Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-12-2024 03:45

General

  • Target

    2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe

  • Size

    4.9MB

  • MD5

    35612ca19890339ff523d7a64dcc546f

  • SHA1

    8f6eb8a29167819fbe9b6274b770f2df64381203

  • SHA256

    2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177

  • SHA512

    1ed3e12527195000b086b06fd468e77f6e3364f0ee5de617739c67e7d843e61575d46da91313165b7b21d38e7f7a2587528127e5256c96c1c864ca4d78158b05

  • SSDEEP

    49152:jl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8J:J

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 48 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 36 IoCs
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Checks whether UAC is enabled 1 TTPs 24 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 36 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe
    "C:\Users\Admin\AppData\Local\Temp\2595a5990466d02fc47c374c7835b4d5fe3edb5441f95519c82e23543819c177.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2352
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1752
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2344
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1996
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2936
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2828
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2768
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2248
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1580
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3004
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2388
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2592
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2144
    • C:\Program Files\Windows Journal\en-US\csrss.exe
      "C:\Program Files\Windows Journal\en-US\csrss.exe"
      2⤵
      • UAC bypass
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1956
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f1c13e4-c0c8-4a54-a86a-292f65afca35.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2816
        • C:\Program Files\Windows Journal\en-US\csrss.exe
          "C:\Program Files\Windows Journal\en-US\csrss.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2712
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7fe609b4-6da5-49f2-9060-0a9f4a387bea.vbs"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2448
            • C:\Program Files\Windows Journal\en-US\csrss.exe
              "C:\Program Files\Windows Journal\en-US\csrss.exe"
              6⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:688
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41771fb1-b761-4b9f-b16b-08f342145f90.vbs"
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:2344
                • C:\Program Files\Windows Journal\en-US\csrss.exe
                  "C:\Program Files\Windows Journal\en-US\csrss.exe"
                  8⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • System policy modification
                  PID:2880
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e06c2fc-ca93-46bd-9967-5c4c580d59b6.vbs"
                    9⤵
                      PID:2568
                      • C:\Program Files\Windows Journal\en-US\csrss.exe
                        "C:\Program Files\Windows Journal\en-US\csrss.exe"
                        10⤵
                        • UAC bypass
                        • Executes dropped EXE
                        • Checks whether UAC is enabled
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:2576
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\82eebeaa-2538-4e5b-be8a-0f74f97d4275.vbs"
                          11⤵
                            PID:3044
                            • C:\Program Files\Windows Journal\en-US\csrss.exe
                              "C:\Program Files\Windows Journal\en-US\csrss.exe"
                              12⤵
                              • UAC bypass
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • System policy modification
                              PID:3048
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3dfbb9ce-64bf-4e42-96d1-1560dd7e9d12.vbs"
                                13⤵
                                  PID:2556
                                  • C:\Program Files\Windows Journal\en-US\csrss.exe
                                    "C:\Program Files\Windows Journal\en-US\csrss.exe"
                                    14⤵
                                    • UAC bypass
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • System policy modification
                                    PID:2580
                                    • C:\Windows\System32\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c28e1fe7-612c-415a-8774-d421d7d82b02.vbs"
                                      15⤵
                                        PID:2152
                                        • C:\Program Files\Windows Journal\en-US\csrss.exe
                                          "C:\Program Files\Windows Journal\en-US\csrss.exe"
                                          16⤵
                                          • UAC bypass
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          • System policy modification
                                          PID:1684
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f97bf3a-de10-4db3-97de-5b7f101c3927.vbs"
                                            17⤵
                                              PID:1596
                                              • C:\Program Files\Windows Journal\en-US\csrss.exe
                                                "C:\Program Files\Windows Journal\en-US\csrss.exe"
                                                18⤵
                                                • UAC bypass
                                                • Executes dropped EXE
                                                • Checks whether UAC is enabled
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                • System policy modification
                                                PID:2632
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad1cc912-6b8e-4056-9915-8f8bf7131697.vbs"
                                                  19⤵
                                                    PID:1112
                                                    • C:\Program Files\Windows Journal\en-US\csrss.exe
                                                      "C:\Program Files\Windows Journal\en-US\csrss.exe"
                                                      20⤵
                                                      • UAC bypass
                                                      • Executes dropped EXE
                                                      • Checks whether UAC is enabled
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • System policy modification
                                                      PID:1976
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f690321-a7dc-4fb3-bd25-59f3a8d67a61.vbs"
                                                        21⤵
                                                          PID:2092
                                                          • C:\Program Files\Windows Journal\en-US\csrss.exe
                                                            "C:\Program Files\Windows Journal\en-US\csrss.exe"
                                                            22⤵
                                                            • UAC bypass
                                                            • Executes dropped EXE
                                                            • Checks whether UAC is enabled
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            • System policy modification
                                                            PID:2360
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bcd59b35-944e-421b-adf4-154e92bbe218.vbs"
                                                              23⤵
                                                                PID:2508
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f727063-96d9-4a62-b674-283bd2e806d0.vbs"
                                                                23⤵
                                                                  PID:2160
                                                            • C:\Windows\System32\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc6be96d-9109-427a-9c49-24958b5c4bc5.vbs"
                                                              21⤵
                                                                PID:2640
                                                          • C:\Windows\System32\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ca53583-2e80-493f-8637-fd9b6f432fac.vbs"
                                                            19⤵
                                                              PID:2840
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ddb76530-bc5c-4927-9f58-f2f3fe6813dd.vbs"
                                                          17⤵
                                                            PID:740
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d46916bb-3457-40e4-b441-12a687b03dc2.vbs"
                                                        15⤵
                                                          PID:2356
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\419e6393-043a-4f40-ab46-5992bc79c588.vbs"
                                                      13⤵
                                                        PID:1736
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26f1ea8d-f96c-4710-b5ac-aedfc0f7cb28.vbs"
                                                    11⤵
                                                      PID:448
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce024d87-9349-433b-bb00-00e0921120d1.vbs"
                                                  9⤵
                                                    PID:2756
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e293aee4-160e-4154-a611-dc079d5c4eb1.vbs"
                                                7⤵
                                                  PID:3056
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81dc88ad-b4e9-43d4-a2d4-25eb65d86612.vbs"
                                              5⤵
                                                PID:1696
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bcda4d7c-ed9a-4cc7-8740-d33f78c99f20.vbs"
                                            3⤵
                                              PID:2948
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2872
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2852
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2768
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2628
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2936
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2820
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Saved Games\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2792
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:532
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Saved Games\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2632
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1956
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2680
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1916
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2972
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1040
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3024
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\Fonts\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:308
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Fonts\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:692
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2832
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3000
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2956
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3040
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1616
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1984
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:592
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:580
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1408
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1088
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\en-US\csrss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1788
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\en-US\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:236
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\en-US\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2176
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3020
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1452
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2276
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\OSPPSVC.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1072
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2152
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1924
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1540
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1896
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1104
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1680
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1708
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1212
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:928
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2576
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2112
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Adobe\Updater6\Idle.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1652
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Updater6\Idle.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:536
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Adobe\Updater6\Idle.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1548

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Downloads
