Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-12-2024 00:38

General

  • Target

    JaffaCakes118_79b1493352e30f733c560b0137bad63e4daa67a69b66c5654831dfe94634e138.exe

  • Size

    1.3MB

  • MD5

    d9468ae2c998694c7d94edbdbe9e2e26

  • SHA1

    ed6b929cb36c3992dbd526c70977c067f2a54966

  • SHA256

    79b1493352e30f733c560b0137bad63e4daa67a69b66c5654831dfe94634e138

  • SHA512

    b2d2078abaf2a2bad4e195afeb9c119a1f177442e4abe3ce6126244af588994b556f9b1703034c027e55cc35976dce3200bdfd362c1cf441fe83c3988a09bbe3

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 39 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_79b1493352e30f733c560b0137bad63e4daa67a69b66c5654831dfe94634e138.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_79b1493352e30f733c560b0137bad63e4daa67a69b66c5654831dfe94634e138.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2908
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1648
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:908
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:924
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\OEM\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:556
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1636
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2472
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\MCT\MCT-GB\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2040
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2548
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Start Menu\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2292
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\tmp\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2408
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2284
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2068
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1832
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2440
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2308
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BesxsIGQPd.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2528
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2796
              • C:\Users\Public\Pictures\lsass.exe
                "C:\Users\Public\Pictures\lsass.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1580
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zHC6P4FzNT.bat"
                  7⤵
                    PID:1000
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      8⤵
                        PID:2280
                      • C:\Users\Public\Pictures\lsass.exe
                        "C:\Users\Public\Pictures\lsass.exe"
                        8⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2336
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qqpXlQnQd1.bat"
                          9⤵
                            PID:908
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              10⤵
                                PID:764
                              • C:\Users\Public\Pictures\lsass.exe
                                "C:\Users\Public\Pictures\lsass.exe"
                                10⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2244
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat"
                                  11⤵
                                    PID:1800
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      12⤵
                                        PID:3004
                                      • C:\Users\Public\Pictures\lsass.exe
                                        "C:\Users\Public\Pictures\lsass.exe"
                                        12⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:888
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat"
                                          13⤵
                                            PID:1336
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              14⤵
                                                PID:2168
                                              • C:\Users\Public\Pictures\lsass.exe
                                                "C:\Users\Public\Pictures\lsass.exe"
                                                14⤵
                                                • Executes dropped EXE
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:1708
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CooinIVsng.bat"
                                                  15⤵
                                                    PID:1788
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      16⤵
                                                        PID:2228
                                                      • C:\Users\Public\Pictures\lsass.exe
                                                        "C:\Users\Public\Pictures\lsass.exe"
                                                        16⤵
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:584
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat"
                                                          17⤵
                                                            PID:2548
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              18⤵
                                                                PID:2108
                                                              • C:\Users\Public\Pictures\lsass.exe
                                                                "C:\Users\Public\Pictures\lsass.exe"
                                                                18⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:904
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VoHf0I0Wzs.bat"
                                                                  19⤵
                                                                    PID:848
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      20⤵
                                                                        PID:2676
                                                                      • C:\Users\Public\Pictures\lsass.exe
                                                                        "C:\Users\Public\Pictures\lsass.exe"
                                                                        20⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:1224
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yTtrehocny.bat"
                                                                          21⤵
                                                                            PID:2428
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              22⤵
                                                                                PID:2388
                                                                              • C:\Users\Public\Pictures\lsass.exe
                                                                                "C:\Users\Public\Pictures\lsass.exe"
                                                                                22⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:2360
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rjauxUKpXQ.bat"
                                                                                  23⤵
                                                                                    PID:2728
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      24⤵
                                                                                        PID:2184
                                                                                      • C:\Users\Public\Pictures\lsass.exe
                                                                                        "C:\Users\Public\Pictures\lsass.exe"
                                                                                        24⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:2084
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2872
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2812
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2136
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Windows\Help\OEM\cmd.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2716
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Help\OEM\cmd.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2600
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Windows\Help\OEM\cmd.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2656
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2268
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1816
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:476
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\csrss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1040
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2424
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:592
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\Globalization\MCT\MCT-GB\dwm.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:708
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Globalization\MCT\MCT-GB\dwm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:352
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\Globalization\MCT\MCT-GB\dwm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1060
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\audiodg.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2592
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\audiodg.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2080
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\audiodg.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:272
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Start Menu\sppsvc.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1748
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\sppsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1688
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Start Menu\sppsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2960
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Windows\assembly\tmp\cmd.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2932
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\assembly\tmp\cmd.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2116
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Windows\assembly\tmp\cmd.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1704
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2396
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1800
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\sppsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1560
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1588
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1020
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:840
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\Media\services.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:324
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Media\services.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1532
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\Media\services.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1360
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1812
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3068
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:284
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\lsass.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1788
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Pictures\lsass.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1676
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\lsass.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1680

                                        Network

                                        MITRE ATT&CK Enterprise v15


                                        Downloads

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B


                                        • C:\Users\Admin\AppData\Local\Temp\BesxsIGQPd.bat

                                          Filesize

                                          199B


                                        • C:\Users\Admin\AppData\Local\Temp\Cab22.tmp

                                          Filesize

                                          70KB


                                        • C:\Users\Admin\AppData\Local\Temp\CooinIVsng.bat

                                          Filesize

                                          199B


                                        • C:\Users\Admin\AppData\Local\Temp\Tar35.tmp

                                          Filesize

                                          181KB


                                        • C:\Users\Admin\AppData\Local\Temp\VoHf0I0Wzs.bat

                                          Filesize

                                          199B


                                        • C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat

                                          Filesize

                                          199B


                                        • C:\Users\Admin\AppData\Local\Temp\qqpXlQnQd1.bat

                                          Filesize

                                          199B


                                        • C:\Users\Admin\AppData\Local\Temp\rjauxUKpXQ.bat

                                          Filesize

                                          199B


                                        • C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat

                                          Filesize

                                          199B


                                        • C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat

                                          Filesize

                                          199B


                                        • C:\Users\Admin\AppData\Local\Temp\yTtrehocny.bat

                                          Filesize

                                          199B


                                        • C:\Users\Admin\AppData\Local\Temp\zHC6P4FzNT.bat

                                          Filesize

                                          199B


                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                          Filesize

                                          7KB


                                        • C:\providercommon\1zu9dW.bat

                                          Filesize

                                          36B


                                        • C:\providercommon\DllCommonsvc.exe

                                          Filesize

                                          1.0MB


                                        • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                          Filesize

                                          197B

