Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2024, 17:39

General

  • Target

    JaffaCakes118_4d43dfa39b21bcc3e686200a2cba050abfe099744f6ad8596f41934e3d8ee6ca.exe

  • Size

    1.3MB

  • MD5

    9fc4cfa3e04730f1809f4c6f1af4372f

  • SHA1

    281ce35c070b075e8d871e5603eb654c4006e8a3

  • SHA256

    4d43dfa39b21bcc3e686200a2cba050abfe099744f6ad8596f41934e3d8ee6ca

  • SHA512

    3df27f66fe80cc5895b0b9e7ac0bc1b55216f60084874bd9b5cc7aaaafe62809d0998f152dc35b06faf6c6ffd15902d6365939ee7fd3ed2bf6e167220ec69e90

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 45 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4d43dfa39b21bcc3e686200a2cba050abfe099744f6ad8596f41934e3d8ee6ca.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4d43dfa39b21bcc3e686200a2cba050abfe099744f6ad8596f41934e3d8ee6ca.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2260
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2728
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2872
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2524
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            PID:2372
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1564
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\System\fr-FR\WMIADAP.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1720
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1600
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WMIADAP.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2188
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellNew\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1116
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2532
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1516
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2548
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WMIADAP.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2268
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1988
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2812
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2200
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2456
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1620
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QoMnQPSfsQ.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2124
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2728
              • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe
                "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2308
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IycQG8Pfyu.bat"
                  7⤵
                    PID:2296
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      8⤵
                        PID:2036
                      • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe
                        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe"
                        8⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2952
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eTpA0L9dlX.bat"
                          9⤵
                            PID:2536
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              10⤵
                                PID:2836
                              • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe
                                "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe"
                                10⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1996
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vad0LeRbBz.bat"
                                  11⤵
                                    PID:1364
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      12⤵
                                        PID:1212
                                      • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe
                                        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe"
                                        12⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2748
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xghrCifyI9.bat"
                                          13⤵
                                            PID:1884
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              14⤵
                                                PID:1360
                                              • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe
                                                "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe"
                                                14⤵
                                                • Executes dropped EXE
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2744
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat"
                                                  15⤵
                                                    PID:2672
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      16⤵
                                                        PID:2924
                                                      • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe
                                                        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe"
                                                        16⤵
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1268
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KqyXtY4PgZ.bat"
                                                          17⤵
                                                            PID:1408
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              18⤵
                                                                PID:2820
                                                              • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe
                                                                "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe"
                                                                18⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:2880
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rBMLF9HJtT.bat"
                                                                  19⤵
                                                                    PID:656
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      20⤵
                                                                        PID:1104
                                                                      • C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe
                                                                        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe"
                                                                        20⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:2400
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2784
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2668
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2616
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2740
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1580
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2576
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\System\fr-FR\WMIADAP.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2296
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\fr-FR\WMIADAP.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1692
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\System\fr-FR\WMIADAP.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2832
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1136
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2608
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2852
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WMIADAP.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:740
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1948
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:852
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellNew\wininit.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1284
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\ShellNew\wininit.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1624
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\ShellNew\wininit.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1752
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2404
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1628
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2024
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\providercommon\explorer.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1332
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2288
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2252
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1156
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1632
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\csrss.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1964
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:688
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1704
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1184
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:328
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2420
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2004
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\csrss.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1060
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Libraries\csrss.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1416
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\csrss.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1816
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\LiveKernelReports\csrss.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2580
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\csrss.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1412
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\LiveKernelReports\csrss.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2356
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\Idle.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2488
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Downloads\Idle.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2960
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Downloads\Idle.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:2116
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1360
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:880
                                • C:\Windows\system32\schtasks.exe
                                  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
                                  1⤵
                                  • Process spawned unexpected child process
                                  • Scheduled Task/Job: Scheduled Task
                                  PID:1996

                                Network

                                      MITRE ATT&CK Enterprise v15

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        89413e84575a14c1605d6a49237740d2

                                        SHA1

                                        de6e323c52099254ca76a77b89e2c58f319946e8

                                        SHA256

                                        cac68d963197ea90c5e94c4bac184050c432242bcbf70ba4335c55051a5ad176

                                        SHA512

                                        5e0a7b3ee2d47b9bc390874e5382d6aff96347debc133b8fc1582112ba6d51e45ef457c84a2f20300787bac7bee4f76780cf40617aee17d07f5dfb2e0b8b6c8e

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        05d05eb66c1afc313ddaf77e609690ae

                                        SHA1

                                        ef7e86afbf56a406ff3988ccf032030d75891c2b

                                        SHA256

                                        bbf8f50724ca86a5bc51e3044c4fcfd7ab696731aa00bd9227a8050f45464cd4

                                        SHA512

                                        1562d45f076b35d16b95011d90189f09587a4a5a79d8b761c0342e67466aec7ed0b5a30a4f1f4b366a7dc6db339adb356d29f393a4a82256eb2c6e7d1e71d271

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        8c8ee121c631b4dcb205907bddda6f3d

                                        SHA1

                                        099b02792914a05d978fd85d157d6f9f40678cfe

                                        SHA256

                                        870bf723643726e3b7953be19b369c86183e2859d9a9c59d130e29b713ef9f1e

                                        SHA512

                                        da8fcf36e29320a060b5067db0f62f96011b9a665c6b6cc896b323e424f21750b94267f52fb141e73773eee84c6d4c328302e7864254c92facb862d5c804e8f6

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        c7e0a08e01413998cd2045c16e5e4f5f

                                        SHA1

                                        0dacb42f30fc44597c7deee327109df61fb74a81

                                        SHA256

                                        7f7dcf53562305a8447453acd833b0a4e5ea1e31c0cc8d055c97b5f559c78026

                                        SHA512

                                        3dee82cc4fb9bdd57006b112b6c8edbaf3eb2ad26eaddd24ce68858ea138eb983d2033ccf0a831c115be617a398fa292be0448e4d17e1cbfeefc3f6aeaed7986

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        5d361c22c750e1bf6cb70cb4386bfaed

                                        SHA1

                                        a4093c2223edae2fc4208d29c02a0302e3cd0930

                                        SHA256

                                        a3a413042f336152cc23915d943964f98ad4c6774bee3f4bc754e15b33c2f6cd

                                        SHA512

                                        42cb3017a3c5fd8dc6e060c4c5a0f3529e59dcb84994ca529c68d17d858366dfff27e9b2576f1b223c035d7096701fb4bddf8052fa9d7f2bacb048132ff93a17

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        51f9771b5d934cfeac454000ae3c5a5c

                                        SHA1

                                        1875512287291b04fcd7191281b8dd25c78702a5

                                        SHA256

                                        33603cf43a9850555a9e4f857ad32d262bf633f596f57b49e4eaf8f0c1455456

                                        SHA512

                                        daca928b1c95570c666c57c1a90d551311094609ab707ab41f67dde02d85c0a7f864a7d6864b7a888394d0209ce8db35445e69fcbb9908762c7f07610297005d

                                      • C:\Users\Admin\AppData\Local\Temp\Cab7042.tmp

                                        Filesize

                                        70KB

                                        MD5

                                        49aebf8cbd62d92ac215b2923fb1b9f5

                                        SHA1

                                        1723be06719828dda65ad804298d0431f6aff976

                                        SHA256

                                        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                        SHA512

                                        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                      • C:\Users\Admin\AppData\Local\Temp\IycQG8Pfyu.bat

                                        Filesize

                                        235B

                                        MD5

                                        2c79c409fda4e603cd46925b0446ed1e

                                        SHA1

                                        c6959cfc5ccf00423e4ff14cb452569873525253

                                        SHA256

                                        d59a962929d2ce6ee11d03051314364ebf0bb9f9b84490698101ccb195dee6b6

                                        SHA512

                                        53dbb13dc3112a77cb01fe8cc228cad2029a30f003cc0b5e37b63c23eeba397cb683d1a58fba0d39a6d0e6ad96f171c42f409a56caf356cc8a9c8d0d6a0e646d

                                      • C:\Users\Admin\AppData\Local\Temp\KqyXtY4PgZ.bat

                                        Filesize

                                        235B

                                        MD5

                                        d608a22338687b206a4a9bc1c072e964

                                        SHA1

                                        c86b0dfa791f6ba5065facb4ad4aa9422168ee4d

                                        SHA256

                                        ce6a8ef05f656c4ada0db88916a8d9e4296964329206cdfcbcadd7eecb5b8b0e

                                        SHA512

                                        5ac086528e1444ae53ead11d3edff0c28e7d52d78c25a681081797a05328734d68f1b237175a907101d60783073cf31f7014e2bec93bb3b5abc261e426a19bcc

                                      • C:\Users\Admin\AppData\Local\Temp\QoMnQPSfsQ.bat

                                        Filesize

                                        235B

                                        MD5

                                        0ef7f3ccf8160ac2da674eb8ca060de9

                                        SHA1

                                        13c4d12b4ba398d4997d83ddada05ef99f6b0fee

                                        SHA256

                                        c1065893a278c8c6f6795533220a76d8fceded49c28b427bb24f60f587bd42fe

                                        SHA512

                                        786ac8c9c155fe8ada98285edd2456ec190f88cab0512d0f1b10ba9afc7266465686052ed12752daf153fe1aa290f147b8150d97a303c692860e84a0da87dcb3

                                      • C:\Users\Admin\AppData\Local\Temp\Tar7093.tmp

                                        Filesize

                                        181KB

                                        MD5

                                        4ea6026cf93ec6338144661bf1202cd1

                                        SHA1

                                        a1dec9044f750ad887935a01430bf49322fbdcb7

                                        SHA256

                                        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                        SHA512

                                        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                      • C:\Users\Admin\AppData\Local\Temp\eTpA0L9dlX.bat

                                        Filesize

                                        235B

                                        MD5

                                        88caa2e1f2f7d711e07785276788df31

                                        SHA1

                                        1d67339d8b833c549898f7888b890b5166ff1b48

                                        SHA256

                                        b976f3aa672fdc26fea443d595d6acd7fe37b81afe0573c8fa638537a5ecc7ed

                                        SHA512

                                        f8ef38175b5fc03dd3f264929ce48d8a065f1573ca11371038ff857f59277dd5b6d1528204678e6731c195b0786cccd34df6aee18137b8ded5885f6692a7bfcc

                                      • C:\Users\Admin\AppData\Local\Temp\rBMLF9HJtT.bat

                                        Filesize

                                        235B

                                        MD5

                                        942f5c8bf1b0de94adc9d757e053e940

                                        SHA1

                                        5e84f898e7b1dc261b49d713802a722ff521636a

                                        SHA256

                                        681eacfd51ea9a234cd20ef9d559c9b686d20b974d98293cb075c5d4c6fd0ec3

                                        SHA512

                                        6e5123582f4143c102f8e1be15eeddbbd6fb7a77ebe91e95a5488b955ef1336e0db45cbea6dc19a085ce2258b1193200f40f7f5f866184f6a048071f347f4e1b

                                      • C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat

                                        Filesize

                                        235B

                                        MD5

                                        538234f563e05be2b20a0b74dd803284

                                        SHA1

                                        e27675d0e7999a6bbc72189bad7594c49cdb26b8

                                        SHA256

                                        ed7bf5bb9c24aaca01e09bc5144b83b4857c118adf1cc3e323e9c79867e61a1d

                                        SHA512

                                        4b7cdbd7acf10d2556dc2ada227dcd52104633d28b2fa509b660ee8f90657e3dcfba9f4a420db321914a7869b85d25d0c8c4fe793f08dcf47065b87480f4eb8f

                                      • C:\Users\Admin\AppData\Local\Temp\vad0LeRbBz.bat

                                        Filesize

                                        235B

                                        MD5

                                        0b808b83436188c42fa2bbccfe9d4165

                                        SHA1

                                        42e1777fcd7263edbdd1b277b8127ccaf3c62d43

                                        SHA256

                                        72ef496a723a3196e45848b5475948282b5ba33f0ed5877d654fc4c03e106174

                                        SHA512

                                        4a9e026083814631060ebe0a17208c0efeb8d06343adb853619b63adeab259626d44cc815f6807e6d8cf3b1eb976b03c327920a4abc654117d062a9178b25bef

                                      • C:\Users\Admin\AppData\Local\Temp\xghrCifyI9.bat

                                        Filesize

                                        235B

                                        MD5

                                        b05082e1756d74d400c57d090d3d7af7

                                        SHA1

                                        0ff7c577840ac2e7ec0f0e22f704925e0a1d6689

                                        SHA256

                                        18afa910b7400d7d16fb90b315a2786afc7ecea92625b67c46a92295591fbfca

                                        SHA512

                                        35a428927805fbbd895d3975881f6b0851f3d4aa6a8630820936e8b4568a542af1a419f71497c51781b61c0453d3f541eed8c7801a25b7f8f18c2b06f9fc8914

                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8S5XH4VXU0G09IJVW2W8.temp

                                        Filesize

                                        7KB

                                        MD5

                                        6853416e801d22d545c15d3359b12a19

                                        SHA1

                                        7be6361e4344de04ea94ba43237d24c625eb3ec6

                                        SHA256

                                        6af5e381aa605a457dc3de625c3009275a7e318f2bd14ae0a8641718e4b68bbe

                                        SHA512

                                        872dccd27e2e0d5671ac0cb78e032d11b75709c3af834f13265e17b34566ed098deb60eec3729d8525c01149cc8c7690e7c584af82773863b8842075b15ded37

                                      • C:\providercommon\1zu9dW.bat

                                        Filesize

                                        36B

                                        MD5

                                        6783c3ee07c7d151ceac57f1f9c8bed7

                                        SHA1

                                        17468f98f95bf504cc1f83c49e49a78526b3ea03

                                        SHA256

                                        8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                        SHA512

                                        c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                      • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                        Filesize

                                        197B

                                        MD5

                                        8088241160261560a02c84025d107592

                                        SHA1

                                        083121f7027557570994c9fc211df61730455bb5

                                        SHA256

                                        2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                        SHA512

                                        20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                      • \providercommon\DllCommonsvc.exe

                                        Filesize

                                        1.0MB

                                        MD5

                                        bd31e94b4143c4ce49c17d3af46bcad0

                                        SHA1

                                        f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                        SHA256

                                        b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                        SHA512

                                        f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                      • memory/1268-427-0x0000000000C00000-0x0000000000D10000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/1564-75-0x000000001B0E0000-0x000000001B3C2000-memory.dmp

                                        Filesize

                                        2.9MB

                                      • memory/1720-82-0x0000000002410000-0x0000000002418000-memory.dmp

                                        Filesize

                                        32KB

                                      • memory/2308-127-0x00000000008C0000-0x00000000009D0000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2400-547-0x0000000000050000-0x0000000000160000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2400-548-0x0000000000450000-0x0000000000462000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/2744-367-0x0000000000730000-0x0000000000742000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/2744-366-0x0000000000330000-0x0000000000440000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2748-306-0x0000000000170000-0x0000000000280000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2872-17-0x0000000000670000-0x000000000067C000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/2872-16-0x0000000000660000-0x000000000066C000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/2872-15-0x00000000005D0000-0x00000000005DC000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/2872-14-0x00000000005C0000-0x00000000005D2000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/2872-13-0x0000000000F40000-0x0000000001050000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2880-487-0x0000000001220000-0x0000000001330000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2952-187-0x0000000000140000-0x0000000000152000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/2952-186-0x0000000000DB0000-0x0000000000EC0000-memory.dmp

                                        Filesize

                                        1.1MB