Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    22-12-2024 01:40

General

  • Target

    JaffaCakes118_3fb015ec42272b4a1a8655f808bcaaf351cf331dbf8ab5d9dd14e5e83468e7cc.exe

  • Size

    1.3MB

  • MD5

    b3f1e2d771d3a289db9e796f07ce13ed

  • SHA1

    cd9676fe6b6a69709b31fc302993afc7c047a731

  • SHA256

    3fb015ec42272b4a1a8655f808bcaaf351cf331dbf8ab5d9dd14e5e83468e7cc

  • SHA512

    07a495edd762db87ffa0c8ec2aba82405e4cbdd7d67a2d34b9fd0cf0fc1081b0db0543f17e9c4ed7028be6ca8e22a210fc5e3c5ea9d97ba7738d5a77621b765d

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 48 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 7 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3fb015ec42272b4a1a8655f808bcaaf351cf331dbf8ab5d9dd14e5e83468e7cc.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3fb015ec42272b4a1a8655f808bcaaf351cf331dbf8ab5d9dd14e5e83468e7cc.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2584
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2360
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2244
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1276
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\Application\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2992
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            PID:1728
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2292
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1584
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1592
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1688
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1588
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2092
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1924
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\fr-FR\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1708
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1620
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1600
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:536
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1712
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1384
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\fr-FR\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2128
          • C:\Users\Public\WmiPrvSE.exe
            "C:\Users\Public\WmiPrvSE.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2684
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat"
              6⤵
                PID:1768
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  7⤵
                    PID:3056
                  • C:\Users\Public\WmiPrvSE.exe
                    "C:\Users\Public\WmiPrvSE.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2228
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MzhLoGhvPq.bat"
                      8⤵
                        PID:2036
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          9⤵
                            PID:1792
                          • C:\Users\Public\WmiPrvSE.exe
                            "C:\Users\Public\WmiPrvSE.exe"
                            9⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1888
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ay5NT8uJA6.bat"
                              10⤵
                                PID:908
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  11⤵
                                    PID:2232
                                  • C:\Users\Public\WmiPrvSE.exe
                                    "C:\Users\Public\WmiPrvSE.exe"
                                    11⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2524
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3npectBbsF.bat"
                                      12⤵
                                        PID:1580
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          13⤵
                                            PID:1968
                                          • C:\Users\Public\WmiPrvSE.exe
                                            "C:\Users\Public\WmiPrvSE.exe"
                                            13⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2136
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f70LHM7oRz.bat"
                                              14⤵
                                                PID:1584
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  15⤵
                                                    PID:2628
                                                  • C:\Users\Public\WmiPrvSE.exe
                                                    "C:\Users\Public\WmiPrvSE.exe"
                                                    15⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2116
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6x2cfOw3ED.bat"
                                                      16⤵
                                                        PID:2244
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          17⤵
                                                            PID:2900
                                                          • C:\Users\Public\WmiPrvSE.exe
                                                            "C:\Users\Public\WmiPrvSE.exe"
                                                            17⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2268
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QOz0umrEhM.bat"
                                                              18⤵
                                                                PID:2132
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  19⤵
                                                                    PID:2532
                                                                  • C:\Users\Public\WmiPrvSE.exe
                                                                    "C:\Users\Public\WmiPrvSE.exe"
                                                                    19⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:1740
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\Vss\Writers\Application\wininit.exe'" /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2640
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\wininit.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2636
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\Vss\Writers\Application\wininit.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2784
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\Public\WmiPrvSE.exe'" /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2608
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\WmiPrvSE.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2684
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Public\WmiPrvSE.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:1172
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\sppsvc.exe'" /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:3064
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Fonts\sppsvc.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2688
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\sppsvc.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:1140
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2676
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:1224
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:1960
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\wininit.exe'" /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:988
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\wininit.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2600
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\wininit.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2920
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\DllCommonsvc.exe'" /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:1660
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\DllCommonsvc.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2452
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\DllCommonsvc.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:1664
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\winlogon.exe'" /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:1448
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2200
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2480
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2436
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2216
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2172
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\csrss.exe'" /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:628
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\csrss.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2504
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\csrss.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:1972
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\OSPPSVC.exe'" /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:1884
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\OSPPSVC.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2268
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\OSPPSVC.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:844
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\Tasks\lsass.exe'" /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:676
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Tasks\lsass.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:936
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\Tasks\lsass.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2428
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2596
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:1920
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:960
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\lsass.exe'" /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:1524
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\lsass.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:1788
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\lsass.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:880
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2352
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2444
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\lsass.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:1420
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:876
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:3020
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:1028
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\fr-FR\dllhost.exe'" /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:1684
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\fr-FR\dllhost.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:1932
                              • C:\Windows\system32\schtasks.exe
                                schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\fr-FR\dllhost.exe'" /rl HIGHEST /f
                                1⤵
                                • Process spawned unexpected child process
                                • Scheduled Task/Job: Scheduled Task
                                PID:2556

                              Network

                              MITRE ATT&CK Enterprise v15

                              Downloads

                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                Filesize

                                342B

                              • C:\Users\Admin\AppData\Local\Temp\3npectBbsF.bat

                                Filesize

                                193B

                              • C:\Users\Admin\AppData\Local\Temp\6x2cfOw3ED.bat

                                Filesize

                                193B

                              • C:\Users\Admin\AppData\Local\Temp\Cab772.tmp

                                Filesize

                                70KB

                              • C:\Users\Admin\AppData\Local\Temp\MzhLoGhvPq.bat

                                Filesize

                                193B

                              • C:\Users\Admin\AppData\Local\Temp\QOz0umrEhM.bat

                                Filesize

                                193B

                              • C:\Users\Admin\AppData\Local\Temp\Tar785.tmp

                                Filesize

                                181KB

                              • C:\Users\Admin\AppData\Local\Temp\ay5NT8uJA6.bat

                                Filesize

                                193B

                              • C:\Users\Admin\AppData\Local\Temp\f70LHM7oRz.bat

                                Filesize

                                193B

                              • C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat

                                Filesize

                                193B

                              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                Filesize

                                7KB

                              • C:\providercommon\1zu9dW.bat

                                Filesize

                                36B

                              • C:\providercommon\DllCommonsvc.exe

                                Filesize

                                1.0MB

                              • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                Filesize

                                197B
