Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-12-2024 05:43

General

  • Target

    JaffaCakes118_034b2a05353c57c99a509eb4ec62b41d0932b39223089bd1d41243387858c58d.exe

  • Size

    1.3MB

  • MD5

    41cbb8d59a3587705c3ad07b9799811a

  • SHA1

    d40744a16badbe139b09fb0d904ac2c134ac728b

  • SHA256

    034b2a05353c57c99a509eb4ec62b41d0932b39223089bd1d41243387858c58d

  • SHA512

    9c97191a0ca2a2ded86476272dbfd60b197416020edf9176dda875ad115bb0081b6048531eecf7eef7b4721b5766f5dc79bdf48be7cfa2ffa487826624e5f768

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 30 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 13 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes (here, Add-MpPreference -ExclusionPath for each dropped binary).

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 9 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim host in order to infer its geographical location.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
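
The signatures above reduce to three checks over process-creation telemetry: a PowerShell process adding a Defender exclusion, w32tm /stripchart against localhost used as a sleep substitute between relaunches, and an executable launched from cmd.exe whose own parent is a script host (the WScript -> cmd -> DllCommonsvc.exe chain in the tree below). The Python below is an added example, not part of this report or of any sandbox's detection logic. It runs over a constructed list of Sysmon Event ID 1-style records rebuilt from the process tree; PIDs and command lines are the report's, while the root's parent PID (1000) and the final benign Get-MpPreference control record are assumptions.

```python
"""Triage helpers for the Signatures section: Defender exclusion tampering
(Add-MpPreference), the w32tm /stripchart sleep substitute, and the
script host -> cmd -> dropped-EXE launch chain.  Added example, not part
of the sandbox report; input is constructed from the process tree."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full image path, as Sysmon logs it
    cmdline: str   # command line, as Sysmon logs it


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_034b2a05353c57c99a509eb4ec62b41d0932b39223089bd1d41243387858c58d.exe"


def excl_cmd(path: str) -> str:
    """Reproduce the Add-MpPreference command-line shape seen in the tree."""
    return f"\"powershell\" -Command Add-MpPreference -ExclusionPath '{path}'"


# Constructed from the process tree; PIDs are the report's, the root's parent
# PID (1000) and the final control record are assumptions.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(2148, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2816, 2148, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"'),
    ProcEvent(2708, 2816, r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd /c ""C:\providercommon\1zu9dW.bat" "'),
    ProcEvent(2784, 2708, r"C:\providercommon\DllCommonsvc.exe",
              r'"C:\providercommon\DllCommonsvc.exe"'),
    ProcEvent(1104, 2784, PS, excl_cmd(r"C:\providercommon\DllCommonsvc.exe")),
    ProcEvent(916, 2784, PS, excl_cmd(r"C:\Program Files (x86)\Windows Portable Devices\cmd.exe")),
    ProcEvent(2368, 2784, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gKSvXanOy6.bat"'),
    ProcEvent(2752, 2368, r"C:\Windows\system32\w32tm.exe",
              "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    ProcEvent(2484, 2368, r"C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe",
              r'"C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe"'),
    # Benign control (constructed): merely reading Defender settings must not fire.
    ProcEvent(4000, 1000, PS, '"powershell" -Command Get-MpPreference'),
]

EXCLUSION_RE = re.compile(
    r'''Add-MpPreference\s+-Exclusion(?P<kind>Path|Process|Extension)\s+['"]?(?P<value>[^'"]+)''', re.I)
# Polling the local clock for a few samples is a crude sleep; w32tm has no
# legitimate reason to stripchart against localhost from a batch file.
W32TM_SLEEP_RE = re.compile(r"\bw32tm(?:\.exe)?\s+/stripchart\s+/computer:localhost\b", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def find_defender_exclusions(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """(pid, exclusion kind, excluded value) for every PowerShell exclusion add."""
    hits = []
    for e in events:
        if _name(e.image) != "powershell.exe":
            continue
        m = EXCLUSION_RE.search(e.cmdline)
        if m:
            hits.append((e.pid, m.group("kind").capitalize(), m.group("value").strip()))
    return hits


def find_w32tm_sleeps(events: List[ProcEvent]) -> List[int]:
    """PIDs of w32tm runs that match the localhost stripchart delay idiom."""
    return [e.pid for e in events
            if _name(e.image) == "w32tm.exe" and W32TM_SLEEP_RE.search(e.cmdline)]


def find_script_host_chains(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Executables started by cmd.exe whose parent is a script host, skipping
    Windows built-ins under System32/SysWOW64 that cmd legitimately launches."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        grand = by_pid.get(parent.ppid) if parent else None
        if parent is None or grand is None:
            continue
        if _name(parent.image) != "cmd.exe" or _name(grand.image) not in SCRIPT_HOSTS:
            continue
        if str(PureWindowsPath(e.image).parent).lower() in SYSTEM_DIRS:
            continue
        hits.append((e.pid, e.image))
    return hits


def triage(events: List[ProcEvent]) -> Dict[str, list]:
    return {
        "defender_exclusion": find_defender_exclusions(events),
        "w32tm_sleep": find_w32tm_sleeps(events),
        "script_host_chain": find_script_host_chains(events),
    }


if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_EVENTS).items():
        print(f"{rule}: {hits}")
```

The exclusion rule keys on powershell.exe plus the cmdlet name rather than on a full-path match, so the same check catches -ExclusionProcess and -ExclusionExtension variants the report does not show; the chain rule deliberately whitelists only System32/SysWOW64, because this sample drops its copies under Program Files, Recovery and Prefetch, which a broader "trusted directory" list would miss.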

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_034b2a05353c57c99a509eb4ec62b41d0932b39223089bd1d41243387858c58d.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_034b2a05353c57c99a509eb4ec62b41d0932b39223089bd1d41243387858c58d.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2708
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2784
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1104
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:916
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1020
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1528
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1176
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\bin\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:944
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:568
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\it-IT\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1692
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\en-US\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2244
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1948
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1584
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gKSvXanOy6.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2368
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2752
              • C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe
                "C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2484
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8RCzlRjk6I.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2764
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:2904
                    • C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe
                      "C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1648
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UPAAmIRCFx.bat"
                        9⤵
                          PID:788
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            10⤵
                              PID:2216
                            • C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe
                              "C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe"
                              10⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2064
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat"
                                11⤵
                                  PID:1772
                                  • C:\Windows\system32\w32tm.exe
                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    12⤵
                                      PID:1632
                                    • C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe
                                      "C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe"
                                      12⤵
                                      • Executes dropped EXE
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2140
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\niOj6yjqzp.bat"
                                        13⤵
                                          PID:2840
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            14⤵
                                              PID:2844
                                            • C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe
                                              "C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe"
                                              14⤵
                                              • Executes dropped EXE
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2144
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xEoBbgPmrR.bat"
                                                15⤵
                                                  PID:2592
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    16⤵
                                                      PID:2092
                                                    • C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe
                                                      "C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe"
                                                      16⤵
                                                      • Executes dropped EXE
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2908
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m1XclINWiF.bat"
                                                        17⤵
                                                          PID:2128
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            18⤵
                                                              PID:2784
                                                            • C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe
                                                              "C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe"
                                                              18⤵
                                                              • Executes dropped EXE
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:1980
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\evbbIz777a.bat"
                                                                19⤵
                                                                  PID:2528
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    20⤵
                                                                      PID:1172
                                                                    • C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe
                                                                      "C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe"
                                                                      20⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:2576
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat"
                                                                        21⤵
                                                                          PID:2104
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            22⤵
                                                                              PID:1580
                                                                            • C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe
                                                                              "C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe"
                                                                              22⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:3068
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat"
                                                                                23⤵
                                                                                  PID:676
                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    24⤵
                                                                                      PID:2192
                                                                                    • C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe
                                                                                      "C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe"
                                                                                      24⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:2748
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mNrvcGFykN.bat"
                                                                                        25⤵
                                                                                          PID:2468
                                                                                          • C:\Windows\system32\w32tm.exe
                                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                            26⤵
                                                                                              PID:2028
                                                                                            • C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe
                                                                                              "C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe"
                                                                                              26⤵
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:1568
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2752
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2620
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1980
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2940
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2944
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1888
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3048
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1272
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1728
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:716
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1312
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2380
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jre7\bin\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2076
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2904
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jre7\bin\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2880
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:332
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:556
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1956
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\it-IT\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2012
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\it-IT\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1652
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\it-IT\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2412
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\en-US\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1988
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2180
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\en-US\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2404
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2436
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:776
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2448
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\providercommon\wininit.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:676
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1396
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2528

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Downloads

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            de8651c657b33a3dd39f0a541f5a778a

                                            SHA1

                                            f8a0c185abb724a51934c2717c73022389d64a0f

                                            SHA256

                                            c4018e3aab784ea121836b355be3ff02bb9625b20ffc4284ae7a3b5ed5db759b

                                            SHA512

                                            9a890dc149f9d2266386a32beb78e3a75317900def5ea982be8eeda2971dec14855777a3ca2d50c36367a3d3c093818e29c73181ecae3001f1e41a2cd2ae19ef

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            0949d9486e9712e68b148616e270f446

                                            SHA1

                                            bd469c3442e6b26cd4f41268d35f46d4c1fc813b

                                            SHA256

                                            ea4d09e98ba956f0648bf62c35d780b5a92e326a9524d9ad4e936d407be1947e

                                            SHA512

                                            20a329d18a4784035d9e0b7c71076d170a7d904bfafee1abc4f0f0893f235b9bbdcfb60774ce2d2ed45199633ed3706fcd67a1a20c7cedc2e984271fcb8e0fae

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            cd6ec6254875b9624f714c5e0ecf31d9

                                            SHA1

                                            87182f2a065a8a23c40d6b13dc4143d7468223a0

                                            SHA256

                                            f6109810e6020c62c901b0e932d474d71a34db89600144b6ec7cdf1d419db02a

                                            SHA512

                                            c7b431e6ff13a7be08966a0ffca7d0fdbaa58b21b343436b1295d83317e2653731b556c257132fedeec471fbe1f5f9ddce9dc843f6575d11cb58be6323347546

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            21f01a88e6f2af5d859ee62b8ab47336

                                            SHA1

                                            6c9777b6eeb02eb22ac3f8f9db19677a5c90029a

                                            SHA256

                                            f4d8bb6172a6b63d4d825fab3c477a9ef098f0a0ce54f11e316f275304dc9a49

                                            SHA512

                                            f2d7facefe2d4a947825e57996943f12c564e69324935917fdd4f6575475d67c5b61c5948f7b95bcb6cf164b1247e6ea910f975c928026fafe03d56006e9efa8

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            ffac108fc1b46784f06d37a82ca74da4

                                            SHA1

                                            d75af0f1b64922912b4ae59164a23b8256f49130

                                            SHA256

                                            b4f777535bbfa3211c535637edbd1d7232fcb4dfec5559786f543d1c8d247959

                                            SHA512

                                            ae1bbf46d35507b7ae3b49e81ab8557a2227d7b9f00dc3cbdb8f44686852f8005a24aa8f6169ba8e8ae7cbdd0746b597bbcc357a185363cc07dc5d08602b7a80

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            e0a47425315d902847cd71e1803eb7ad

                                            SHA1

                                            e0d5c66d1a387486db9d398518672ca4fb9d8f2e

                                            SHA256

                                            1ea5b32d825a5cd4d7aa1059bab596fccbe01ec7aba38c89597960d81921340c

                                            SHA512

                                            fe6022e02e8a128ad76b8595ec3a9e2c66638a369b6a0a70a6f017d7bb6fd11ccd7cbfb7843d0c0e96ddd73cf99eea726e16c2744daf18f397187b7e5da7d2cf

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            590063f1b84d768de243c3369fe0988f

                                            SHA1

                                            6d4231ab535ccffa151da90034f66a72d2c67582

                                            SHA256

                                            edc1b31c051aecb868f68d05a082da2e78cbbabf249d879b8a45090594f0e5d9

                                            SHA512

                                            457574fbe06ab3f586768e7406a90a247906cfb50da131c4714369b10fd4a3e4e61b7a9a7b44f4a1365d198dc0246b5118b03294338d6093e40b7b064f351345

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            d4382bb9ee779f241b4dcb6bbf275860

                                            SHA1

                                            e39511a8c9a76f9c6c33f3626debeab0f5166cd3

                                            SHA256

                                            ac068c8917f81232efa296069303c3778ac691ab4b235f61598c8f22c3621637

                                            SHA512

                                            dc8e9911fc47a7a0e4c2e8d4530bfd047bff8055f90562654c831955e890c9c968655ea60c05dc59b9a7d528b35eb8842602849e5ef0186fb40716a4b767fa62

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            cc3fe3b7690ae5f561a80c1e7a7b88ac

                                            SHA1

                                            5f151be09533f53965fbe98ff0f90c588acce7e9

                                            SHA256

                                            3c14af03c4d4df6573542b7e12879207f57ad64fbfd71e2ff72d5d2e1bef0c47

                                            SHA512

                                            969b721cacef74253e865450e88409d75f2e5234c618d4e718cd3e727ee52d6424fa7e437921ab2d832ba21392eecbe3f8e3c2d891a6ebec7c810842a652c057

                                          • C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat

                                            Filesize

                                            206B

                                            MD5

                                            ddf096ff3667b3a3de8bc4938b9d29e4

                                            SHA1

                                            3c9a0d814b977c5b8fbe83b4231228bc5bd794e9

                                            SHA256

                                            984dd4602aac8839788bb2001f4a25c8bd04bc9dca09944e1a53c02c16a39975

                                            SHA512

                                            c929712ef7288593bead3084b8b3c2ea325025bb3666b57e3741aaf7acaa1f39d0b5b1b4d3674b22024c8473e5fae2da2135f3440d0bc1cce82d2d0c1bd2327c

                                          • C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat

                                            Filesize

                                            206B

                                            MD5

                                            61a7174328df8178a42c4058b60d4439

                                            SHA1

                                            c8df417e7ed957c906da1f1930f1f63c4773f577

                                            SHA256

                                            c2264bf4384eab33d6a926de8927d19c3d0d848c6cfef991b5f90b1309a7174b

                                            SHA512

                                            093e2d383c0567ab1d6e0bb084492d52735314d88d14fde135b664737c360250fa1aab2d323cbfa59a86ffd51939daa36adac4f9ec25c50e30e0bd4be4dd2ef3

                                          • C:\Users\Admin\AppData\Local\Temp\8RCzlRjk6I.bat

                                            Filesize

                                            206B

                                            MD5

                                            6176254d138991649293a75aaeb7fce9

                                            SHA1

                                            bf354f06b222865e91cd786560cadeb547edb6c6

                                            SHA256

                                            f7356e9ea76ae8bdb0c32757e4238606491995ba1560aee9c657188a624b744a

                                            SHA512

                                            372977fa3676278980fdd6869a591a0e9a3becdf7daa1347bed03ac6d89329578e504b5895ced52736da17df540bb7e06ff454e595f52a7abd14482141f6d97b

                                          • C:\Users\Admin\AppData\Local\Temp\Cab3258.tmp

                                            Filesize

                                            70KB

                                            MD5

                                            49aebf8cbd62d92ac215b2923fb1b9f5

                                            SHA1

                                            1723be06719828dda65ad804298d0431f6aff976

                                            SHA256

                                            b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                            SHA512

                                            bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                          • C:\Users\Admin\AppData\Local\Temp\Tar327B.tmp

                                            Filesize

                                            181KB

                                            MD5

                                            4ea6026cf93ec6338144661bf1202cd1

                                            SHA1

                                            a1dec9044f750ad887935a01430bf49322fbdcb7

                                            SHA256

                                            8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                            SHA512

                                            6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                          • C:\Users\Admin\AppData\Local\Temp\UPAAmIRCFx.bat

                                            Filesize

                                            206B

                                            MD5

                                            71b20212f9aad7b171e8d5da2757e949

                                            SHA1

                                            42d77b945a2030d6676466881bb95d40c9a4e64b

                                            SHA256

                                            9db5f599003d6f7c070dce8048d109e9e14c59d201b5b3b44451a5d5e598f098

                                            SHA512

                                            7cc272dfad08c34e77ae01d435c93684cf2e2f4ce7427d19c55b407d68981864bcc054d053901545f25723251be40187d894db13ffa3fd669db4ae49eeb0d2e4

                                          • C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat

                                            Filesize

                                            206B

                                            MD5

                                            6dc3f5812a310e2533a5539f60c4b6d5

                                            SHA1

                                            e76f249f9f8c6eccf90550f082e7e378692cb9f5

                                            SHA256

                                            62c0673cc3584ca08c8788b3251c4095d4a77f4e81c60bc22b9a07b7e31f73f1

                                            SHA512

                                            da57b7d6124839a70d522af9a1cab3254867f46c22050479da77fb2b17a7de12e4eabee1fbb15008a4fc6121bc879afff8b7f6adb75828393dc8bc6f2c64f0c2

                                          • C:\Users\Admin\AppData\Local\Temp\evbbIz777a.bat

                                            Filesize

                                            206B

                                            MD5

                                            eec10e31db1028f03fecd8049a1733fe

                                            SHA1

                                            acd700c380a349538b66b78887498da148a6cad9

                                            SHA256

                                            537d8acc2c293783ab381ceec5489b8d02c6d491450b10affaa5896aafac34a7

                                            SHA512

                                            86db958bbe377566b1cf1d894ede5b0275a1c16e81a11efc9206137814d737255214b712df7b3c578eb63b366b4b90f84911a45babef9cea1459948f788cafe8

                                          • C:\Users\Admin\AppData\Local\Temp\gKSvXanOy6.bat

                                            Filesize

                                            206B

                                            MD5

                                            739c3c28d2051ec9a5449cd8943cb6f0

                                            SHA1

                                            f18b06b566af405c7c55962ae79361a5da80e382

                                            SHA256

                                            41d107e5efc79994ba9ee18e6ee29bd00449da7e15f5ff88772a6868e6ff5c00

                                            SHA512

                                            dc72d029e74f1c27a00ba92bf8d9cca740ea61ac4d4c8079cade87b9cdb0692fe8f4238af9bfccab2fb427735fbed010b3f799dfdf704eb94a80bb47783eaa20

                                          • C:\Users\Admin\AppData\Local\Temp\m1XclINWiF.bat

                                            Filesize

                                            206B

                                            MD5

                                            ff302f7f005ab533268d5f800c24b1e7

                                            SHA1

                                            b7191c894742f5ed3b5342a3a394c7191e377957

                                            SHA256

                                            e8a7e4842a27040c9160498918e1c48a6c8adc322f0224d1a4d37bae20aca548

                                            SHA512

                                            4c3cae811d16a04581ea0cef9a665cf602d76029e00a4862ad3ab66c74b3bff954f05431602c9bcb379550e525e8114eab55e26dcaf70c784eab1558bcc49d3c

                                          • C:\Users\Admin\AppData\Local\Temp\mNrvcGFykN.bat

                                            Filesize

                                            206B

                                            MD5

                                            252e7a5dff84c9eb6d8e5ac6dbef6b83

                                            SHA1

                                            e5e250290acd7a2464c577a9c414daf882576b26

                                            SHA256

                                            d35ff8c56872de057ec247442592083b6a5f6eeba76d83159cae2970ebd460c0

                                            SHA512

                                            2e2bdd12d42c263c6eb42c33503e2ed91b17dbfd37539082e3bbb74bbb013f8ede13dca0442c165c15934b431c5c82c96b6885a817be1d20b9bfd8ebf04fcff1

                                          • C:\Users\Admin\AppData\Local\Temp\niOj6yjqzp.bat

                                            Filesize

                                            206B

                                            MD5

                                            6516e58e9a0115e9a382a1795dcdcda9

                                            SHA1

                                            e41b7b6162ce0e118e394d3779937faf73a70262

                                            SHA256

                                            0a6b75130f8478a03e3d15c4860ae86c3307ddad9e8f48f829d96e9ec4231791

                                            SHA512

                                            702902bffe8c655ee335e66db6a2b9d839ee3fa5f2bd4044c233888cbb44515d0bb9cbe73c6f5ee8c282408aaf54f77dfd007f07484f73db374f20fbd3a73de5

                                          • C:\Users\Admin\AppData\Local\Temp\xEoBbgPmrR.bat

                                            Filesize

                                            206B

                                            MD5

                                            89ab5aefd66c89b03b1b26b8549c75b4

                                            SHA1

                                            27f39d6d52bfa95df666b3ef301ecf9ae9481137

                                            SHA256

                                            27dd48ada81dadf8ae171f4375749bedc441c503751b28dd17a51dac0d513385

                                            SHA512

                                            42052ee136e59288f03fa27439f949e0210fc43c6aff6e264e0100f58aea1cf2b12e3b32be1cfa242319d9f8d50666e57d58025b5d9a6eaac82b43cc95c88138

                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                            Filesize

                                            7KB

                                            MD5

                                            17a900ac5341f6d4c51dbb78c612a421

                                            SHA1

                                            091d935809ad88b0a31a524ceb4c4cdd2b26daa0

                                            SHA256

                                            e4f11f6561431f4970b723a71731ae1d9f55f38f2c776db5b4e60691f28d5d7e

                                            SHA512

                                            304e72010cb408c99ee17cb5a559a3f7507d14ad86cb89480376590dcda90cf7dff7e82e7c7df24eb42e1a29102f0dee982249f092f7386cd91fb2f97bc671d5

                                          • C:\providercommon\1zu9dW.bat

                                            Filesize

                                            36B

                                            MD5

                                            6783c3ee07c7d151ceac57f1f9c8bed7

                                            SHA1

                                            17468f98f95bf504cc1f83c49e49a78526b3ea03

                                            SHA256

                                            8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                            SHA512

                                            c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                          • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                            Filesize

                                            197B

                                            MD5

                                            8088241160261560a02c84025d107592

                                            SHA1

                                            083121f7027557570994c9fc211df61730455bb5

                                            SHA256

                                            2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                            SHA512

                                            20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                          • \providercommon\DllCommonsvc.exe

                                            Filesize

                                            1.0MB

                                            MD5

                                            bd31e94b4143c4ce49c17d3af46bcad0

                                            SHA1

                                            f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                            SHA256

                                            b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                            SHA512

                                            f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                          • memory/944-66-0x000000001B570000-0x000000001B852000-memory.dmp

                                            Filesize

                                            2.9MB

                                          • memory/1568-701-0x0000000001080000-0x0000000001190000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/1648-160-0x0000000000090000-0x00000000001A0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/1980-460-0x0000000000BB0000-0x0000000000CC0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/1980-461-0x00000000003C0000-0x00000000003D2000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/2064-220-0x0000000000C30000-0x0000000000D40000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2140-280-0x0000000000230000-0x0000000000340000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2144-340-0x00000000009C0000-0x0000000000AD0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2244-67-0x00000000029A0000-0x00000000029A8000-memory.dmp

                                            Filesize

                                            32KB

                                          • memory/2484-101-0x0000000000B80000-0x0000000000C90000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2576-521-0x0000000000EC0000-0x0000000000FD0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2748-641-0x0000000000F60000-0x0000000001070000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2784-16-0x0000000000620000-0x000000000062C000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/2784-13-0x00000000012D0000-0x00000000013E0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2784-14-0x0000000000480000-0x0000000000492000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/2784-15-0x0000000000490000-0x000000000049C000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/2784-17-0x0000000000630000-0x000000000063C000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/2908-400-0x00000000000D0000-0x00000000001E0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/3068-581-0x0000000000EE0000-0x0000000000FF0000-memory.dmp

                                            Filesize

                                            1.1MB