Analysis

  • max time kernel
    142s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
  • submitted
    22-12-2024 12:06

General

  • Target

    JaffaCakes118_45b1101db40862e508da8c1023e7b0feb3800b58366fc668d94f1dda43ccc80f.exe

  • Size

    1.3MB

  • MD5

    2d031c806a969795b90cb3cea133b80e

  • SHA1

    23b3130dcf218b1f8c6ace8c7485cfdcd47d9163

  • SHA256

    45b1101db40862e508da8c1023e7b0feb3800b58366fc668d94f1dda43ccc80f

  • SHA512

    a1bb5ce339ae792c10152d7a00013d5ef662cbde68f8da3be5d8fe156b0e8798ca4f16505f10d52e96eae7ce4b8ba8aa4752b715ffdee3c72e4adb8c78d44d1f

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 33 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 11 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 23 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_45b1101db40862e508da8c1023e7b0feb3800b58366fc668d94f1dda43ccc80f.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_45b1101db40862e508da8c1023e7b0feb3800b58366fc668d94f1dda43ccc80f.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2212
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2892
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2328
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2052
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1464
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1916
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\ShellBrd\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2144
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2396
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:932
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1596
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2388
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1780
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2204
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:908
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:236
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6ossFTShKU.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2880
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2236
              • C:\Program Files (x86)\Windows Portable Devices\lsm.exe
                "C:\Program Files (x86)\Windows Portable Devices\lsm.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2116
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xc1v93Hoh1.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1736
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:3008
                    • C:\Program Files (x86)\Windows Portable Devices\lsm.exe
                      "C:\Program Files (x86)\Windows Portable Devices\lsm.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1472
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n3vYZhDjEH.bat"
                        9⤵
                          PID:1560
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            10⤵
                              PID:2084
                            • C:\Program Files (x86)\Windows Portable Devices\lsm.exe
                              "C:\Program Files (x86)\Windows Portable Devices\lsm.exe"
                              10⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1448
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\moqrXfpsIj.bat"
                                11⤵
                                  PID:776
                                  • C:\Windows\system32\w32tm.exe
                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    12⤵
                                      PID:1168
                                    • C:\Program Files (x86)\Windows Portable Devices\lsm.exe
                                      "C:\Program Files (x86)\Windows Portable Devices\lsm.exe"
                                      12⤵
                                      • Executes dropped EXE
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2184
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat"
                                        13⤵
                                          PID:1720
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            14⤵
                                              PID:2100
                                            • C:\Program Files (x86)\Windows Portable Devices\lsm.exe
                                              "C:\Program Files (x86)\Windows Portable Devices\lsm.exe"
                                              14⤵
                                              • Executes dropped EXE
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2116
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat"
                                                15⤵
                                                  PID:3004
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    16⤵
                                                      PID:1248
                                                    • C:\Program Files (x86)\Windows Portable Devices\lsm.exe
                                                      "C:\Program Files (x86)\Windows Portable Devices\lsm.exe"
                                                      16⤵
                                                      • Executes dropped EXE
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:1780
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YpSpsobUXT.bat"
                                                        17⤵
                                                          PID:2328
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            18⤵
                                                              PID:2260
                                                            • C:\Program Files (x86)\Windows Portable Devices\lsm.exe
                                                              "C:\Program Files (x86)\Windows Portable Devices\lsm.exe"
                                                              18⤵
                                                              • Executes dropped EXE
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2932
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat"
                                                                19⤵
                                                                  PID:1016
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    20⤵
                                                                      PID:1348
                                                                    • C:\Program Files (x86)\Windows Portable Devices\lsm.exe
                                                                      "C:\Program Files (x86)\Windows Portable Devices\lsm.exe"
                                                                      20⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:956
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzxbGmHcY3.bat"
                                                                        21⤵
                                                                          PID:1684
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            22⤵
                                                                              PID:1824
                                                                            • C:\Program Files (x86)\Windows Portable Devices\lsm.exe
                                                                              "C:\Program Files (x86)\Windows Portable Devices\lsm.exe"
                                                                              22⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:2684
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat"
                                                                                23⤵
                                                                                  PID:236
                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    24⤵
                                                                                      PID:2840
                                                                                    • C:\Program Files (x86)\Windows Portable Devices\lsm.exe
                                                                                      "C:\Program Files (x86)\Windows Portable Devices\lsm.exe"
                                                                                      24⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:2196
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\wininit.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2760
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\wininit.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2356
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\wininit.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:640
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2556
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2724
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1600
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\Branding\ShellBrd\services.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2428
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\services.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2652
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\Branding\ShellBrd\services.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2352
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Cursors\csrss.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1888
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2112
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1476
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\audiodg.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1744
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\audiodg.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1208
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\audiodg.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2364
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1332
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2484
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:296
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2020
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1828
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2280
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2292
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1088
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2492
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1644
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2496
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1816
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Recent\spoolsv.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2300
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Recent\spoolsv.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1632
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Recent\spoolsv.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:584
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\Idle.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2228
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Favorites\Idle.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1100
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\Idle.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1824

                                      Network

                                      • flag-us
                                        DNS
                                        raw.githubusercontent.com
                                        lsm.exe
                                        Remote address:
                                        8.8.8.8:53
                                        Request
                                        raw.githubusercontent.com
                                        IN A
                                        Response
                                        raw.githubusercontent.com
                                        IN A
                                        185.199.110.133
                                        raw.githubusercontent.com
                                        IN A
                                        185.199.111.133
                                        raw.githubusercontent.com
                                        IN A
                                        185.199.109.133
                                        raw.githubusercontent.com
                                        IN A
                                        185.199.108.133
                                      • 185.199.110.133:443
                                        raw.githubusercontent.com
                                        tls
                                        lsm.exe
                                        741 B
                                        4.1kB
                                        9
                                        10
                                      • 185.199.110.133:443
                                        raw.githubusercontent.com
                                        tls
                                        lsm.exe
                                        793 B
                                        4.2kB
                                        10
                                        11
                                      • 185.199.110.133:443
                                        raw.githubusercontent.com
                                        tls
                                        lsm.exe
                                        793 B
                                        4.2kB
                                        10
                                        11
                                      • 185.199.110.133:443
                                        raw.githubusercontent.com
                                        tls
                                        lsm.exe
                                        741 B
                                        4.1kB
                                        9
                                        10
                                      • 185.199.110.133:443
                                        raw.githubusercontent.com
                                        tls
                                        lsm.exe
                                        741 B
                                        4.1kB
                                        9
                                        10
                                      • 185.199.110.133:443
                                        raw.githubusercontent.com
                                        tls
                                        lsm.exe
                                        793 B
                                        4.2kB
                                        10
                                        11
                                      • 185.199.110.133:443
                                        raw.githubusercontent.com
                                        tls
                                        lsm.exe
                                        741 B
                                        4.1kB
                                        9
                                        10
                                      • 185.199.110.133:443
                                        raw.githubusercontent.com
                                        tls
                                        lsm.exe
                                        793 B
                                        4.2kB
                                        10
                                        11
                                      • 185.199.110.133:443
                                        raw.githubusercontent.com
                                        tls
                                        lsm.exe
                                        793 B
                                        4.2kB
                                        10
                                        11
                                      • 8.8.8.8:53
                                        raw.githubusercontent.com
                                        dns
                                        lsm.exe
                                        71 B
                                        135 B
                                        1
                                        1

                                        DNS Request

                                        raw.githubusercontent.com

                                        DNS Response

                                        185.199.110.133
                                        185.199.111.133
                                        185.199.109.133
                                        185.199.108.133

                                      MITRE ATT&CK Enterprise v15

                                      Downloads

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                      • C:\Users\Admin\AppData\Local\Temp\6ossFTShKU.bat

                                        Filesize

                                        220B

                                      • C:\Users\Admin\AppData\Local\Temp\Cab39B8.tmp

                                        Filesize

                                        70KB

                                      • C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat

                                        Filesize

                                        220B

                                      • C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat

                                        Filesize

                                        220B

                                      • C:\Users\Admin\AppData\Local\Temp\Tar39CB.tmp

                                        Filesize

                                        181KB

                                      • C:\Users\Admin\AppData\Local\Temp\YpSpsobUXT.bat

                                        Filesize

                                        220B

                                      • C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat

                                        Filesize

                                        220B

                                      • C:\Users\Admin\AppData\Local\Temp\moqrXfpsIj.bat

                                        Filesize

                                        220B

                                      • C:\Users\Admin\AppData\Local\Temp\n3vYZhDjEH.bat

                                        Filesize

                                        220B

                                      • C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat

                                        Filesize

                                        220B

                                      • C:\Users\Admin\AppData\Local\Temp\qzxbGmHcY3.bat

                                        Filesize

                                        220B

                                      • C:\Users\Admin\AppData\Local\Temp\xc1v93Hoh1.bat

                                        Filesize

                                        220B

                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                        Filesize

                                        7KB

                                      • C:\providercommon\1zu9dW.bat

                                        Filesize

                                        36B

                                      • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                        Filesize

                                        197B

                                      • \providercommon\DllCommonsvc.exe

                                        Filesize

                                        1.0MB
