Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    21-12-2024 19:16

General

  • Target

    JaffaCakes118_498eb41fd1ac0afa219fcbb97f19095ae673520f3ba940037cde4ed367ab89f1.exe

  • Size

    1.3MB

  • MD5

    9708e132f7decac513ba63b18c3bda83

  • SHA1

    bf0716a01c4809bcdcaa17071ba15dd1259cc4e5

  • SHA256

    498eb41fd1ac0afa219fcbb97f19095ae673520f3ba940037cde4ed367ab89f1

  • SHA512

    7efa95c47e1f7f9b2e822ef32f04aa6978c0cc8e2006f54d3b5df694d644ec38c350094cbfe4607031fcab903325494883184058c32eae82d011a9415bdc4aad

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 57 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_498eb41fd1ac0afa219fcbb97f19095ae673520f3ba940037cde4ed367ab89f1.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_498eb41fd1ac0afa219fcbb97f19095ae673520f3ba940037cde4ed367ab89f1.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2288
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2388
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1304
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2916
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2936
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2708
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Recorded TV\Sample Media\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2528
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2232
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2196
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2760
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2568
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1340
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\WIA\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2880
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WMIADAP.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1940
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Desktop\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2860
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1860
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1784
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2752
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2000
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2148
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1264
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\WMIADAP.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1956
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2744
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\laZcHbiAhz.bat"
            5⤵
              PID:1076
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                  PID:1728
                • C:\providercommon\lsm.exe
                  "C:\providercommon\lsm.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:688
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat"
                    7⤵
                      PID:1964
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        8⤵
                          PID:3028
                        • C:\providercommon\lsm.exe
                          "C:\providercommon\lsm.exe"
                          8⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2988
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5G5G1KH0qy.bat"
                            9⤵
                              PID:2528
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                10⤵
                                  PID:1992
                                • C:\providercommon\lsm.exe
                                  "C:\providercommon\lsm.exe"
                                  10⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2936
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat"
                                    11⤵
                                      PID:2276
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        12⤵
                                          PID:2524
                                        • C:\providercommon\lsm.exe
                                          "C:\providercommon\lsm.exe"
                                          12⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2680
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat"
                                            13⤵
                                              PID:2692
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                14⤵
                                                  PID:688
                                                • C:\providercommon\lsm.exe
                                                  "C:\providercommon\lsm.exe"
                                                  14⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2856
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat"
                                                    15⤵
                                                      PID:2016
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        16⤵
                                                          PID:2468
                                                        • C:\providercommon\lsm.exe
                                                          "C:\providercommon\lsm.exe"
                                                          16⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2784
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat"
                                                            17⤵
                                                              PID:1668
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                18⤵
                                                                  PID:2708
                                                                • C:\providercommon\lsm.exe
                                                                  "C:\providercommon\lsm.exe"
                                                                  18⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2388
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\lsm.exe'" /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2188
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\lsm.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2904
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\lsm.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2668
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\csrss.exe'" /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2584
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\csrss.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2548
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\csrss.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2608
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Recorded TV\Sample Media\wininit.exe'" /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2580
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\wininit.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:976
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Recorded TV\Sample Media\wininit.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:1684
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\dwm.exe'" /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2772
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\dwm.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:1664
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\dwm.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:1636
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\taskhost.exe'" /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2836
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\taskhost.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2516
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\taskhost.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2356
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dllhost.exe'" /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2768
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:1336
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:1760
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:560
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2928
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2920
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\tracing\dllhost.exe'" /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:660
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\tracing\dllhost.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:1788
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\tracing\dllhost.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2004
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\debug\WIA\lsm.exe'" /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2948
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\debug\WIA\lsm.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:1836
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Windows\debug\WIA\lsm.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:1484
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:448
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2512
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2336
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Desktop\smss.exe'" /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:948
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Desktop\smss.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2120
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Desktop\smss.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:1008
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsm.exe'" /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2040
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:684
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2376
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2248
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:1368
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:1284
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:752
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:1140
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2452
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:292
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:1964
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2616
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\Idle.exe'" /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:1028
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\Idle.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2364
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\Idle.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2128
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\providercommon\conhost.exe'" /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:1600
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:1604
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2352
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\WMIADAP.exe'" /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2472
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Default User\WMIADAP.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2412
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\WMIADAP.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2108
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2312
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2676
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:3000

                              Network

                              MITRE ATT&CK Enterprise v15

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                Filesize

                                342B

                                MD5

                                e58033018dd2de4f7e354dde9e55699c

                                SHA1

                                35f895a5fff018f2121b929101027ecf74cfa6cc

                                SHA256

                                7e9d334aa79340451e2fc30d3aac6c3b0af2ee162b87bc933e2d67c4ead91336

                                SHA512

                                30b31a5986f3907cec7cc5c2b332caeb1c82564bc5ff6cd9aacd32aa630828089e45a7bb93965e8968bf8a4e8874d1472918ed676cb0e1a9a29a629d9e15425c

                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                Filesize

                                342B

                                MD5

                                91e10bfdff0182f4d866cb0af4a412b9

                                SHA1

                                3b27e314fa4f170ee4cac8ac83781c3962a39806

                                SHA256

                                34f58ee517a1ffaf013304ebd87898002d49e944b2f1dad2cd23f1731687d43e

                                SHA512

                                2f1d8a8b4403af700cabaa192be70795a349990c6cff0f2a3736d2c39f3f6fa318c0d66d0ea8abeff06f9c92d5052dac1d227e81a9614201d9d47d3010bc6bbe

                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                Filesize

                                342B

                                MD5

                                3b1af541748470d7f588b0d362814f13

                                SHA1

                                2116c736a7ab3aeaa538a3f5cf0d21e74bb74c37

                                SHA256

                                ea7c7d889809e469a4a4952183fad81739d4df94903cad1a5d409147a5303167

                                SHA512

                                e8f0d69b3f498ee979fc2f850bb07c85876b3042148b15fccfef0df4d8f70d281a17de1fd14ad83c98073288491459dd1f604c9f2bd8b75a877bd413449d7752

                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                Filesize

                                342B

                                MD5

                                43a411ec52ee07205f1125f647af7a91

                                SHA1

                                d516f78ca7b85c33be6d4b74dc14ea594e7cadc6

                                SHA256

                                1bc0cc6c860b9c42f2ffeb5532e94eeae0f7ba190f0fcb5f0f9f6ca8170a0185

                                SHA512

                                705480ce4a8f7588891fb55addb98e139e5f0bedf8d35a47268de5a8f72db855dd27f6735fbfef943f2ed6892e9ca5406e55ed435219cf3f506b8a5baa8636da

                              • C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat

                                Filesize

                                190B

                                MD5

                                122e64a8ac106d88f3f55a50c2187eb6

                                SHA1

                                474b0dceb9b3ea05e418a596fb8d0115bf9492be

                                SHA256

                                ad63fbcc697a4de02949e250b36e564c1508a01d9597e9c42d8ae455b1859aa1

                                SHA512

                                f253732f1bda4d7fa16686c676dab3e286f17e02c135d2bf775ff80fc63fe5fae9556e64bea42210b8afb9ae0d4b5ec9a9dce3b975c2e206e1597df5be15efd6

                              • C:\Users\Admin\AppData\Local\Temp\5G5G1KH0qy.bat

                                Filesize

                                190B

                                MD5

                                e54962540193c813d3d956f7e1469ae8

                                SHA1

                                86838fa90f8e039f008ed56c0c46ff87ce380ff8

                                SHA256

                                cc0f2932695259c74de17cb25d8e464942f9513bdbf5c778a5f01218f9d2a31c

                                SHA512

                                870e499e640b833706b4c5bb2e6db59e37011effbaebc9443ffa56e0fe42e450fb975f12c7cc9d71c9f9120690cbbba83fcf913b7186d55ffec38b3c4ab1ca9a

                              • C:\Users\Admin\AppData\Local\Temp\Cab3A54.tmp

                                Filesize

                                70KB

                                MD5

                                49aebf8cbd62d92ac215b2923fb1b9f5

                                SHA1

                                1723be06719828dda65ad804298d0431f6aff976

                                SHA256

                                b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                SHA512

                                bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                              • C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat

                                Filesize

                                190B

                                MD5

                                46c9a71720f51ff534edc4e895a7db37

                                SHA1

                                9f1ae6cee766b89e94d97557872705bc6b17d342

                                SHA256

                                aa2d41d4555cfdf30e9937f38957def17c45ca52c45f12fb161c2fb6f9211249

                                SHA512

                                7f591fc7714adb08e24fa2e5c449b4163484ef4f15aa93b412075de75b1b9956cf1bea279176162e13e6b868c7a28445fb11162e94966429d9e8edd1f5c0b529

                              • C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat

                                Filesize

                                190B

                                MD5

                                f8f95ca3e3e69d94c1df493c71e00c08

                                SHA1

                                ac061ba39f813a6bceefbc5226bf13cfcf3c1546

                                SHA256

                                91aa33d97c57e2390e1bb3b436a6afcff86a13d6b6787051853d866eeb183123

                                SHA512

                                fb30304eeda7cd6e09ded5037f0f2acd6c67b61736b5c13455960780b2312916263787689b13ddeaa115d7924d859dbb99679f0748315e068b78f8a483318180

                              • C:\Users\Admin\AppData\Local\Temp\Tar3A76.tmp

                                Filesize

                                181KB

                                MD5

                                4ea6026cf93ec6338144661bf1202cd1

                                SHA1

                                a1dec9044f750ad887935a01430bf49322fbdcb7

                                SHA256

                                8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                SHA512

                                6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                              • C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat

                                Filesize

                                190B

                                MD5

                                7fbb31440009d0adb305e224d133b744

                                SHA1

                                d8e8bf6317713030081cf88bb9a71b3a43061a2a

                                SHA256

                                30f7ca319687a576f3056610a0d6a706d3dfc79247e23de55a398b9a7359c10d

                                SHA512

                                f4c745cfa1101ea4959197481dbcb94ba8a004b803dc9ac815089eae6a8cb7b7a8075588cd5267c4a5380708422d579e45373cb5783840b7c3248f3af4200e23

                              • C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat

                                Filesize

                                190B

                                MD5

                                47f1079db5ea331ef816f56e24dd086a

                                SHA1

                                a1501c3ec067ad48897d278e9c3f5136064d0c4b

                                SHA256

                                ffaf82a7483986caac8c6e96a4f7ea4490dc60886914c95b38bfcfb85fbaf48d

                                SHA512

                                361f7c72db1ee35e371c11b338899baf7c41460daebbcc40d95cdc476031bd855a3029e0635f75858804f560dcde75c4cc840d7af327ba6f43003fb54f88b56f

                              • C:\Users\Admin\AppData\Local\Temp\laZcHbiAhz.bat

                                Filesize

                                190B

                                MD5

                                ec3075a6742a2092952f874b58bd1dc6

                                SHA1

                                bd0fa38138cba4bd7b29b1afdea69ca3d80ffdfe

                                SHA256

                                1abd3f9ef4bc6de7e3bcb1709ac78aa27d01d749cf71567feee4cf87c9ba1c89

                                SHA512

                                e818e75ac5af0caf2faee6ce3892f4cc7c1164ed1196e53d368d17907cfa5c872833679d17181c41672bc7a73a6e183e1517a99634476df8bae836340cc459ea

                              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\97DJ1JZ3MSRDO4CIQT4S.temp

                                Filesize

                                7KB

                                MD5

                                afdd8399b839306fa15c86fe8df1f720

                                SHA1

                                48f2c9c88772f8d59f0989a3604500b206f6b951

                                SHA256

                                59a6e30b208dc90b0a48b45a8531984c98d07ca533aff4e85e802639a7243aa3

                                SHA512

                                2804a00f4ddf014ef197ed90e89a5531ee49bbd571c08d24d35723ef138beb22a84a3fe2f8fd84d0336bfae8df3d08ee10892e147978fdec4c1d7dd3c567ee64

                              • C:\providercommon\1zu9dW.bat

                                Filesize

                                36B

                                MD5

                                6783c3ee07c7d151ceac57f1f9c8bed7

                                SHA1

                                17468f98f95bf504cc1f83c49e49a78526b3ea03

                                SHA256

                                8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                SHA512

                                c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                              • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                Filesize

                                197B

                                MD5

                                8088241160261560a02c84025d107592

                                SHA1

                                083121f7027557570994c9fc211df61730455bb5

                                SHA256

                                2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                SHA512

                                20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                              • \providercommon\DllCommonsvc.exe

                                Filesize

                                1.0MB

                                MD5

                                bd31e94b4143c4ce49c17d3af46bcad0

                                SHA1

                                f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                SHA256

                                b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                SHA512

                                f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                              • memory/688-153-0x0000000000D50000-0x0000000000E60000-memory.dmp

                                Filesize

                                1.1MB

                              • memory/1304-13-0x00000000009C0000-0x0000000000AD0000-memory.dmp

                                Filesize

                                1.1MB

                              • memory/1304-17-0x0000000000570000-0x000000000057C000-memory.dmp

                                Filesize

                                48KB

                              • memory/1304-16-0x0000000000450000-0x000000000045C000-memory.dmp

                                Filesize

                                48KB

                              • memory/1304-15-0x0000000000440000-0x000000000044C000-memory.dmp

                                Filesize

                                48KB

                              • memory/1304-14-0x0000000000430000-0x0000000000442000-memory.dmp

                                Filesize

                                72KB

                              • memory/2196-68-0x000000001B810000-0x000000001BAF2000-memory.dmp

                                Filesize

                                2.9MB

                              • memory/2232-69-0x00000000020D0000-0x00000000020D8000-memory.dmp

                                Filesize

                                32KB

                              • memory/2388-480-0x0000000000120000-0x0000000000230000-memory.dmp

                                Filesize

                                1.1MB

                              • memory/2680-300-0x00000000000B0000-0x00000000001C0000-memory.dmp

                                Filesize

                                1.1MB

                              • memory/2784-420-0x0000000000D30000-0x0000000000E40000-memory.dmp

                                Filesize

                                1.1MB

                              • memory/2856-360-0x0000000000C90000-0x0000000000DA0000-memory.dmp

                                Filesize

                                1.1MB

                              • memory/2988-213-0x0000000000440000-0x0000000000452000-memory.dmp

                                Filesize

                                72KB

                              • memory/2988-212-0x0000000001090000-0x00000000011A0000-memory.dmp

                                Filesize

                                1.1MB