e911f.vbs"
                    9⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3676
                    • C:\Program Files\Windows Security\winlogon.exe
                      "C:\Program Files\Windows Security\winlogon.exe"
                      10⤵
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Modifies registry class
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:4956
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f35f877c-307c-4abf-b93b-79b94492d6c8.vbs"
                        11⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2624
                        • C:\Program Files\Windows Security\winlogon.exe
                          "C:\Program Files\Windows Security\winlogon.exe"
                          12⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Modifies registry class
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:5012
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3de73ccb-233b-4b3f-8eeb-4b65b3906bea.vbs"
                            13⤵
                            • Suspicious use of WriteProcessMemory
                            PID:3276
                            • C:\Program Files\Windows Security\winlogon.exe
                              "C:\Program Files\Windows Security\winlogon.exe"
                              14⤵
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Modifies registry class
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:3664
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f99ba17-cdb0-4b16-b271-fcdd3f564534.vbs"
                                15⤵
                                  PID:4256
                                  • C:\Program Files\Windows Security\winlogon.exe
                                    "C:\Program Files\Windows Security\winlogon.exe"
                                    16⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4088
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65a8609f-ad01-48b2-bdac-c74e00cca91b.vbs"
                                  15⤵
                                    PID:5016
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d33bacf5-3be6-42cd-9dd8-9eee418f8d7d.vbs"
                                13⤵
                                  PID:1896
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9bb852aa-63b8-4d0f-9eef-60bf6e1f46ee.vbs"
                              11⤵
                                PID:1900
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ba6a277-cf56-4b13-9bcc-8cfcfda53a34.vbs"
                            9⤵
                              PID:5108
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c67d6646-b11b-4ed3-b815-0609d7da7136.vbs"
                          7⤵
                            PID:2496
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fe861aa-af97-4ee1-a4df-a5d2a03c75aa.vbs"
                        5⤵
                          PID:440
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\959fc25b-4314-4d2c-bafd-1d410b95db32.vbs"
                      3⤵
                        PID:2488
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\taskhostw.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:3988
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\All Users\taskhostw.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2396
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\taskhostw.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:3788
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\ModemLogs\sppsvc.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4488
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ModemLogs\sppsvc.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2532
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\ModemLogs\sppsvc.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4448
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\defaults\sysmon.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:3840
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\sysmon.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:1176
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\defaults\sysmon.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:1960
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\unsecapp.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:3152
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\unsecapp.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2732
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\unsecapp.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2816
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\RuntimeBroker.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2896
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\RuntimeBroker.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:956
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\RuntimeBroker.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4676
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fontdrvhost.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4068
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fontdrvhost.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:3500
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fontdrvhost.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:3220
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Windows\Help\en-US\sihost.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:1644
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Help\en-US\sihost.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:1104
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Windows\Help\en-US\sihost.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:512
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2240
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2104
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:1304
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\System.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2596
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:1268
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:3452
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\fontdrvhost.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:5000
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\fontdrvhost.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2144
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\fontdrvhost.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:3008
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellExperiences\StartMenuExperienceHost.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4168
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2632
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellExperiences\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2540
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4728
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:3416
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:3392
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:5028
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2044
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:3404
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\winlogon.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:3868
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Security\winlogon.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2764
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\winlogon.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:1360
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\explorer.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2660
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:3288
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2644
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Desktop\SppExtComObj.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:5036
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default\Desktop\SppExtComObj.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2856
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Desktop\SppExtComObj.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4036
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\upfc.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:920
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\upfc.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4284
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\upfc.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:3524
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Windows\Provisioning\Cosa\OEM\RuntimeBroker.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:1088
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Provisioning\Cosa\OEM\RuntimeBroker.exe'" /rl HIGHEST /f
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:1200
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\Provisioning\Cosa\OEM\RuntimeBroker.exe'" /rl HIGHEST /f
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4816

                  Network

                  MITRE ATT&CK Enterprise v15

                  Downloads

                  • C:\Program Files\WindowsPowerShell\Configuration\Registration\RuntimeBroker.exe

                    Filesize

                    1.7MB

                  • C:\Recovery\WindowsRE\Registry.exe

                    Filesize

                    1.7MB

                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                    Filesize

                    2KB

                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winlogon.exe.log

                    Filesize

                    1KB

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                    Filesize

                    944B

                  • C:\Users\Admin\AppData\Local\Temp\3de73ccb-233b-4b3f-8eeb-4b65b3906bea.vbs

                    Filesize

                    722B

                  • C:\Users\Admin\AppData\Local\Temp\4f99ba17-cdb0-4b16-b271-fcdd3f564534.vbs

                    Filesize

                    722B

                  • C:\Users\Admin\AppData\Local\Temp\959fc25b-4314-4d2c-bafd-1d410b95db32.vbs

                    Filesize

                    498B

                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5yvxehpb.lje.ps1

                    Filesize

                    60B

                  • C:\Users\Admin\AppData\Local\Temp\b8489687-9588-456e-b33f-520b8c6e911f.vbs

                    Filesize

                    722B

                  • C:\Users\Admin\AppData\Local\Temp\c7150173-4efe-4d85-a33e-20ea39bd53da.vbs

                    Filesize

                    722B

                  • C:\Users\Admin\AppData\Local\Temp\ca71778b-0f81-4aa1-b901-1fa1f2a50c9c.vbs

                    Filesize

                    722B

                  • C:\Users\Admin\AppData\Local\Temp\cc3b5190-1131-4395-81b4-31afc606f554.vbs

                    Filesize

                    722B

                  • C:\Users\Admin\AppData\Local\Temp\f35f877c-307c-4abf-b93b-79b94492d6c8.vbs

                    Filesize

                    722B

                  • C:\Users\Default\Desktop\SppExtComObj.exe

                    Filesize

                    1.7MB

                  • C:\Users\Default\System.exe

                    Filesize

                    1.7MB

                  • C:\Users\Default\explorer.exe

                    Filesize

                    1.7MB
