Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2024, 01:55

General

  • Target

    JaffaCakes118_9ce8d0981de0baec14529bed5fab731f2157e6a65a5dedbe028cc44aa202cf87.exe

  • Size

    1.3MB

  • MD5

    60b2c0573b64969507cf45e1bd455b7c

  • SHA1

    6bd82a7a32faf8a941940b1f3e7cb2ce54c868f4

  • SHA256

    9ce8d0981de0baec14529bed5fab731f2157e6a65a5dedbe028cc44aa202cf87

  • SHA512

    642d65e686c908c0ce383cff9a76523972c8d793eca77f4e2385b2b011481adc8492ff8fb7df165384eec3e31c9bda6d941da4c4d15e322f42ebc8886dbf1d3b

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 33 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 11 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ce8d0981de0baec14529bed5fab731f2157e6a65a5dedbe028cc44aa202cf87.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9ce8d0981de0baec14529bed5fab731f2157e6a65a5dedbe028cc44aa202cf87.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2312
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2476
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2368
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1776
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2300
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:800
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2040
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:688
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Music\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1240
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1004
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1148
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:548
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:972
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\es-ES\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1388
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1768
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\ja-JP\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1696
          • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe
            "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2556
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V68XQM6FdC.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2388
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2700
                • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe
                  "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2616
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dbjknkRRi.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1824
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:2996
                      • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe
                        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"
                        9⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2124
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yXZnhMCmO6.bat"
                          10⤵
                            PID:1148
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              11⤵
                                PID:2692
                              • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe
                                "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"
                                11⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2592
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yNYzWO1Iaj.bat"
                                  12⤵
                                    PID:2072
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      13⤵
                                        PID:2436
                                      • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe
                                        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"
                                        13⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2724
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat"
                                          14⤵
                                            PID:1680
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              15⤵
                                                PID:2476
                                              • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe
                                                "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"
                                                15⤵
                                                • Executes dropped EXE
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2796
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V68XQM6FdC.bat"
                                                  16⤵
                                                    PID:2344
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      17⤵
                                                        PID:1368
                                                      • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe
                                                        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"
                                                        17⤵
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1740
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2mwtwHUJyt.bat"
                                                          18⤵
                                                            PID:1748
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              19⤵
                                                                PID:608
                                                              • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe
                                                                "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"
                                                                19⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:2912
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lAZRwHYzWc.bat"
                                                                  20⤵
                                                                    PID:1512
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      21⤵
                                                                        PID:1500
                                                                      • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe
                                                                        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"
                                                                        21⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:2196
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat"
                                                                          22⤵
                                                                            PID:1072
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              23⤵
                                                                                PID:2488
                                                                              • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe
                                                                                "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"
                                                                                23⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:1012
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ww4YVzclJm.bat"
                                                                                  24⤵
                                                                                    PID:2904
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      25⤵
                                                                                        PID:1028
                                                                                      • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe
                                                                                        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe"
                                                                                        25⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:584
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2964
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2724
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2712
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\services.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2736
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2684
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2752
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1916
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2320
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1340
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Documents\My Music\lsm.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1076
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\lsm.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2440
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Music\lsm.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1504
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\OSPPSVC.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:820
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\OSPPSVC.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1876
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\OSPPSVC.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1928
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1948
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1248
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1560
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2980
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2560
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dllhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2788
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2272
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2288
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\spoolsv.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2204
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\System.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2212
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\es-ES\System.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1624
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\System.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1036
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Music\conhost.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1100
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\Music\conhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2088
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Music\conhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:3004
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\ja-JP\OSPPSVC.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:896
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\OSPPSVC.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1380
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\ja-JP\OSPPSVC.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2484

                                      Network

                                            MITRE ATT&CK Enterprise v15

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              783069a00b32c9e17172790ce898ee29

                                              SHA1

                                              dd57fa3c62b022d04d9fc3c8e76e95945e0850a1

                                              SHA256

                                              72c99096ec569f4c741d1a81e24e23eb709414fc0279f84689db5be0c29b0a2d

                                              SHA512

                                              64f17af10d6af2829fbfc870f8d68577e07c518c09651a9c52512979e446194ae4b1b3da570855a5010ad3346ba25ba201557943f4fa81b88d4ff39a8e352c21

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              8443d092e2281c8c36954be8f8457b4a

                                              SHA1

                                              9a15a8ff36227e84d38918fddde3ff0def54e2b3

                                              SHA256

                                              f221e1068b9501d83ef65449ed119226d7cc246b13fd8e225fbe770585b51d9b

                                              SHA512

                                              18ab433c239dd42fca7de57b523ae2e91cb5fabc1a50d5a5cdfe52bd00a2bae7a6c64d79aace54d10829c70cb9e635d40cf2c0afa699c1ea9b3d6b5f78844ef9

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              bbaf7002d5d3b44c6fbc2cfdde1a8180

                                              SHA1

                                              3e59067565a024a8d82223d600f6b80c984d5f2d

                                              SHA256

                                              685b5fb21073ef27e638c59dfe6894ad01439a3ea9abff89fe127e8510b56b20

                                              SHA512

                                              10a26c36b6544b9a3c0a7352fb7cc681276e73beb6c9480ba119234e43d1536d0991a27c3339e7f168d0851afa97d0ca89728163f63c268ac724c87da4e01f87

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              98ea63db929993ed8e2aa9c01182649a

                                              SHA1

                                              30d5a4f1b5e8200416471f07d4a48e6e523226e6

                                              SHA256

                                              e177eee0ab37337d068e04e757194498488960a8989c8b2a0b71e88e7165e0d3

                                              SHA512

                                              433630d2246255e0c433392144ca0b5498b008b5b4a35fa4d9b19bfee00832d18f6bd0a421b2a1d033bc97cde69cf377a1e2842072baf608edd47a84d6b6cf68

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              5a6dbbd14af7f75ac146fb27a8199e77

                                              SHA1

                                              318371b11a337a8176b33f3224e94e828f6bf1e6

                                              SHA256

                                              7b6992dd8f6f88dd0e0caafe56056f6ca9929023510d5b4aa91efac44587d3ee

                                              SHA512

                                              33dc63d882d344ec18a44d246ae51ebef7d5042987cd748548ae007a56417924aaf1fac820f20d841f87624e0199c4630b202b460f32590acf060aea24d79e55

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              d991a67d826b6e066aa0e65165787a3e

                                              SHA1

                                              09a26319f06e06596d50e52e90cf17f0b8140e97

                                              SHA256

                                              fbaf0cc460a12aec2beaf8e7d4536d7cb552815998ad764602784d66213cb05a

                                              SHA512

                                              400a4ebe3609205b9df40d0b5857fe3176e1f46666cb13f8d0415727031f38be34f6a3044b5a52585e7bfa5cd762388d3e694e7be86dc27ae7798ca51972080f

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              c9d4b6b35642f567a8e2d76d5532ad1d

                                              SHA1

                                              515fece0d7ba608235439571145bccc174dbc1ec

                                              SHA256

                                              3753422c7e55194e434897d1158ebb51bbb94b6d82d75b9257f5855e4e092313

                                              SHA512

                                              e89409162047f52509e3b0e8329734297e531516ac6f2092e07ca6a4b5545df320c0ade4777799b12245ebf63d70246f8a6c2f7cd05679e704c8a56a61a6e656

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              15659e58bab4488dbfec3cc5b1db48c7

                                              SHA1

                                              680637be9590a7b7e54baa570aee4977b2d3f7d9

                                              SHA256

                                              52e338db0d0304c8f2dc5d3f037735950deda44e189c63c54ee084139c6d9934

                                              SHA512

                                              16a4cd8898c7386a69242c7ab33df6e9aefdc2a95d48eb6d5fd7f60d649094e5c1f87c8f445ff87055225f7b11a2cd11ba90ab56146d223dd195652320e34823

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              d0a254331c8a66a77ed64cb1bab2764e

                                              SHA1

                                              8111ee46dd12133dea9ba16bb132c4c1b4511589

                                              SHA256

                                              45d365d406a27de61101ffd8302bcf7927c7f65b6385a2a69340e518a8c81f48

                                              SHA512

                                              e861aadfaf4039d7520de8a46c9ae786b6fe84503476f75097e657290647180625fb205ea20221b51ec3fcc6f5e86350151a8bf901f91d522729ebe18f8026e3

                                            • C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat

                                              Filesize

                                              239B

                                              MD5

                                              b99769a7f0b1a29ffb3fee2dd1457f9e

                                              SHA1

                                              b617731aa591aa9cdc0e338f79a024044645931f

                                              SHA256

                                              976a592530566fe822f4ffc5ff13ac7d4959ccc4635ad644e6c728347f3953ac

                                              SHA512

                                              1e1f2b8bd8399a486660ca689ea0875aa8742008268c3e11e728390e33c3df82d6bac2efd9b6265a2f70a8fd1d1426b4a143849034e45510fcfb6dc965c4e8d4

                                            • C:\Users\Admin\AppData\Local\Temp\2mwtwHUJyt.bat

                                              Filesize

                                              239B

                                              MD5

                                              920575c85742419be142913a8e9b8661

                                              SHA1

                                              d799f68c8d66c2bbd0ec723c1b8d33f9e0dfe5c7

                                              SHA256

                                              941a3c2d13d5566f18ef597a556e023dd1e5235ace94a4f43edc156d72e25ccb

                                              SHA512

                                              17eec57dd00207ce8f86acd64356be81b744773782e15cb937b4ada551bfdd9d156026e0d024f05abd4c0e9e80293cab7f7af5b35ce180d2ea32126adcbcb695

                                            • C:\Users\Admin\AppData\Local\Temp\9dbjknkRRi.bat

                                              Filesize

                                              239B

                                              MD5

                                              dbf3432ac6bfb2c340b6c1f162486703

                                              SHA1

                                              131f30ba232e57183106affe6f71660fb72ee88b

                                              SHA256

                                              4159bbf99935430aae8f8b98f1fec1ee35a2e1e0d884a2b912214978b9f8f65b

                                              SHA512

                                              4b9667d112560bce165a5ae3cb61b22fe40fb8605a5bc2d75c85e675473f29602713763623c11d75c6ef63f1c5123ccb613e242517581d98ce746be3e4544ecc

                                            • C:\Users\Admin\AppData\Local\Temp\Cab2F0.tmp

                                              Filesize

                                              70KB

                                              MD5

                                              49aebf8cbd62d92ac215b2923fb1b9f5

                                              SHA1

                                              1723be06719828dda65ad804298d0431f6aff976

                                              SHA256

                                              b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                              SHA512

                                              bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                            • C:\Users\Admin\AppData\Local\Temp\Tar302.tmp

                                              Filesize

                                              181KB

                                              MD5

                                              4ea6026cf93ec6338144661bf1202cd1

                                              SHA1

                                              a1dec9044f750ad887935a01430bf49322fbdcb7

                                              SHA256

                                              8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                              SHA512

                                              6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                            • C:\Users\Admin\AppData\Local\Temp\V68XQM6FdC.bat

                                              Filesize

                                              239B

                                              MD5

                                              a362a3904881f6272d6c2556c8c8599c

                                              SHA1

                                              8273878b382d1ad0208d66d9b3da663348bb053b

                                              SHA256

                                              c91dd14c71164388489668ccf3bd5e7346c32db62df9126e356a340738c44414

                                              SHA512

                                              5b1c48fb3d9d15919a8acdaafb55ae137c959ca8bc9301411f947547eb27b3501a4eece63f4da9d27d363665c06072b1c4300d7c6a7de8d78083ea611c07dbe6

                                            • C:\Users\Admin\AppData\Local\Temp\lAZRwHYzWc.bat

                                              Filesize

                                              239B

                                              MD5

                                              e9da1f848f5a2b805010d5f190d992aa

                                              SHA1

                                              085ec80f2123eb0658b8a773c4c4288bdbdaa937

                                              SHA256

                                              07a3c51b269e1593e8b0299ce2999cf1952a24a655d54b10c7a1e2841f853f51

                                              SHA512

                                              749c2888bc026d1d50a76abb49f26c721bf0faaabdc7d57ded0d388ad33d00703748a633dbd517efe10723fa37ff0283340864e73a6e9c35cb5ac5d9590fc4f7

                                            • C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat

                                              Filesize

                                              239B

                                              MD5

                                              5d077a555cc8be5c1a7ee6d619752253

                                              SHA1

                                              452cf4bc978a53c1d7f3d44c15594ad78dab491c

                                              SHA256

                                              8c1c90267bf73b58c2ed66e0270f837070e7fc12b3cb5dada21d9373916d1482

                                              SHA512

                                              71308aeb9c73ba05c85a59753de060af4832b5ce53efc3c1999a1584ce2daa65c88cb4fa871eeb382f83955a0b9740c30fa6fad4fa819b6b6ef2c37b069318a5

                                            • C:\Users\Admin\AppData\Local\Temp\ww4YVzclJm.bat

                                              Filesize

                                              239B

                                              MD5

                                              5ed599b41a262d012037c545ea82de98

                                              SHA1

                                              d1e6e6a7e3417cf09619a4331810f89a30a81dd9

                                              SHA256

                                              b49ed7b712324175557756014c40cbe65e96122d5cc0167995cb570af374e65f

                                              SHA512

                                              67bd77f6a22712fe35019ba87e3f1c261cbc43ef98da4c106b775f2594ffb648cef0ef4da6248b5b2920e601a47be0d511acfab945f00d5627dbbe7f28b3aaa0

                                            • C:\Users\Admin\AppData\Local\Temp\yNYzWO1Iaj.bat

                                              Filesize

                                              239B

                                              MD5

                                              e13be3f522d5833ffbcc3724ab8676de

                                              SHA1

                                              cdc5c4f0f628e3fc2a5b9d9a198027b56cf10e62

                                              SHA256

                                              e5676ba915fc13b569225f53969fb2390c5d53c9ed0d2b5830929f7adef9d732

                                              SHA512

                                              4c470b9fd13ee94fa75171dd1fa9735ff4b43f3a39b8e813a54a494ead946bdfb6ebfaebd90ae72069621e3809f7ac3c7402d3f51d7b2a829fe42f3075260b66

                                            • C:\Users\Admin\AppData\Local\Temp\yXZnhMCmO6.bat

                                              Filesize

                                              239B

                                              MD5

                                              6a75abe437d6375c85c46291b569d1c6

                                              SHA1

                                              2781f7e6d4b1490ce2c92c6e34b7b4bf509cede4

                                              SHA256

                                              f53255c6182924afa41715e8510d5ecfec98bcf1388388c20f22913457d15442

                                              SHA512

                                              d6d20915c05dce52ed9a295b509752d13bb3cd7bfc37d87d2715a64286d8f16129262c8ca2d61cac4e43ed9aa35a63b5e1b090b213cac0bcbd61ca8ca86a370f

                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BONJU275VGHHJID1ZABB.temp

                                              Filesize

                                              7KB

                                              MD5

                                              366cf488ad2d1c279619167919d506d7

                                              SHA1

                                              285a6726c1bf1232a85c700e9b34743eac093a36

                                              SHA256

                                              9fd2cf02179cdfc137c62442f4439dfa9f630b8c612b4035c51be9a23219ab98

                                              SHA512

                                              b687ec13dc6964d7f1ea2cede8d1d58d971ddd048e0d2a02b934a7d5935afc66c2f0c820d94c9fd90dc46b5035e50a3fd9884a44bb84b5489a413851d0df8b22

                                            • C:\providercommon\1zu9dW.bat

                                              Filesize

                                              36B

                                              MD5

                                              6783c3ee07c7d151ceac57f1f9c8bed7

                                              SHA1

                                              17468f98f95bf504cc1f83c49e49a78526b3ea03

                                              SHA256

                                              8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                              SHA512

                                              c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                            • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                              Filesize

                                              197B

                                              MD5

                                              8088241160261560a02c84025d107592

                                              SHA1

                                              083121f7027557570994c9fc211df61730455bb5

                                              SHA256

                                              2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                              SHA512

                                              20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                            • \providercommon\DllCommonsvc.exe

                                              Filesize

                                              1.0MB

                                              MD5

                                              bd31e94b4143c4ce49c17d3af46bcad0

                                              SHA1

                                              f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                              SHA256

                                              b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                              SHA512

                                              f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                            • memory/584-704-0x0000000000230000-0x0000000000340000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/1012-644-0x0000000000F30000-0x0000000001040000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/1740-464-0x00000000003B0000-0x00000000004C0000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/1776-16-0x0000000000250000-0x000000000025C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/1776-15-0x00000000002E0000-0x00000000002EC000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/1776-17-0x00000000002F0000-0x00000000002FC000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/1776-14-0x0000000000240000-0x0000000000252000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/1776-13-0x0000000000830000-0x0000000000940000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2196-584-0x0000000000ED0000-0x0000000000FE0000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2300-106-0x000000001B710000-0x000000001B9F2000-memory.dmp

                                              Filesize

                                              2.9MB

                                            • memory/2300-107-0x0000000001E60000-0x0000000001E68000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/2556-46-0x0000000000E80000-0x0000000000F90000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2616-166-0x00000000010B0000-0x00000000011C0000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2724-344-0x00000000001D0000-0x00000000002E0000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2796-404-0x0000000001350000-0x0000000001460000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2912-524-0x0000000000C60000-0x0000000000D70000-memory.dmp

                                              Filesize

                                              1.1MB