Analysis

  • max time kernel
    141s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    30/12/2024, 01:49

General

  • Target

    JaffaCakes118_e24100430741ee06ae8852720bdc95c02c2f0bb4a0a56760cc430cce57c00b97.exe

  • Size

    1.3MB

  • MD5

    ff3a9be337595d83a4c9846298dd8c4b

  • SHA1

    79825cd5d335aebba58401308908cd9c4802ed81

  • SHA256

    e24100430741ee06ae8852720bdc95c02c2f0bb4a0a56760cc430cce57c00b97

  • SHA512

    558a5f228dbca8be20000f4a86c4e9581494d240ed9852837ea375217c659564ac0fcb155e01c718fd8c79203c0005d10017efee76db683e821dde6372d58c23

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 33 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 10 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e24100430741ee06ae8852720bdc95c02c2f0bb4a0a56760cc430cce57c00b97.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e24100430741ee06ae8852720bdc95c02c2f0bb4a0a56760cc430cce57c00b97.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2708
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2840
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2876
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1348
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1612
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:800
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1848
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Start Menu\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1696
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1764
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1536
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1544
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1784
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\Install\{5EB8F02B-573C-439E-BE36-635B3B6563D9}\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1756
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2400
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1652
          • C:\Users\Admin\Start Menu\csrss.exe
            "C:\Users\Admin\Start Menu\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1940
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l8nFZEr7oq.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2652
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2452
                • C:\Users\Admin\Start Menu\csrss.exe
                  "C:\Users\Admin\Start Menu\csrss.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2472
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3068
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:1124
                      • C:\Users\Admin\Start Menu\csrss.exe
                        "C:\Users\Admin\Start Menu\csrss.exe"
                        9⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1920
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zcl4dB2r8y.bat"
                          10⤵
                            PID:3032
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              11⤵
                                PID:2568
                              • C:\Users\Admin\Start Menu\csrss.exe
                                "C:\Users\Admin\Start Menu\csrss.exe"
                                11⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2920
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cOf3pucYXi.bat"
                                  12⤵
                                    PID:2212
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      13⤵
                                        PID:1252
                                      • C:\Users\Admin\Start Menu\csrss.exe
                                        "C:\Users\Admin\Start Menu\csrss.exe"
                                        13⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2980
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat"
                                          14⤵
                                            PID:1732
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              15⤵
                                                PID:1100
                                              • C:\Users\Admin\Start Menu\csrss.exe
                                                "C:\Users\Admin\Start Menu\csrss.exe"
                                                15⤵
                                                • Executes dropped EXE
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2016
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WYuyh03jyF.bat"
                                                  16⤵
                                                    PID:1904
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      17⤵
                                                        PID:332
                                                      • C:\Users\Admin\Start Menu\csrss.exe
                                                        "C:\Users\Admin\Start Menu\csrss.exe"
                                                        17⤵
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:744
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Xnyek1SZun.bat"
                                                          18⤵
                                                            PID:3016
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              19⤵
                                                                PID:2948
                                                              • C:\Users\Admin\Start Menu\csrss.exe
                                                                "C:\Users\Admin\Start Menu\csrss.exe"
                                                                19⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:2588
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IycQG8Pfyu.bat"
                                                                  20⤵
                                                                    PID:2896
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      21⤵
                                                                        PID:1804
                                                                      • C:\Users\Admin\Start Menu\csrss.exe
                                                                        "C:\Users\Admin\Start Menu\csrss.exe"
                                                                        21⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:2468
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TBzEQtkdDl.bat"
                                                                          22⤵
                                                                            PID:1800
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              23⤵
                                                                                PID:268
                                                                              • C:\Users\Admin\Start Menu\csrss.exe
                                                                                "C:\Users\Admin\Start Menu\csrss.exe"
                                                                                23⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:3004
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\53OVnhiNRT.bat"
                                                                                  24⤵
                                                                                    PID:2672
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      25⤵
                                                                                        PID:2548
                                                                                      • C:\Users\Admin\Start Menu\csrss.exe
                                                                                        "C:\Users\Admin\Start Menu\csrss.exe"
                                                                                        25⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:2500
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\ServiceProfiles\winlogon.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2724
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\winlogon.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2296
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\ServiceProfiles\winlogon.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2180
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:376
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:3048
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\conhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1804
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1792
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2520
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\wininit.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2852
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Start Menu\csrss.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2144
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2000
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Start Menu\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1996
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1776
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2664
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2672
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1108
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2928
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2964
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1152
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1100
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:288
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\explorer.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2580
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\explorer.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:740
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\explorer.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1768
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\Install\{5EB8F02B-573C-439E-BE36-635B3B6563D9}\smss.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2284
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Install\{5EB8F02B-573C-439E-BE36-635B3B6563D9}\smss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2436
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\Install\{5EB8F02B-573C-439E-BE36-635B3B6563D9}\smss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:3008
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2464
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:600
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1604
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2476
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1680
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1232

                                      Network

                                            MITRE ATT&CK Enterprise v15


                                            Downloads

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B


                                            • C:\Users\Admin\AppData\Local\Temp\53OVnhiNRT.bat

                                              Filesize

                                              200B


                                            • C:\Users\Admin\AppData\Local\Temp\CabCFEE.tmp

                                              Filesize

                                              70KB


                                            • C:\Users\Admin\AppData\Local\Temp\IycQG8Pfyu.bat

                                              Filesize

                                              200B


                                            • C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat

                                              Filesize

                                              200B


                                            • C:\Users\Admin\AppData\Local\Temp\TBzEQtkdDl.bat

                                              Filesize

                                              200B


                                            • C:\Users\Admin\AppData\Local\Temp\TarD020.tmp

                                              Filesize

                                              181KB


                                            • C:\Users\Admin\AppData\Local\Temp\WYuyh03jyF.bat

                                              Filesize

                                              200B


                                            • C:\Users\Admin\AppData\Local\Temp\Xnyek1SZun.bat

                                              Filesize

                                              200B


                                            • C:\Users\Admin\AppData\Local\Temp\Zcl4dB2r8y.bat

                                              Filesize

                                              200B


                                            • C:\Users\Admin\AppData\Local\Temp\cOf3pucYXi.bat

                                              Filesize

                                              200B


                                            • C:\Users\Admin\AppData\Local\Temp\l8nFZEr7oq.bat

                                              Filesize

                                              200B


                                            • C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat

                                              Filesize

                                              200B


                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                              Filesize

                                              7KB


                                            • C:\providercommon\1zu9dW.bat

                                              Filesize

                                              36B


                                            • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                              Filesize

                                              197B


                                            • \providercommon\DllCommonsvc.exe

                                              Filesize

                                              1.0MB

