Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    21-12-2024 21:46

General

  • Target

    JaffaCakes118_20aba09a3266759e8b0e2c8868082a31f541cbc0b6b233b18e24face77320461.exe

  • Size

    1.3MB

  • MD5

    0880167e5ec03a35ec7e473d933337c2

  • SHA1

    e722babb9516e2104a996fc349f68be4d386d246

  • SHA256

    20aba09a3266759e8b0e2c8868082a31f541cbc0b6b233b18e24face77320461

  • SHA512

    27df89a4af55fedc53ab98916b1fc67908e5caab307971d303c4cf9a081c97c4e55a6398e620ec4eecbfccb35334a3368821f25b109db04ce7851efbdbcbc65c

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 33 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20aba09a3266759e8b0e2c8868082a31f541cbc0b6b233b18e24face77320461.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_20aba09a3266759e8b0e2c8868082a31f541cbc0b6b233b18e24face77320461.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2636
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2172
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2580
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1388
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2332
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3068
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\ShellBrd\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1684
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1532
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1540
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:896
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2000
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1752
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2452
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1772
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2180
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6ossFTShKU.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2936
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:3000
              • C:\Program Files (x86)\Windows Portable Devices\conhost.exe
                "C:\Program Files (x86)\Windows Portable Devices\conhost.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:484
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cU7BGbiaqd.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:580
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:2104
                    • C:\Program Files (x86)\Windows Portable Devices\conhost.exe
                      "C:\Program Files (x86)\Windows Portable Devices\conhost.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2240
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z9xTb8lNHs.bat"
                        9⤵
                          PID:1912
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            10⤵
                              PID:1864
                            • C:\Program Files (x86)\Windows Portable Devices\conhost.exe
                              "C:\Program Files (x86)\Windows Portable Devices\conhost.exe"
                              10⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:556
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gMBHdlpNUB.bat"
                                11⤵
                                  PID:2268
                                  • C:\Windows\system32\w32tm.exe
                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    12⤵
                                      PID:2060
                                    • C:\Program Files (x86)\Windows Portable Devices\conhost.exe
                                      "C:\Program Files (x86)\Windows Portable Devices\conhost.exe"
                                      12⤵
                                      • Executes dropped EXE
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1364
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ktiZWDSHsI.bat"
                                        13⤵
                                          PID:2164
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            14⤵
                                              PID:1456
                                            • C:\Program Files (x86)\Windows Portable Devices\conhost.exe
                                              "C:\Program Files (x86)\Windows Portable Devices\conhost.exe"
                                              14⤵
                                              • Executes dropped EXE
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2320
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ottjOj3FQt.bat"
                                                15⤵
                                                  PID:2884
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    16⤵
                                                      PID:1380
                                                    • C:\Program Files (x86)\Windows Portable Devices\conhost.exe
                                                      "C:\Program Files (x86)\Windows Portable Devices\conhost.exe"
                                                      16⤵
                                                      • Executes dropped EXE
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2440
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kbrh69MYEy.bat"
                                                        17⤵
                                                          PID:556
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            18⤵
                                                              PID:2060
                                                            • C:\Program Files (x86)\Windows Portable Devices\conhost.exe
                                                              "C:\Program Files (x86)\Windows Portable Devices\conhost.exe"
                                                              18⤵
                                                              • Executes dropped EXE
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:1064
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vlZZCFJNsh.bat"
                                                                19⤵
                                                                  PID:2744
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    20⤵
                                                                      PID:2148
                                                                    • C:\Program Files (x86)\Windows Portable Devices\conhost.exe
                                                                      "C:\Program Files (x86)\Windows Portable Devices\conhost.exe"
                                                                      20⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:864
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zY3yp8Lh1n.bat"
                                                                        21⤵
                                                                          PID:1708
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            22⤵
                                                                              PID:2100
                                                                            • C:\Program Files (x86)\Windows Portable Devices\conhost.exe
                                                                              "C:\Program Files (x86)\Windows Portable Devices\conhost.exe"
                                                                              22⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:1328
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ph8sa6VtQm.bat"
                                                                                23⤵
                                                                                  PID:2528
                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    24⤵
                                                                                      PID:1196
                                                                                    • C:\Program Files (x86)\Windows Portable Devices\conhost.exe
                                                                                      "C:\Program Files (x86)\Windows Portable Devices\conhost.exe"
                                                                                      24⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:2296
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat"
                                                                                        25⤵
                                                                                          PID:2648
                                                                                          • C:\Windows\system32\w32tm.exe
                                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                            26⤵
                                                                                              PID:2112
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\services.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2980
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\services.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2988
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\services.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1516
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2880
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1500
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2408
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\Branding\ShellBrd\explorer.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2060
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\explorer.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1536
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\Branding\ShellBrd\explorer.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1612
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Windows\Cursors\OSPPSVC.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:356
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Cursors\OSPPSVC.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:584
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\OSPPSVC.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1504
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\WmiPrvSE.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2012
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\WmiPrvSE.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2348
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\WmiPrvSE.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2848
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1664
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1652
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1336
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2924
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2404
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1488
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\OSPPSVC.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2104
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\OSPPSVC.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2080
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\OSPPSVC.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2208
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1004
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:448
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1932
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Recent\cmd.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1316
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default\Recent\cmd.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1000
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Recent\cmd.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1992
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\Idle.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1092
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Favorites\Idle.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1616
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\Idle.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:960

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Downloads

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                          • C:\Users\Admin\AppData\Local\Temp\6ossFTShKU.bat

                                            Filesize

                                            224B

                                          • C:\Users\Admin\AppData\Local\Temp\Cab43E5.tmp

                                            Filesize

                                            70KB

                                          • C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat

                                            Filesize

                                            224B

                                          • C:\Users\Admin\AppData\Local\Temp\Ph8sa6VtQm.bat

                                            Filesize

                                            224B

                                          • C:\Users\Admin\AppData\Local\Temp\Tar43E8.tmp

                                            Filesize

                                            181KB

                                          • C:\Users\Admin\AppData\Local\Temp\cU7BGbiaqd.bat

                                            Filesize

                                            224B

                                          • C:\Users\Admin\AppData\Local\Temp\gMBHdlpNUB.bat

                                            Filesize

                                            224B

                                          • C:\Users\Admin\AppData\Local\Temp\kbrh69MYEy.bat

                                            Filesize

                                            224B

                                          • C:\Users\Admin\AppData\Local\Temp\ktiZWDSHsI.bat

                                            Filesize

                                            224B

                                          • C:\Users\Admin\AppData\Local\Temp\ottjOj3FQt.bat

                                            Filesize

                                            224B

                                          • C:\Users\Admin\AppData\Local\Temp\vlZZCFJNsh.bat

                                            Filesize

                                            224B

                                          • C:\Users\Admin\AppData\Local\Temp\z9xTb8lNHs.bat

                                            Filesize

                                            224B

                                          • C:\Users\Admin\AppData\Local\Temp\zY3yp8Lh1n.bat

                                            Filesize

                                            224B

                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AK2Z63FW49FNHJW78EKO.temp

                                            Filesize

                                            7KB

                                          • C:\providercommon\1zu9dW.bat

                                            Filesize

                                            36B

                                          • C:\providercommon\DllCommonsvc.exe

                                            Filesize

                                            1.0MB

                                          • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                            Filesize

                                            197B
