Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-12-2024 00:28

General

  • Target

    JaffaCakes118_72bfa5b5d6eca3e0eff61f3aba597749c3ea4fa180d6d6de14b92b8d505cfe1a.exe

  • Size

    1.3MB

  • MD5

    22abe89f8f3ac704829c29e7197e0fd2

  • SHA1

    2913dbf57df2a0c2ab5040e2563daa07026a9b68

  • SHA256

    72bfa5b5d6eca3e0eff61f3aba597749c3ea4fa180d6d6de14b92b8d505cfe1a

  • SHA512

    58013ec6b158dc0d403e04e790d17093b48361108e2652f74749dcadab86f3f6f92e63443797dc6918019dcde594e98f36eb346dba449d195fd0b5edcfd5fcb9

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 39 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 11 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_72bfa5b5d6eca3e0eff61f3aba597749c3ea4fa180d6d6de14b92b8d505cfe1a.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_72bfa5b5d6eca3e0eff61f3aba597749c3ea4fa180d6d6de14b92b8d505cfe1a.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2840
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2716
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2636
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:844
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\bin\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1792
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\NetworkService\Downloads\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1524
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2268
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:288
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:792
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2460
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Downloads\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1736
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:572
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1164
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2968
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1664
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\en-US\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2332
          • C:\Users\Default\Saved Games\conhost.exe
            "C:\Users\Default\Saved Games\conhost.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1724
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GRgsn2v6O3.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2948
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2252
                • C:\Users\Default\Saved Games\conhost.exe
                  "C:\Users\Default\Saved Games\conhost.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:908
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rcE1qBYVKA.bat"
                    8⤵
                      PID:2828
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        9⤵
                          PID:2272
                        • C:\Users\Default\Saved Games\conhost.exe
                          "C:\Users\Default\Saved Games\conhost.exe"
                          9⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2024
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat"
                            10⤵
                              PID:2340
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                11⤵
                                  PID:2320
                                • C:\Users\Default\Saved Games\conhost.exe
                                  "C:\Users\Default\Saved Games\conhost.exe"
                                  11⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1044
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ounU5LkXKE.bat"
                                    12⤵
                                      PID:1256
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        13⤵
                                          PID:2588
                                        • C:\Users\Default\Saved Games\conhost.exe
                                          "C:\Users\Default\Saved Games\conhost.exe"
                                          13⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2840
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vF7CrwxjwX.bat"
                                            14⤵
                                              PID:408
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                15⤵
                                                  PID:2036
                                                • C:\Users\Default\Saved Games\conhost.exe
                                                  "C:\Users\Default\Saved Games\conhost.exe"
                                                  15⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:1756
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pi2dGiCBJ7.bat"
                                                    16⤵
                                                      PID:1040
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        17⤵
                                                          PID:2320
                                                        • C:\Users\Default\Saved Games\conhost.exe
                                                          "C:\Users\Default\Saved Games\conhost.exe"
                                                          17⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2716
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat"
                                                            18⤵
                                                              PID:2696
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                19⤵
                                                                  PID:1652
                                                                • C:\Users\Default\Saved Games\conhost.exe
                                                                  "C:\Users\Default\Saved Games\conhost.exe"
                                                                  19⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:752
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WzmeI2KvQx.bat"
                                                                    20⤵
                                                                      PID:2360
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        21⤵
                                                                          PID:1144
                                                                        • C:\Users\Default\Saved Games\conhost.exe
                                                                          "C:\Users\Default\Saved Games\conhost.exe"
                                                                          21⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:2660
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b6uRiEqY03.bat"
                                                                            22⤵
                                                                              PID:2636
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                23⤵
                                                                                  PID:1276
                                                                                • C:\Users\Default\Saved Games\conhost.exe
                                                                                  "C:\Users\Default\Saved Games\conhost.exe"
                                                                                  23⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:2992
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat"
                                                                                    24⤵
                                                                                      PID:2928
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        25⤵
                                                                                          PID:2632
                                                                                        • C:\Users\Default\Saved Games\conhost.exe
                                                                                          "C:\Users\Default\Saved Games\conhost.exe"
                                                                                          25⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:1592
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\providercommon\lsass.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1396
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1984
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1996
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\lsass.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2960
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\lsass.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2220
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\lsass.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2396
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\ServiceProfiles\NetworkService\Downloads\winlogon.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1124
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\Downloads\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2872
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\ServiceProfiles\NetworkService\Downloads\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2244
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\providercommon\wininit.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2848
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2868
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2448
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\csrss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1028
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2744
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2948
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:668
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2436
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2480
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\cmd.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1432
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\cmd.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2532
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\cmd.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1252
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Downloads\WmiPrvSE.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2412
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\Downloads\WmiPrvSE.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2276
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Downloads\WmiPrvSE.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2408
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1596
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2200
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:448
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2232
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2428
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:948
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\dwm.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1860
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2240
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1272
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Saved Games\conhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:592
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\conhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1780
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Saved Games\conhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1544
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\en-US\lsm.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2060
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\lsm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2500
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\en-US\lsm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2468

                                        Network

                                        MITRE ATT&CK Enterprise v15


                                        Downloads

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B



                                        • C:\Users\Admin\AppData\Local\Temp\Cab1FA3.tmp

                                          Filesize

                                          70KB


                                        • C:\Users\Admin\AppData\Local\Temp\GRgsn2v6O3.bat

                                          Filesize

                                          205B


                                        • C:\Users\Admin\AppData\Local\Temp\Pi2dGiCBJ7.bat

                                          Filesize

                                          205B


                                        • C:\Users\Admin\AppData\Local\Temp\Tar1FD5.tmp

                                          Filesize

                                          181KB


                                        • C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat

                                          Filesize

                                          205B


                                        • C:\Users\Admin\AppData\Local\Temp\WzmeI2KvQx.bat

                                          Filesize

                                          205B


                                        • C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat

                                          Filesize

                                          205B


                                        • C:\Users\Admin\AppData\Local\Temp\b6uRiEqY03.bat

                                          Filesize

                                          205B


                                        • C:\Users\Admin\AppData\Local\Temp\ounU5LkXKE.bat

                                          Filesize

                                          205B


                                        • C:\Users\Admin\AppData\Local\Temp\rcE1qBYVKA.bat

                                          Filesize

                                          205B


                                        • C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat

                                          Filesize

                                          205B


                                        • C:\Users\Admin\AppData\Local\Temp\vF7CrwxjwX.bat

                                          Filesize

                                          205B


                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                          Filesize

                                          7KB


                                        • C:\providercommon\1zu9dW.bat

                                          Filesize

                                          36B


                                        • C:\providercommon\DllCommonsvc.exe

                                          Filesize

                                          1.0MB


                                        • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                          Filesize

                                          197B



                                        • memory/2840-357-0x0000000001020000-0x0000000001130000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2992-658-0x0000000000450000-0x0000000000462000-memory.dmp

                                          Filesize

                                          72KB