Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    22/12/2024, 01:49

General

  • Target

    JaffaCakes118_21df2e725a749ec56929b0dc07518ed46630743f427a199301e7d2564b9ee0ba.exe

  • Size

    1.3MB

  • MD5

    bb440de4d62566b7a239336d53696af3

  • SHA1

    d160ba34e88346262ac1fdee2b9c7f989760d176

  • SHA256

    21df2e725a749ec56929b0dc07518ed46630743f427a199301e7d2564b9ee0ba

  • SHA512

    570d608ce02f5c0a7376d6f925ac8370e3f37cf01d8d38be61c7a0fc5b098b548be9ff8bb02884a3c214f362d1e4980a17bb62e3034e1af7ce66481d195bc807

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 30 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21df2e725a749ec56929b0dc07518ed46630743f427a199301e7d2564b9ee0ba.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_21df2e725a749ec56929b0dc07518ed46630743f427a199301e7d2564b9ee0ba.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2820
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2872
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1772
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1968
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\de-DE\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1568
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2492
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1816
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:692
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:608
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1552
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2948
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3068
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:848
          • C:\Windows\Migration\WTR\spoolsv.exe
            "C:\Windows\Migration\WTR\spoolsv.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2012
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0PvuKmrV6l.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2784
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2696
                • C:\Windows\Migration\WTR\spoolsv.exe
                  "C:\Windows\Migration\WTR\spoolsv.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:1912
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6raUEgr1vJ.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1440
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:1524
                      • C:\Windows\Migration\WTR\spoolsv.exe
                        "C:\Windows\Migration\WTR\spoolsv.exe"
                        9⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2404
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5PKlq1uIo.bat"
                          10⤵
                            PID:2936
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              11⤵
                                PID:2612
                              • C:\Windows\Migration\WTR\spoolsv.exe
                                "C:\Windows\Migration\WTR\spoolsv.exe"
                                11⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:580
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZDYK5nApHO.bat"
                                  12⤵
                                    PID:1492
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      13⤵
                                        PID:2920
                                      • C:\Windows\Migration\WTR\spoolsv.exe
                                        "C:\Windows\Migration\WTR\spoolsv.exe"
                                        13⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2960
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat"
                                          14⤵
                                            PID:836
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              15⤵
                                                PID:2572
                                              • C:\Windows\Migration\WTR\spoolsv.exe
                                                "C:\Windows\Migration\WTR\spoolsv.exe"
                                                15⤵
                                                • Executes dropped EXE
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2812
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cSLzsZ1i8q.bat"
                                                  16⤵
                                                    PID:2424
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      17⤵
                                                        PID:2060
                                                      • C:\Windows\Migration\WTR\spoolsv.exe
                                                        "C:\Windows\Migration\WTR\spoolsv.exe"
                                                        17⤵
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2132
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CTHuJZ10YE.bat"
                                                          18⤵
                                                            PID:2076
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              19⤵
                                                                PID:1932
                                                              • C:\Windows\Migration\WTR\spoolsv.exe
                                                                "C:\Windows\Migration\WTR\spoolsv.exe"
                                                                19⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:2920
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eON2Ze4cSc.bat"
                                                                  20⤵
                                                                    PID:1708
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      21⤵
                                                                        PID:2664
                                                                      • C:\Windows\Migration\WTR\spoolsv.exe
                                                                        "C:\Windows\Migration\WTR\spoolsv.exe"
                                                                        21⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:2696
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7C7JiPLtAl.bat"
                                                                          22⤵
                                                                            PID:2088
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              23⤵
                                                                                PID:2092
                                                                              • C:\Windows\Migration\WTR\spoolsv.exe
                                                                                "C:\Windows\Migration\WTR\spoolsv.exe"
                                                                                23⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:848
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YpMZYQImRp.bat"
                                                                                  24⤵
                                                                                    PID:2352
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      25⤵
                                                                                        PID:2224
                                                                                      • C:\Windows\Migration\WTR\spoolsv.exe
                                                                                        "C:\Windows\Migration\WTR\spoolsv.exe"
                                                                                        25⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:1592
                                                                                        • C:\Windows\System32\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0WHmS6dpJ0.bat"
                                                                                          26⤵
                                                                                            PID:1252
                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                              27⤵
                                                                                                PID:1784
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2508
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:908
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1440
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1648
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2904
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1628
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2636
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2088
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2600
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1476
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:644
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\CrashReports\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2608
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1784
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1644
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:572
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Uninstall Information\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2640
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1668
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Uninstall Information\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1888
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1884
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1676
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2284
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Downloads\WmiPrvSE.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2180
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Downloads\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2408
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2224
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2372
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:352
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:896
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2124
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:948
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2484

                                          Network

                                                MITRE ATT&CK Enterprise v15

                                                Downloads

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                • C:\Users\Admin\AppData\Local\Temp\0PvuKmrV6l.bat

                                                  Filesize

                                                  201B

                                                • C:\Users\Admin\AppData\Local\Temp\0WHmS6dpJ0.bat

                                                  Filesize

                                                  201B

                                                • C:\Users\Admin\AppData\Local\Temp\6raUEgr1vJ.bat

                                                  Filesize

                                                  201B

                                                • C:\Users\Admin\AppData\Local\Temp\7C7JiPLtAl.bat

                                                  Filesize

                                                  201B

                                                • C:\Users\Admin\AppData\Local\Temp\CTHuJZ10YE.bat

                                                  Filesize

                                                  201B

                                                • C:\Users\Admin\AppData\Local\Temp\Cab204F.tmp

                                                  Filesize

                                                  70KB

                                                • C:\Users\Admin\AppData\Local\Temp\Tar20BF.tmp

                                                  Filesize

                                                  181KB

                                                • C:\Users\Admin\AppData\Local\Temp\YpMZYQImRp.bat

                                                  Filesize

                                                  201B

                                                • C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat

                                                  Filesize

                                                  201B

                                                • C:\Users\Admin\AppData\Local\Temp\ZDYK5nApHO.bat

                                                  Filesize

                                                  201B

                                                • C:\Users\Admin\AppData\Local\Temp\cSLzsZ1i8q.bat

                                                  Filesize

                                                  201B

                                                • C:\Users\Admin\AppData\Local\Temp\eON2Ze4cSc.bat

                                                  Filesize

                                                  201B

                                                • C:\Users\Admin\AppData\Local\Temp\j5PKlq1uIo.bat

                                                  Filesize

                                                  201B

                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\45U5YBLY2UVZS3V6BSCG.temp

                                                  Filesize

                                                  7KB

                                                • C:\providercommon\1zu9dW.bat

                                                  Filesize

                                                  36B

                                                • C:\providercommon\DllCommonsvc.exe

                                                  Filesize

                                                  1.0MB

                                                • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                  Filesize

                                                  197B
