Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
  • submitted
    22-12-2024 07:17

General

  • Target

    JaffaCakes118_cd6167201081d49cc7d345182e37b8c90a9e5e8e59a197c44415832d4d943a05.exe

  • Size

    1.3MB

  • MD5

    84de3f255557da4cfab6e677f221e62d

  • SHA1

    9ee230fa22db98e4d9bd337ad3a7b0727ec1335b

  • SHA256

    cd6167201081d49cc7d345182e37b8c90a9e5e8e59a197c44415832d4d943a05

  • SHA512

    dbba67a7d6547cae444edcaf7153200cbe148ef8b6f2b7910c9a408cdddbb42f779546dd673503c02caee0f64f9736f0d23118e7d6ab648b88e1979edade384c

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 36 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 7 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cd6167201081d49cc7d345182e37b8c90a9e5e8e59a197c44415832d4d943a05.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cd6167201081d49cc7d345182e37b8c90a9e5e8e59a197c44415832d4d943a05.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2052
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2484
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3016
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3048
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1612
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2392
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2624
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\es-ES\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2864
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2168
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:288
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1956
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:620
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\ja-JP\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1940
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WMIADAP.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3032
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1588
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2240
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2012
          • C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe
            "C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1544
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SzaURWjxsM.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1524
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:1708
                • C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe
                  "C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2424
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eR3ydISl4k.bat"
                    8⤵
                      PID:916
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        9⤵
                          PID:2108
                        • C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe
                          "C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe"
                          9⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2144
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c38FLB8gIG.bat"
                            10⤵
                              PID:1080
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                11⤵
                                  PID:1892
                                • C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe
                                  "C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe"
                                  11⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2572
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AJeLhFiBvb.bat"
                                    12⤵
                                      PID:888
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        13⤵
                                          PID:1668
                                        • C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe
                                          "C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe"
                                          13⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2284
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hc9iMPvVJ4.bat"
                                            14⤵
                                              PID:2424
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                15⤵
                                                  PID:916
                                                • C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe
                                                  "C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe"
                                                  15⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:352
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fq9TqI16of.bat"
                                                    16⤵
                                                      PID:1892
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        17⤵
                                                          PID:856
                                                        • C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe
                                                          "C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe"
                                                          17⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:648
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WYuyh03jyF.bat"
                                                            18⤵
                                                              PID:2304
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                19⤵
                                                                  PID:1708
                                                                • C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe
                                                                  "C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe"
                                                                  19⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2728
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tiHtiEmsSK.bat"
                                                                    20⤵
                                                                      PID:1416
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        21⤵
                                                                          PID:2864
                                                                        • C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe
                                                                          "C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe"
                                                                          21⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:704
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat"
                                                                            22⤵
                                                                              PID:2924
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                23⤵
                                                                                  PID:2696
                                                                                • C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe
                                                                                  "C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe"
                                                                                  23⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:2516
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yyRUJOSyqo.bat"
                                                                                    24⤵
                                                                                      PID:1512
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        25⤵
                                                                                          PID:1648
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\providercommon\smss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2816
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2824
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2440
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2700
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2548
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2456
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\winlogon.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2772
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\es-ES\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2544
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1636
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\explorer.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1368
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\explorer.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1388
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\explorer.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1812
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dwm.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1240
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1852
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2492
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2424
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1980
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1740
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\smss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1708
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\smss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1120
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\smss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:556
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\ja-JP\audiodg.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2844
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\ja-JP\audiodg.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2568
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\ja-JP\audiodg.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2876
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\providercommon\WMIADAP.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1900
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2368
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2512
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:448
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:856
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1920
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\sppsvc.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1556
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\sppsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2040
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\sppsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:992
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\System.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2336
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\System.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1672
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\System.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:920

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Downloads

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                        • C:\Users\Admin\AppData\Local\Temp\AJeLhFiBvb.bat

                                          Filesize

                                          224B

                                        • C:\Users\Admin\AppData\Local\Temp\CabF5F5.tmp

                                          Filesize

                                          70KB

                                        • C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat

                                          Filesize

                                          224B

                                        • C:\Users\Admin\AppData\Local\Temp\SzaURWjxsM.bat

                                          Filesize

                                          224B

                                        • C:\Users\Admin\AppData\Local\Temp\TarF684.tmp

                                          Filesize

                                          181KB

                                        • C:\Users\Admin\AppData\Local\Temp\WYuyh03jyF.bat

                                          Filesize

                                          224B

                                        • C:\Users\Admin\AppData\Local\Temp\c38FLB8gIG.bat

                                          Filesize

                                          224B

                                        • C:\Users\Admin\AppData\Local\Temp\eR3ydISl4k.bat

                                          Filesize

                                          224B

                                        • C:\Users\Admin\AppData\Local\Temp\fq9TqI16of.bat

                                          Filesize

                                          224B

                                        • C:\Users\Admin\AppData\Local\Temp\hc9iMPvVJ4.bat

                                          Filesize

                                          224B

                                        • C:\Users\Admin\AppData\Local\Temp\tiHtiEmsSK.bat

                                          Filesize

                                          224B

                                        • C:\Users\Admin\AppData\Local\Temp\yyRUJOSyqo.bat

                                          Filesize

                                          224B

                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                          Filesize

                                          7KB

                                        • C:\providercommon\1zu9dW.bat

                                          Filesize

                                          36B

                                        • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                          Filesize

                                          197B

                                        • \providercommon\DllCommonsvc.exe

                                          Filesize

                                          1.0MB

                                        • memory/648-470-0x00000000011D0000-0x00000000012E0000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/1544-48-0x0000000000190000-0x00000000002A0000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2424-173-0x0000000000FD0000-0x00000000010E0000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2516-648-0x00000000013A0000-0x00000000014B0000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2572-292-0x0000000001120000-0x0000000001230000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/3032-63-0x000000001B780000-0x000000001BA62000-memory.dmp

                                          Filesize

                                          2.9MB

                                        • memory/3032-69-0x0000000001E70000-0x0000000001E78000-memory.dmp

                                          Filesize

                                          32KB

                                        • memory/3048-17-0x00000000002F0000-0x00000000002FC000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/3048-16-0x00000000001D0000-0x00000000001DC000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/3048-15-0x00000000002E0000-0x00000000002EC000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/3048-14-0x00000000001C0000-0x00000000001D2000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/3048-13-0x0000000000B00000-0x0000000000C10000-memory.dmp

                                          Filesize

                                          1.1MB