Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    21-12-2024 20:18

General

  • Target

    JaffaCakes118_c2c5c7b4890445c68536c7cd99c775ee4175a9f87881feb08e94059add261670.exe

  • Size

    1.3MB

  • MD5

    5f8aa2c9c933251a7030f4ccd52d9144

  • SHA1

    576b128311ebfaefacb64699b0b215a659e0f74a

  • SHA256

    c2c5c7b4890445c68536c7cd99c775ee4175a9f87881feb08e94059add261670

  • SHA512

    64a88caac69853524b7604140aaeeeadb93cfcc4e05176bb07f14729a494f8196ea354281da6305c237bc03a06599572fe40c97b629b428d13bc5eb45e115b4b

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 36 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 11 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c2c5c7b4890445c68536c7cd99c775ee4175a9f87881feb08e94059add261670.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c2c5c7b4890445c68536c7cd99c775ee4175a9f87881feb08e94059add261670.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2256
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2288
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2264
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2212
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1416
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WMIADAP.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1884
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\en-US\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1668
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:560
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\it-IT\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1536
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1092
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:904
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Solitaire\es-ES\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3020
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\it-IT\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3028
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2236
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\fr-FR\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1328
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2204
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1088
          • C:\Users\All Users\audiodg.exe
            "C:\Users\All Users\audiodg.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2704
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1968
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2052
                • C:\Users\All Users\audiodg.exe
                  "C:\Users\All Users\audiodg.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:448
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uugdhbmYnk.bat"
                    8⤵
                      PID:2064
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        9⤵
                          PID:2888
                        • C:\Users\All Users\audiodg.exe
                          "C:\Users\All Users\audiodg.exe"
                          9⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2204
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nokcDIWAC5.bat"
                            10⤵
                              PID:1416
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                11⤵
                                  PID:2520
                                • C:\Users\All Users\audiodg.exe
                                  "C:\Users\All Users\audiodg.exe"
                                  11⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2236
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pksuDlslcW.bat"
                                    12⤵
                                      PID:2684
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        13⤵
                                          PID:2944
                                        • C:\Users\All Users\audiodg.exe
                                          "C:\Users\All Users\audiodg.exe"
                                          13⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2732
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat"
                                            14⤵
                                              PID:2088
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                15⤵
                                                  PID:836
                                                • C:\Users\All Users\audiodg.exe
                                                  "C:\Users\All Users\audiodg.exe"
                                                  15⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:864
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCeLVPpGxY.bat"
                                                    16⤵
                                                      PID:2636
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        17⤵
                                                          PID:2156
                                                        • C:\Users\All Users\audiodg.exe
                                                          "C:\Users\All Users\audiodg.exe"
                                                          17⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2336
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat"
                                                            18⤵
                                                              PID:2080
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                19⤵
                                                                  PID:1588
                                                                • C:\Users\All Users\audiodg.exe
                                                                  "C:\Users\All Users\audiodg.exe"
                                                                  19⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:1456
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YpMZYQImRp.bat"
                                                                    20⤵
                                                                      PID:2460
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        21⤵
                                                                          PID:2568
                                                                        • C:\Users\All Users\audiodg.exe
                                                                          "C:\Users\All Users\audiodg.exe"
                                                                          21⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:1308
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat"
                                                                            22⤵
                                                                              PID:2120
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                23⤵
                                                                                  PID:1136
                                                                                • C:\Users\All Users\audiodg.exe
                                                                                  "C:\Users\All Users\audiodg.exe"
                                                                                  23⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:560
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat"
                                                                                    24⤵
                                                                                      PID:2580
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        25⤵
                                                                                          PID:2104
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\providercommon\WMIADAP.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2592
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2580
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2764
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\en-US\cmd.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2556
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\cmd.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2588
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\en-US\cmd.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2636
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2420
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1028
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1404
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\ehome\it-IT\sppsvc.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2884
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ehome\it-IT\sppsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1220
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\ehome\it-IT\sppsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2544
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\Cursors\services.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2872
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Cursors\services.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2852
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\Cursors\services.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1564
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1180
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2920
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1436
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Games\Solitaire\es-ES\Idle.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:860
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Solitaire\es-ES\Idle.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3068
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\Solitaire\es-ES\Idle.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3064
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\DllCommonsvc.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:328
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\it-IT\DllCommonsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2524
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\DllCommonsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1820
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\it-IT\System.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2432
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\it-IT\System.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1604
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\it-IT\System.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1060
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\AppPatch\fr-FR\services.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1456
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\AppPatch\fr-FR\services.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1204
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\AppPatch\fr-FR\services.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1592
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\audiodg.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2220
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\audiodg.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1728
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\audiodg.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1740
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\explorer.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1384
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\explorer.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1752
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\explorer.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1412

                                        Network

                                        MITRE ATT&CK Enterprise v15


                                        Downloads
