f46f7329bc4eed48113e539f94c5cbf4987a03ce775d70f61467a8c66dab5ad2

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe
Size

195KB
MD5

02b5448c5b94cdccba39e558edc244f4
SHA1

c2412eb9496638d156e434cc8fdf843ee52552de
SHA256

f46f7329bc4eed48113e539f94c5cbf4987a03ce775d70f61467a8c66dab5ad2
SHA512

5910f40ae53b6a3030b7fb07cf48ecbf706e90f926d683afaa1cb3629ed1f8e9d2a233fc4514f4a21db5cefe868f8543d725a9371420a1dc8357e62f1ec8b130
SSDEEP

3072:H5yAzyrQ/yjBWe6WYhoDnDkh91pkoDjE/u2nfkMlDCvSxQN:Z8WytWuYhoExpkok22nfVGDN

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2240	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2764	taut.exe

Loads dropped DLL 2 IoCs

pid	Process
824	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe
824	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\{467C76B5-7524-7D8B-1CD7-921313E2C271} = "C:\\Users\\Admin\\AppData\\Roaming\\Igqaz\\taut.exe"	taut.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 824 set thread context of 2240	824	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe	51

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taut.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
1076	taskkill.exe
708	taskkill.exe
2572	taskkill.exe
2716	taskkill.exe
2616	taskkill.exe
2272	taskkill.exe
1028	taskkill.exe
2404	taskkill.exe
2148	taskkill.exe
2156	taskkill.exe
2116	taskkill.exe
1240	taskkill.exe
832	taskkill.exe
2892	taskkill.exe
1972	taskkill.exe
680	taskkill.exe
2368	taskkill.exe
2520	taskkill.exe
1620	taskkill.exe
2368	taskkill.exe
2944	taskkill.exe
2508	taskkill.exe
872	taskkill.exe
2080	taskkill.exe
680	taskkill.exe
2568	taskkill.exe
2488	taskkill.exe
1956	taskkill.exe
2520	taskkill.exe
2800	taskkill.exe
1060	taskkill.exe
1664	taskkill.exe
2688	taskkill.exe
2640	taskkill.exe
1424	taskkill.exe
872	taskkill.exe
1916	taskkill.exe
832	taskkill.exe
1576	taskkill.exe
2712	taskkill.exe
1068	taskkill.exe
1672	taskkill.exe
1736	taskkill.exe
1668	taskkill.exe
1728	taskkill.exe
1976	taskkill.exe
2148	taskkill.exe
2852	taskkill.exe
992	taskkill.exe
2040	taskkill.exe
1904	taskkill.exe
2968	taskkill.exe
288	taskkill.exe
1528	taskkill.exe
2644	taskkill.exe
2932	taskkill.exe
2924	taskkill.exe
2992	taskkill.exe
1144	taskkill.exe
924	taskkill.exe
2020	taskkill.exe
2572	taskkill.exe
1968	taskkill.exe
348	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Privacy	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
824	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe
824	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe
824	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe
824	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe
824	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe
2764	taut.exe
824	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe
2764	taut.exe
824	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe
2764	taut.exe
824	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe
824	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe
2764	taut.exe
2764	taut.exe
2240	cmd.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2516	cmd.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
2764	taut.exe
3016	cmd.exe
2764	taut.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2448	taskkill.exe
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeSecurityPrivilege	824	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe
Token: SeDebugPrivilege	2820	taskkill.exe
Token: SeDebugPrivilege	2916	taskkill.exe
Token: SeDebugPrivilege	2692	taskkill.exe
Token: SeDebugPrivilege	2272	taskkill.exe
Token: SeDebugPrivilege	1916	taskkill.exe
Token: SeDebugPrivilege	1968	taskkill.exe
Token: SeDebugPrivilege	1668	taskkill.exe
Token: SeDebugPrivilege	1664	taskkill.exe
Token: SeDebugPrivilege	316	taskkill.exe
Token: SeDebugPrivilege	2116	taskkill.exe
Token: SeDebugPrivilege	2380	taskkill.exe
Token: SeDebugPrivilege	1732	taskkill.exe
Token: SeDebugPrivilege	1976	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	1728	taskkill.exe
Token: SeDebugPrivilege	1240	taskkill.exe
Token: SeDebugPrivilege	1620	taskkill.exe
Token: SeDebugPrivilege	708	taskkill.exe
Token: SeDebugPrivilege	2432	taskkill.exe
Token: SeDebugPrivilege	2644	taskkill.exe
Token: SeDebugPrivilege	1120	taskkill.exe
Token: SeDebugPrivilege	3012	taskkill.exe
Token: SeDebugPrivilege	2712	taskkill.exe
Token: SeDebugPrivilege	288	taskkill.exe
Token: SeDebugPrivilege	1528	taskkill.exe
Token: SeDebugPrivilege	2924	taskkill.exe
Token: SeDebugPrivilege	2120	taskkill.exe
Token: SeDebugPrivilege	2404	taskkill.exe
Token: SeDebugPrivilege	992	taskkill.exe
Token: SeDebugPrivilege	1896	taskkill.exe
Token: SeDebugPrivilege	2572	taskkill.exe
Token: SeDebugPrivilege	2932	taskkill.exe
Token: SeDebugPrivilege	2368	taskkill.exe
Token: SeDebugPrivilege	1068	taskkill.exe
Token: SeDebugPrivilege	1932	taskkill.exe
Token: SeDebugPrivilege	2148	taskkill.exe
Token: SeDebugPrivilege	2576	taskkill.exe
Token: SeDebugPrivilege	2688	taskkill.exe
Token: SeDebugPrivilege	2520	taskkill.exe
Token: SeDebugPrivilege	348	taskkill.exe
Token: SeDebugPrivilege	2616	taskkill.exe
Token: SeDebugPrivilege	1824	taskkill.exe
Token: SeDebugPrivilege	1928	taskkill.exe
Token: SeDebugPrivilege	1916	taskkill.exe
Token: SeDebugPrivilege	1144	taskkill.exe
Token: SeDebugPrivilege	1424	taskkill.exe
Token: SeDebugPrivilege	1444	taskkill.exe
Token: SeDebugPrivilege	2148	taskkill.exe
Token: SeDebugPrivilege	2688	taskkill.exe
Token: SeDebugPrivilege	1268	taskkill.exe
Token: SeDebugPrivilege	2428	taskkill.exe
Token: SeDebugPrivilege	832	taskkill.exe
Token: SeDebugPrivilege	1624	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	1756	taskkill.exe
Token: SeDebugPrivilege	272	taskkill.exe
Token: SeDebugPrivilege	2296	taskkill.exe
Token: SeDebugPrivilege	2664	taskkill.exe
Token: SeDebugPrivilege	2568	taskkill.exe
Token: SeDebugPrivilege	1672	taskkill.exe
Token: SeDebugPrivilege	2608	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 1932	824	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe	93
PID 824 wrote to memory of 1932	824	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe	93
PID 824 wrote to memory of 1932	824	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe	93
PID 824 wrote to memory of 1932	824	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe	93
PID 1932 wrote to memory of 2448	1932	cmd.exe	33
PID 1932 wrote to memory of 2448	1932	cmd.exe	33
PID 1932 wrote to memory of 2448	1932	cmd.exe	33
PID 1932 wrote to memory of 2448	1932	cmd.exe	33
PID 824 wrote to memory of 2148	824	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe	148
PID 824 wrote to memory of 2148	824	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe	148
PID 824 wrote to memory of 2148	824	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe	148
PID 824 wrote to memory of 2148	824	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe	148
PID 2148 wrote to memory of 1660	2148	cmd.exe	95
PID 2148 wrote to memory of 1660	2148	cmd.exe	95
PID 2148 wrote to memory of 1660	2148	cmd.exe	95
PID 2148 wrote to memory of 1660	2148	cmd.exe	95
PID 824 wrote to memory of 2812	824	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe	38
PID 824 wrote to memory of 2812	824	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe	38
PID 824 wrote to memory of 2812	824	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe	38
PID 824 wrote to memory of 2812	824	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe	38
PID 2812 wrote to memory of 2820	2812	cmd.exe	98
PID 2812 wrote to memory of 2820	2812	cmd.exe	98
PID 2812 wrote to memory of 2820	2812	cmd.exe	98
PID 2812 wrote to memory of 2820	2812	cmd.exe	98
PID 824 wrote to memory of 2764	824	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe	41
PID 824 wrote to memory of 2764	824	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe	41
PID 824 wrote to memory of 2764	824	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe	41
PID 824 wrote to memory of 2764	824	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe	41
PID 824 wrote to memory of 2776	824	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe	42
PID 824 wrote to memory of 2776	824	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe	42
PID 824 wrote to memory of 2776	824	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe	42
PID 824 wrote to memory of 2776	824	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe	42
PID 2776 wrote to memory of 2916	2776	cmd.exe	44
PID 2776 wrote to memory of 2916	2776	cmd.exe	44
PID 2776 wrote to memory of 2916	2776	cmd.exe	44
PID 2776 wrote to memory of 2916	2776	cmd.exe	44
PID 824 wrote to memory of 2632	824	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe	149
PID 824 wrote to memory of 2632	824	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe	149
PID 824 wrote to memory of 2632	824	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe	149
PID 824 wrote to memory of 2632	824	02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe	149
PID 2632 wrote to memory of 2692	2632	cmd.exe	150
PID 2632 wrote to memory of 2692	2632	cmd.exe	150
PID 2632 wrote to memory of 2692	2632	cmd.exe	150
PID 2632 wrote to memory of 2692	2632	cmd.exe	150
PID 2764 wrote to memory of 1152	2764	taut.exe	19
PID 2764 wrote to memory of 1152	2764	taut.exe	19
PID 2764 wrote to memory of 1152	2764	taut.exe	19
PID 2764 wrote to memory of 1152	2764	taut.exe	19
PID 2764 wrote to memory of 1152	2764	taut.exe	19
PID 2764 wrote to memory of 1276	2764	taut.exe	20
PID 2764 wrote to memory of 1276	2764	taut.exe	20
PID 2764 wrote to memory of 1276	2764	taut.exe	20
PID 2764 wrote to memory of 1276	2764	taut.exe	20
PID 2764 wrote to memory of 1276	2764	taut.exe	20
PID 2764 wrote to memory of 1308	2764	taut.exe	21
PID 2764 wrote to memory of 1308	2764	taut.exe	21
PID 2764 wrote to memory of 1308	2764	taut.exe	21
PID 2764 wrote to memory of 1308	2764	taut.exe	21
PID 2764 wrote to memory of 1308	2764	taut.exe	21
PID 2764 wrote to memory of 1596	2764	taut.exe	25
PID 2764 wrote to memory of 1596	2764	taut.exe	25
PID 2764 wrote to memory of 1596	2764	taut.exe	25
PID 2764 wrote to memory of 1596	2764	taut.exe	25
PID 2764 wrote to memory of 1596	2764	taut.exe	25

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1152

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1276

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1308
- C:\Users\Admin\AppData\Local\Temp\02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\02b5448c5b94cdccba39e558edc244f4_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:824
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /fi "imagename eq RapportMgmtService.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2448
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /fi "imagename eq RapportMgmtService.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1660
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /fi "imagename eq RapportMgmtService.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2820
- - C:\Users\Admin\AppData\Roaming\Igqaz\taut.exe
    "C:\Users\Admin\AppData\Roaming\Igqaz\taut.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:1728
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2516
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2712
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2452
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3016
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:1960
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:832
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1708
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2508
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2156
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2932
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2420
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:1068
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2948
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:708
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1660
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2820
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2336
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1120
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:1832
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:1864
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:3028
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:288
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2888
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2880
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:860
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2852
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:1828
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:992
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:1756
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1872
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2284
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2168
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1612
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1068
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2280
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2676
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2632
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:1188
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:536
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2452
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:348
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2872
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2896
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2416
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:1756
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2080
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1620
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:572
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2800
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:1392
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2036
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:288
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2964
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2136
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2860
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:1080
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2284
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:272
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:1620
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2672
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:1284
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:1448
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:1784
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2016
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        
        PID:2892
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1216
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        
        PID:1028
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1628
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1972
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2856
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:2992
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1540
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        
        PID:2008
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:1880
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        
        PID:1700
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2096
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        
        PID:2080
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2460
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2652
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2280
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:2644
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2800
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        
        PID:2624
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2756
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        
        PID:2488
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:1476
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        
        PID:1204
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2748
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        
        PID:2880
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:1216
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        
        PID:2900
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:1236
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:1972
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2728
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        
        PID:1184
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:1896
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        
        PID:2740
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2164
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        
        PID:2156
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2372
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        
        PID:1736
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2448
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        
        PID:2368
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2408
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2420
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2904
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        
        PID:1616
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2808
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        
        PID:2820
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:1620
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2244
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        
        PID:3024
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1188
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        
        PID:2592
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2552
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2736
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        
        PID:2040
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2696
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2884
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:628
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        
        PID:1904
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2868
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        
        PID:1028
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:664
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        
        PID:680
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1456
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        
        PID:1524
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:896
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        
        PID:1184
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:1496
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        
        PID:1544
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:1752
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        
        PID:1956
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:1080
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        
        PID:864
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2448
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        
        PID:2096
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2408
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        
        PID:2716
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2784
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        
        PID:924
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:572
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        
        PID:1484
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2280
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        
        PID:1284
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1324
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        
        PID:1748
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1672
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        
        PID:2520
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:1908
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        
        PID:2452
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2376
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:2616
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2504
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        
        PID:832
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:1096
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        
        PID:1576
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:1468
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        
        PID:1740
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:1956
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        
        PID:2164
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1080
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        
        PID:2020
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2044
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        
        PID:708
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:772
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2280
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        
        PID:2624
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:760
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        
        PID:2800
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:3032
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        
        PID:1076
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2484
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        
        PID:1964
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:1960
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:1488
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2728
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2724
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        
        PID:872
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:1468
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        
        PID:1060
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2236
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:2572
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2648
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        
        PID:2932
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2460
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        
        PID:708
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2600
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        
        PID:2968
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:3056
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        
        PID:1968
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2332
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        
        PID:1176
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2428
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:2640
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:1672
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        
        PID:2944
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:1020
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        Kills process with taskkill
        
        PID:2852
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:564
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:680
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2416
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:2508
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2156
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:872
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
      4⤵
      PID:2364
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /fi "imagename eq RapportMgmtService.exe"
        5⤵
        
        PID:2164
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /fi "imagename eq RapportMgmtService.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /fi "imagename eq RapportMgmtService.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C taskkill /f /fi "imagename eq RapportMgmtService.exe" > nul
    3⤵
    PID:288
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /fi "imagename eq RapportMgmtService.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2272
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp7e7279e5.bat"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2240

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "256608954-1032204409142894421519826942862070593167243609746-1528190033-1065295877"
1⤵
PID:1736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "142183646619497042211841419368-20105603951321691381416504600-1077356810-825505670"
1⤵
PID:2596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1320192192-1826954927-413997296-7905529168658373312094096217933602338-1381973590"
1⤵
PID:2748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1584442115-67183023-1804451462062622582-1699294871-148826988419803966982086874996"
1⤵
PID:2008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1236364014-1116087980-151514926071398340514750433181264501168935468673-1951888799"
1⤵
PID:2100

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "863987610-1016472450-16744041991646243098730953418333857761811495525-930738318"
1⤵
PID:880

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "442149626448804076-9424897121630910254197506369711222216841797747056-1892853314"
1⤵
PID:1932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "33507536011448685481328854846-1509776608193115027113283011263986561531063408294"
1⤵
PID:2816

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1314249062-1255710346-1987769686249276713-1101168841-187669501910370100891832496068"
1⤵
PID:2736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1229826497-642057734-1535594253-1949015272-966437266-794132754-6121958-935294728"
1⤵
PID:1204

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "92740101820844764418739305402087695144-1721335180-1380583598374075904-1020837723"
1⤵
PID:2116

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "845705108-2593465011030644989447723317-1885928904-93858775621300245831061546247"
1⤵
PID:2084

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20879255581752680236-1784253722440932039191203769147779110815545511021400629801"
1⤵
PID:1424

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-674530769-9908822412102228724-676989320-15191409951846817611-900687019-955780927"
1⤵
PID:2432

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-116906871918296169131981209293-1024147441372238271292803905184200709261044669"
1⤵
PID:2692

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1841861412794818277-1650464043-17342589681439579666-707907027-1940128635-2112764763"
1⤵
PID:1120

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-871181301-20860120751336019783667019774-118632676720332109612931480161832930288"
1⤵
PID:3012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-467621868-3932066861516520052858830776-412337816-1947109656382016321263704037"
1⤵
PID:1412

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1186811461-263578679-298068119214808702-1182615807611399726425056828478931695"
1⤵
PID:2640

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-74571461316515193969558936191848808602-20305404667125292052119349578-578960014"
1⤵
PID:2508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "18473937251585857829-265205828-1360496683824401012-768571225-8303488721164665224"
1⤵
PID:2084

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1735412044-15755769756440382851923515095-66489259396222764-1754161152-1287794914"
1⤵
PID:1240

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1225157670-593487269822772992396418325-1207574807-1422315391-1543583430-1678375722"
1⤵
PID:2732

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1693310516787315094304563542-12320700151626817382064980643-7790120561000862197"
1⤵
PID:2704

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3731179631095198211342943851531191140-94699596-527575873475809447955360073"
1⤵
PID:628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "896947945-1931176703-564546098-179070367318262740411069470748-477613278-581967568"
1⤵
PID:2560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3155821121938535766189204827011608013921741399282-925008113-786587473-17449718"
1⤵
PID:2164

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4692564191903762729341276219-1603670487766497968621357340-411947171-150940202"
1⤵
PID:3060

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2439334142129954870-18319362547410935271261912463-1020896961-57597261094720301"
1⤵
PID:2968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2582396901170698188185233566-1222766565112263648-1207812894582110554-1034546806"
1⤵
PID:1120

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "417886667-18769985142137948420-464138339-17201790501297273268427814-53870270"
1⤵
PID:1800

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "463739487-180441747412801809581875732399-17771022511263711279338217951-1001742581"
1⤵
PID:2884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-548358886-1131844342-1585066934-19459707161967702972-1729998456-956099858-1622503438"
1⤵
PID:2728

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1528574739-666306273-870705499-277879609-1954716314-98375175014861323931467024913"
1⤵
PID:444

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1481190186860499785-2100266601-1483349891-1670819062-1452592941481154057603564748"
1⤵
PID:2060

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2023540591364547572-1726570608111568444021627376-1913573872-93742151844348653"
1⤵
PID:1932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "640140686-99709556-114875014-907279782-24706530846192147-848406316413072555"
1⤵
PID:1688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1375550694-388799222-328517113-45048409818118579731489272658-1917375326935170339"
1⤵
PID:1912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "883579964-42698869731556460616283248972060304404762990840852230427-519422251"
1⤵
PID:2888

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1950649152-2079944823-1760622302074669983-1486812030-1420109859-1263763661873754403"
1⤵
PID:1976

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "167121336258894592704429051-1056020313-18738764731677536995943732221144046485"
1⤵
PID:1988

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1640649567-1831620505401353129-17553464561464616652419622468494790-1345634414"
1⤵
PID:2544

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "90846708-655186264-918039510166735197268819858120743238071144521598695022924"
1⤵
PID:2760

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "400687091-751942820-1369335651731750060-444536782-8544220225521867961311010312"
1⤵
PID:1032

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "652071959945998643-877914476-761739596-1782524831322831009-1366669595-1960364786"
1⤵
PID:2888

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20196585761693231532-2115134015-495020923-197760338019333072244849751001575881783"
1⤵
PID:2180

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-140693871618979920751953474291549203117986153668-8926785001745581828230316711"
1⤵
PID:1880

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17770940942026395703-150762367-565869807043116213594485681477547581-463624550"
1⤵
PID:944

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1899631038-131488464-1708434829-4829501-11217965701247312359-2733668041521010538"
1⤵
PID:3052

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-680856630-2059006837-781745516-278284462-1928823181903876414576355718378397894"
1⤵
PID:2752

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "897497289157189379616239987512258281551073780157-20709618851926012445-80799342"
1⤵
PID:1120

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-278092745-102603439820809259651825053951618281533858286295612334294-1909936786"
1⤵
PID:1528

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9808701251232105295-2123524374-207295490983138770265666997-784055492289275176"
1⤵
PID:1216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7475388091260175651285391422-2034576323-810526466405434237-1708869839-1518742343"
1⤵
PID:1256

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1254797664-2146144354-232170217-169572058496971125-1036260247-1143506118-680786626"
1⤵
PID:1880

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "196034086356009032315613035721066245509-1283250542-84198683316705297672116959711"
1⤵
PID:2936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-775113246-177627169-149633354413689542871342458101-370568084141491960250370578"
1⤵
PID:496

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "513044151-191968396675705277198142830-113433025-980269813-982765015-1095183620"
1⤵
PID:2264

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-227799216867893788392657841576965963613153061176738875620761781-324190903"
1⤵
PID:1120

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2065324143-16184876922067682532291190840186956873664771161998204354765180360"
1⤵
PID:2620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "6114086071569338350456273479-1293444044627633896770613743-69529828116428142"
1⤵
PID:2892

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1692138787-87296421-1449421166741591254603250974336553336-8722466991972896803"
1⤵
PID:1256

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "472510643-152837642610322069171903655417183749393-1290608821453383492-1317585964"
1⤵
PID:2240

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-303885487-180252135531277030210543916752080140757-163372209813703391862077840825"
1⤵
PID:2448

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1222413946-189796337916803630271511155257105603946-18727306401069159052-1157119795"
1⤵
PID:2676

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1975621092-329584920-20944757193523877229227816564099117657714192041549347955"
1⤵
PID:1892

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-354336725-19143196281037069308-408108413-1820800989196068719218745238541932181913"
1⤵
PID:3020

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "569862857-634249476852531371-306274399460117005-1090128628-1721130421471541827"
1⤵
PID:2040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "650211564885399757-1286848956314071931-974442396-1647022887-1436189344-381159554"
1⤵
PID:2316

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1756857025-1789645029189421242750178070-51757308-522396351-674842315-679172121"
1⤵
PID:1884

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "655970872-106039357118952883721893790548-2138264606-1534115448-21096750031001448860"
1⤵
PID:580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials in Registry

T1552.002

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7e7279e5.bat

Filesize
271B

MD5
9484d76f21e985f58819f6d968a42fca

SHA1
c6687ec81af4fb0d0c6e74fad9b0516507189aba

SHA256
f48e88d9f03cbff66a4d680e65bffe0ed353bacf57b4a313fe9efcb725db6d1f

SHA512
33eb9a74299b8d8118e55f0b5f080230cdc2a18453badd8c67cba7a685b502f22d30742bb7853761f027e8658d0a1b13a7e8a0dad197ebd455c7aa2fd759dc02

Download Submit
C:\Users\Admin\AppData\Roaming\Igqaz\taut.exe

Filesize
195KB

MD5
811a5cd42b3b5d7361643ec420904764

SHA1
5b583b7feba7696e56cf8976316a4eff83984b92

SHA256
fb1a45f973804937903b0b3ca96122923ca7e03c9f3a0d0f0a19d27e6bdf23c6

SHA512
f994552c14a5d06cc45c33b3fb359d840b2044e72367c5f16c64b3fe7b33aad175b7fc38a2bf369d80050c4d9b168e1cb864acf6cef5f718dd86d2767babff2c

Download Submit
memory/824-70-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/824-3-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/824-0-0x000000000042A000-0x000000000042D000-memory.dmp

Filesize
12KB

Download
memory/824-64-0x0000000000260000-0x0000000000288000-memory.dmp

Filesize
160KB

Download
memory/824-65-0x0000000000260000-0x0000000000288000-memory.dmp

Filesize
160KB

Download
memory/824-62-0x0000000000260000-0x0000000000288000-memory.dmp

Filesize
160KB

Download
memory/824-60-0x0000000000260000-0x0000000000288000-memory.dmp

Filesize
160KB

Download
memory/824-58-0x0000000000260000-0x0000000000288000-memory.dmp

Filesize
160KB

Download
memory/824-56-0x0000000000260000-0x0000000000288000-memory.dmp

Filesize
160KB

Download
memory/824-1-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/824-76-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/824-74-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/824-72-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/824-2-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/824-68-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/824-67-0x0000000000260000-0x0000000000288000-memory.dmp

Filesize
160KB

Download
memory/824-187-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1152-22-0x0000000000290000-0x00000000002B8000-memory.dmp

Filesize
160KB

Download
memory/1152-20-0x0000000000290000-0x00000000002B8000-memory.dmp

Filesize
160KB

Download
memory/1152-18-0x0000000000290000-0x00000000002B8000-memory.dmp

Filesize
160KB

Download
memory/1152-16-0x0000000000290000-0x00000000002B8000-memory.dmp

Filesize
160KB

Download
memory/1152-14-0x0000000000290000-0x00000000002B8000-memory.dmp

Filesize
160KB

Download
memory/1276-32-0x0000000001EA0000-0x0000000001EC8000-memory.dmp

Filesize
160KB

Download
memory/1276-26-0x0000000001EA0000-0x0000000001EC8000-memory.dmp

Filesize
160KB

Download
memory/1276-28-0x0000000001EA0000-0x0000000001EC8000-memory.dmp

Filesize
160KB

Download
memory/1276-30-0x0000000001EA0000-0x0000000001EC8000-memory.dmp

Filesize
160KB

Download
memory/1308-36-0x0000000002A50000-0x0000000002A78000-memory.dmp

Filesize
160KB

Download
memory/1308-38-0x0000000002A50000-0x0000000002A78000-memory.dmp

Filesize
160KB

Download
memory/1308-40-0x0000000002A50000-0x0000000002A78000-memory.dmp

Filesize
160KB

Download
memory/1308-42-0x0000000002A50000-0x0000000002A78000-memory.dmp

Filesize
160KB

Download
memory/1596-50-0x0000000001FF0000-0x0000000002018000-memory.dmp

Filesize
160KB

Download
memory/1596-46-0x0000000001FF0000-0x0000000002018000-memory.dmp

Filesize
160KB

Download
memory/1596-48-0x0000000001FF0000-0x0000000002018000-memory.dmp

Filesize
160KB

Download
memory/1596-52-0x0000000001FF0000-0x0000000002018000-memory.dmp

Filesize
160KB

Download