Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    30/12/2024, 02:20

General

  • Target

    JaffaCakes118_88a89f51b09a9707a5e4ac9e60e076dc588cd32a5ef52180dbab5a44103cd2a2.exe

  • Size

    1.3MB

  • MD5

    087ec94d7adc88df60aa78bb8def7548

  • SHA1

    e6bfda2c1b9159104cdb61834aeb8f37adb432e0

  • SHA256

    88a89f51b09a9707a5e4ac9e60e076dc588cd32a5ef52180dbab5a44103cd2a2

  • SHA512

    a045878121fad3960916f9f77d13dd9f07b94955e7e6cf39f950793e9895526b67e054d0d08389829993d21d77673fb2a79417381a5f3b4bfd7766c8c735a684

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 33 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_88a89f51b09a9707a5e4ac9e60e076dc588cd32a5ef52180dbab5a44103cd2a2.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_88a89f51b09a9707a5e4ac9e60e076dc588cd32a5ef52180dbab5a44103cd2a2.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2460
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2468
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1796
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2676
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1664
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1732
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:908
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:848
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1752
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Start Menu\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1616
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2232
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\es-ES\WMIADAP.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1784
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2440
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1528
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2224
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\ja-JP\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1508
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D4akJCd5SR.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1864
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2008
              • C:\Windows\addins\cmd.exe
                "C:\Windows\addins\cmd.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:772
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tbw0avzYF4.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2640
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:1596
                    • C:\Windows\addins\cmd.exe
                      "C:\Windows\addins\cmd.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1856
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat"
                        9⤵
                          PID:2280
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            10⤵
                              PID:2916
                            • C:\Windows\addins\cmd.exe
                              "C:\Windows\addins\cmd.exe"
                              10⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2440
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kQw8FYVnXF.bat"
                                11⤵
                                  PID:2672
                                  • C:\Windows\system32\w32tm.exe
                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    12⤵
                                      PID:2696
                                    • C:\Windows\addins\cmd.exe
                                      "C:\Windows\addins\cmd.exe"
                                      12⤵
                                      • Executes dropped EXE
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2256
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GUMorhJGzB.bat"
                                        13⤵
                                          PID:900
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            14⤵
                                              PID:1928
                                            • C:\Windows\addins\cmd.exe
                                              "C:\Windows\addins\cmd.exe"
                                              14⤵
                                              • Executes dropped EXE
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:772
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tDjG3X7WPV.bat"
                                                15⤵
                                                  PID:1332
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    16⤵
                                                      PID:316
                                                    • C:\Windows\addins\cmd.exe
                                                      "C:\Windows\addins\cmd.exe"
                                                      16⤵
                                                      • Executes dropped EXE
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:1580
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\A1nTHBcTHH.bat"
                                                        17⤵
                                                          PID:2840
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            18⤵
                                                              PID:1052
                                                            • C:\Windows\addins\cmd.exe
                                                              "C:\Windows\addins\cmd.exe"
                                                              18⤵
                                                              • Executes dropped EXE
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2716
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5ldsg1wMto.bat"
                                                                19⤵
                                                                  PID:2372
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    20⤵
                                                                      PID:1936
                                                                    • C:\Windows\addins\cmd.exe
                                                                      "C:\Windows\addins\cmd.exe"
                                                                      20⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:932
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\niOj6yjqzp.bat"
                                                                        21⤵
                                                                          PID:1080
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            22⤵
                                                                              PID:2344
                                                                            • C:\Windows\addins\cmd.exe
                                                                              "C:\Windows\addins\cmd.exe"
                                                                              22⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:1632
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0ZxjVk2zv8.bat"
                                                                                23⤵
                                                                                  PID:2952
                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    24⤵
                                                                                      PID:1560
                                                                                    • C:\Windows\addins\cmd.exe
                                                                                      "C:\Windows\addins\cmd.exe"
                                                                                      24⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:1032
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JhFjyqSsxH.bat"
                                                                                        25⤵
                                                                                          PID:2680
                                                                                          • C:\Windows\system32\w32tm.exe
                                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                            26⤵
                                                                                              PID:2600
                                                                                            • C:\Windows\addins\cmd.exe
                                                                                              "C:\Windows\addins\cmd.exe"
                                                                                              26⤵
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:1252
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2796
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2248
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2744
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\providercommon\sppsvc.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2576
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2644
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2192
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\providercommon\lsass.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2164
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1996
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:820
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\providercommon\OSPPSVC.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2948
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2540
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2812
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Start Menu\audiodg.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2972
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\audiodg.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2092
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Start Menu\audiodg.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1968
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2376
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2108
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2004
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\es-ES\WMIADAP.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1908
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\WMIADAP.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2612
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\es-ES\WMIADAP.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2944
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Windows\addins\cmd.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1672
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\addins\cmd.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2088
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\cmd.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2536
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2212
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:916
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1104
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\spoolsv.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:692
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:316
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1360
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\explorer.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:308
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\explorer.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1604
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\explorer.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1568

                                          Network

                                                MITRE ATT&CK Enterprise v15

                                                Downloads

                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                  Filesize

                                                  342B

                                                • C:\Users\Admin\AppData\Local\Temp\0ZxjVk2zv8.bat

                                                  Filesize

                                                  190B

                                                • C:\Users\Admin\AppData\Local\Temp\5ldsg1wMto.bat

                                                  Filesize

                                                  190B

                                                • C:\Users\Admin\AppData\Local\Temp\A1nTHBcTHH.bat

                                                  Filesize

                                                  190B

                                                • C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat

                                                  Filesize

                                                  190B

                                                • C:\Users\Admin\AppData\Local\Temp\Cab1FB3.tmp

                                                  Filesize

                                                  70KB

                                                • C:\Users\Admin\AppData\Local\Temp\D4akJCd5SR.bat

                                                  Filesize

                                                  190B

                                                • C:\Users\Admin\AppData\Local\Temp\GUMorhJGzB.bat

                                                  Filesize

                                                  190B

                                                • C:\Users\Admin\AppData\Local\Temp\JhFjyqSsxH.bat

                                                  Filesize

                                                  190B

                                                • C:\Users\Admin\AppData\Local\Temp\Tar1FC5.tmp

                                                  Filesize

                                                  181KB

                                                • C:\Users\Admin\AppData\Local\Temp\kQw8FYVnXF.bat

                                                  Filesize

                                                  190B

                                                • C:\Users\Admin\AppData\Local\Temp\niOj6yjqzp.bat

                                                  Filesize

                                                  190B

                                                • C:\Users\Admin\AppData\Local\Temp\tDjG3X7WPV.bat

                                                  Filesize

                                                  190B

                                                • C:\Users\Admin\AppData\Local\Temp\tbw0avzYF4.bat

                                                  Filesize

                                                  190B

                                                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                  Filesize

                                                  7KB

                                                • C:\providercommon\1zu9dW.bat

                                                  Filesize

                                                  36B

                                                • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                  Filesize

                                                  197B

                                                • \providercommon\DllCommonsvc.exe

                                                  Filesize

                                                  1.0MB


                                                • memory/2676-14-0x00000000003C0000-0x00000000003D2000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/2676-15-0x00000000003E0000-0x00000000003EC000-memory.dmp

                                                  Filesize

                                                  48KB

                                                • memory/2676-16-0x00000000003F0000-0x00000000003FC000-memory.dmp

                                                  Filesize

                                                  48KB