Analysis

  • max time kernel
    147s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    21-12-2024 21:21

General

  • Target

    JaffaCakes118_bd2cc74019219b90f0fc61fde3275c861686a875ea4b367be25b7d1a36bb7eb8.exe

  • Size

    1.3MB

  • MD5

    ca00d75fa2f031429cd175b8b7d52d99

  • SHA1

    c275a7fa05d4ea6c60a08cc816f40591d521ce57

  • SHA256

    bd2cc74019219b90f0fc61fde3275c861686a875ea4b367be25b7d1a36bb7eb8

  • SHA512

    50b3052283cee67726e61c4308d08f37a512ea2a1d00e7ca0fd5dd9f4e412ca608044828a95ebcb0bb893a1de69d9fae7e0a299fef667b5ee66a51b5377ade31

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 33 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
  • Drops file in Program Files directory 19 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bd2cc74019219b90f0fc61fde3275c861686a875ea4b367be25b7d1a36bb7eb8.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bd2cc74019219b90f0fc61fde3275c861686a875ea4b367be25b7d1a36bb7eb8.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2792
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2184
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2984
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2316
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2472
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2100
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2808
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h7CoQcyUo6.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2320
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2016
              • C:\providercommon\DllCommonsvc.exe
                "C:\providercommon\DllCommonsvc.exe"
                6⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1148
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3068
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\spoolsv.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2176
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2808
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\en-US\csrss.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:580
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2024
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3052
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2252
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\wininit.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2416
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2968
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech\Engines\lsm.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2540
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2068
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2100
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2568
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2016
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\lsm.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2800
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2320
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2228
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2504
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7DiEoI3Zf4.bat"
                  7⤵
                    PID:2096
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      8⤵
                        PID:2772
                      • C:\providercommon\DllCommonsvc.exe
                        "C:\providercommon\DllCommonsvc.exe"
                        8⤵
                        • Executes dropped EXE
                        • Drops file in Program Files directory
                        • Drops file in Windows directory
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2268
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
                          9⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2780
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\assembly\GAC_32\DllCommonsvc.exe'
                          9⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2444
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\Idle.exe'
                          9⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1656
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\spoolsv.exe'
                          9⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2284
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Favorites\Idle.exe'
                          9⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2980
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'
                          9⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2108
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Minesweeper\lsm.exe'
                          9⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1644
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
                          9⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2808
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'
                          9⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2948
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\DllCommonsvc.exe'
                          9⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1768
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\User Account Pictures\csrss.exe'
                          9⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1144
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\System.exe'
                          9⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2424
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V08IpBiAEb.bat"
                          9⤵
                            PID:2156
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              10⤵
                                PID:2440
                              • C:\Users\Public\Favorites\Idle.exe
                                "C:\Users\Public\Favorites\Idle.exe"
                                10⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1552
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CrTeqwt2Oo.bat"
                                  11⤵
                                    PID:1728
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      12⤵
                                        PID:920
                                      • C:\Users\Public\Favorites\Idle.exe
                                        "C:\Users\Public\Favorites\Idle.exe"
                                        12⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:3068
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i0MStmnXAe.bat"
                                          13⤵
                                            PID:2352
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              14⤵
                                                PID:2100
                                              • C:\Users\Public\Favorites\Idle.exe
                                                "C:\Users\Public\Favorites\Idle.exe"
                                                14⤵
                                                • Executes dropped EXE
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:1688
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uSuCPwp4Rh.bat"
                                                  15⤵
                                                    PID:2336
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      16⤵
                                                        PID:1708
                                                      • C:\Users\Public\Favorites\Idle.exe
                                                        "C:\Users\Public\Favorites\Idle.exe"
                                                        16⤵
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2636
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat"
                                                          17⤵
                                                            PID:1964
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              18⤵
                                                                PID:2956
                                                              • C:\Users\Public\Favorites\Idle.exe
                                                                "C:\Users\Public\Favorites\Idle.exe"
                                                                18⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:2832
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RFyBjogktz.bat"
                                                                  19⤵
                                                                    PID:2448
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      20⤵
                                                                        PID:900
                                                                      • C:\Users\Public\Favorites\Idle.exe
                                                                        "C:\Users\Public\Favorites\Idle.exe"
                                                                        20⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:436
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rBMLF9HJtT.bat"
                                                                          21⤵
                                                                            PID:2744
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              22⤵
                                                                                PID:2456
                                                                              • C:\Users\Public\Favorites\Idle.exe
                                                                                "C:\Users\Public\Favorites\Idle.exe"
                                                                                22⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:1576
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHo4kC1bcD.bat"
                                                                                  23⤵
                                                                                    PID:1752
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      24⤵
                                                                                        PID:972
                                                                                      • C:\Users\Public\Favorites\Idle.exe
                                                                                        "C:\Users\Public\Favorites\Idle.exe"
                                                                                        24⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:1944
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2724
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          PID:2760
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2532
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          PID:2356
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2692
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          PID:1060
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2272
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2076
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2480
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2072
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2684
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          PID:976
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\en-US\csrss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:848
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1124
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\en-US\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          PID:1408
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\dllhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          PID:1848
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:972
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2584
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1052
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:680
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:640
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1456
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          PID:2164
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1640
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\wininit.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2020
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\wininit.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1992
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\wininit.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2460
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          PID:472
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2280
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          PID:2360
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\Speech\Engines\lsm.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          PID:2680
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Speech\Engines\lsm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          PID:1748
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Windows\Speech\Engines\lsm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1620
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1608
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1356
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2552
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2144
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2380
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2852
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2720
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2312
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          PID:2848
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2440
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:900
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          PID:2396
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\lsm.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          PID:2092
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\lsm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3040
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\lsm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          PID:2172
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          PID:2764
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2936
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3032
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providercommon\csrss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          PID:2992
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1984
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2356
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2616
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2900
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1916
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\DllCommonsvc.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          PID:2992
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\DllCommonsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2900
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\DllCommonsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          PID:2188
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\Idle.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1620
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\Idle.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          PID:2388
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\Idle.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:780
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\spoolsv.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2552
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2860
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                            PID:1172
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Favorites\Idle.exe'" /f
                                            1⤵
                                              PID:3048
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Favorites\Idle.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2692
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Favorites\Idle.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:368
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /f
                                              1⤵
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2260
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2740
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1292
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Games\Minesweeper\lsm.exe'" /f
                                              1⤵
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1552
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Minesweeper\lsm.exe'" /rl HIGHEST /f
                                              1⤵
                                                PID:2484
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Games\Minesweeper\lsm.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:580
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\providercommon\taskhost.exe'" /f
                                                1⤵
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2640
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2416
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2072
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
                                                1⤵
                                                  PID:1296
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2076
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:1512
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Windows\fr-FR\DllCommonsvc.exe'" /f
                                                  1⤵
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:472
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\fr-FR\DllCommonsvc.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2240
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Windows\fr-FR\DllCommonsvc.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2300
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft\User Account Pictures\csrss.exe'" /f
                                                  1⤵
                                                    PID:2812
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\User Account Pictures\csrss.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2616
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft\User Account Pictures\csrss.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:288
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\Performance\WinSAT\DataStore\System.exe'" /f
                                                    1⤵
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:112
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\System.exe'" /rl HIGHEST /f
                                                    1⤵
                                                      PID:1944
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\WinSAT\DataStore\System.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:3036

                                                    Network

                                                    MITRE ATT&CK Enterprise v15

                                                    Replay Monitor

                                                    Loading Replay Monitor...

                                                    Downloads

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      742d291ebee94790a90cf337524558dc

                                                      SHA1

                                                      0396bc4268fedf01e88d5d7eab3d51c1ef445e40

                                                      SHA256

                                                      3802775e13b7af2b95596a54d1818661f77d2c2689aa67af9a18eeb415de8eed

                                                      SHA512

                                                      33369c3856a1736ace58beb67a52e87844a2dcf17af7e56b1d5a5bac278ffd7f6e2e4c1aad6ad22e41a309c43f22dde8f1e283712921b017b19bdc78a8a5410f

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      b66ae09f465ad889ef00c2a2afeb4ca0

                                                      SHA1

                                                      9f549c7637992bfb79375e249bc727fa2e96c5f3

                                                      SHA256

                                                      67c6d3dc96a2daead9bc81cb91190738cbb2e52e720185e904c8ed4a2d51d887

                                                      SHA512

                                                      19294a2ddcd72f82afec27dc7a89ba39391afad5553b793efcab8b11cd5050d91263ed3a9c6a3ac0c24ade2e2bfdab12b5cbd635aebd875efaa45aac5ffb0e04

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      d421a0217a5cd6b6f4968338b46f9492

                                                      SHA1

                                                      985c9781fce8d3bb17ea1ccfc91727b4b9502877

                                                      SHA256

                                                      042a05b9854a16085af43eec2cb3f2ad8211ec1522a3ce9d80f80eb73bf53b28

                                                      SHA512

                                                      c34eec54905be2b8416b8fe74da9732c2ab9888edbebb3ef51c7d2f378e01ab2598c34041acc2ba7104e4b03299e336b540e249cd7e96b74721aa3e9dadef65a

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      fb84ccedd44bc9671086c4936fe0505b

                                                      SHA1

                                                      4229968f1dbe27d80f969ac07b8b69ff67d38e02

                                                      SHA256

                                                      bb0ecb6d11ab7e5e99c0e3e1e3501f0c01be535a3d1ee42b29af984db1e74305

                                                      SHA512

                                                      6705b74f8741739ccd35c84481fe639bb33a4eeb8ff78e568df14e4585b425edbad9c30446c5c83947e31d6daef6b5b7aacdd326b3939f903abe13fcb0026607

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      1fb7c4a27b9e226dba5197f7d504ac74

                                                      SHA1

                                                      0b9f5afab6be94b61b07108a7f5d5e69a3701c6b

                                                      SHA256

                                                      3df289a28c5efd915c4a317374eede706670a5cd55bd53358e56ffd1a42e62e3

                                                      SHA512

                                                      d5e5c3063adc82b40148f528d3b0fab856a62c080ca25ecc0221004e1078210eeeea076fd669aa3afd29804245c025f44c775f94a6265119d736977969d94d41

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      7288a1767038e7d07b4b430a1b14ea0e

                                                      SHA1

                                                      e88a6ff6cc44314d2a45123b573e75f3bb6ffcdb

                                                      SHA256

                                                      0a04e3f3aa4d600f9d9be32dc8ce3f73ca34e546cb8508609088d599302cbf8d

                                                      SHA512

                                                      d06a6575482f90dae7a7da88e3eab696c562666335336aed6dde8cb5b9d7ae15e8de7f1a7f5bf4bb20becc374f7d38a6e93f989513282058015212aa8e4ce596

                                                    • C:\Users\Admin\AppData\Local\Temp\7DiEoI3Zf4.bat

                                                      Filesize

                                                      199B

                                                      MD5

                                                      1e13f330285db262dd5205d7a59ccfb3

                                                      SHA1

                                                      27654908427696f5d9be0c2a676cd80ef4d32b5b

                                                      SHA256

                                                      d4dcbb8a012b93166af93ea35037e337b1f3ceaba90c950fc0a6d5362d1ce09f

                                                      SHA512

                                                      ffd56d71ca1fe04874952fd3a050e9077cb7587e9448b2308cafa49eb82574d0a600e23f9181e9c6aa00364ffbc79aa79cd5c8b8ed2c315ab3d09a9312100ceb

                                                    • C:\Users\Admin\AppData\Local\Temp\Cab1289.tmp

                                                      Filesize

                                                      70KB

                                                      MD5

                                                      49aebf8cbd62d92ac215b2923fb1b9f5

                                                      SHA1

                                                      1723be06719828dda65ad804298d0431f6aff976

                                                      SHA256

                                                      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                      SHA512

                                                      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                    • C:\Users\Admin\AppData\Local\Temp\CrTeqwt2Oo.bat

                                                      Filesize

                                                      199B

                                                      MD5

                                                      a8d5b4568123a045205fd1b9098daca9

                                                      SHA1

                                                      70d539ab90e4faec35c8169b8bca2d32696e444a

                                                      SHA256

                                                      a770c35a9b68d8c49016f3bc5eb2b132bb434acb7a8f55f2405a950ec256ec58

                                                      SHA512

                                                      7106b776e84fe23289bec1f83ebb95ea7759e4fb8e13d75243e503abe2125b7a978a3f9cbe43a25a777824daba2010edd1c9b295eaaea0aa244bac2cd53d6734

                                                    • C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat

                                                      Filesize

                                                      199B

                                                      MD5

                                                      6dd4c42f2a84007b17883875b2775da3

                                                      SHA1

                                                      5c53c562ec90bc613e8b111fd10e278f28062b1c

                                                      SHA256

                                                      f9bb7c60b91736b239bcdb874dbb1bd97aeb03ccfb832725d36a22764e40b8c1

                                                      SHA512

                                                      d42508ab85a463cb8659100f452d059a6aa296defd5a63e5143926f9db6f106244d7288ee2ec4d8460c164b66edd1a6ad7f86f8ecbafd73ab0649d2e3a00948c

                                                    • C:\Users\Admin\AppData\Local\Temp\RFyBjogktz.bat

                                                      Filesize

                                                      199B

                                                      MD5

                                                      858724eec3975ec86de717cb6d59e6f0

                                                      SHA1

                                                      18778365ba4d15462ee4a75876c27f4b43c257c5

                                                      SHA256

                                                      bc46cdd8f34d8b352d290679a5ed062bf3960b05148672a94def2cf5b0f6f5ea

                                                      SHA512

                                                      43b075b0d7dacd56c0c3e331c8cd14519cc237ffdb3e6941ba064b441e5f477743dfc371a0048256af4f1df88b6d63ce762668d8f57215cab7ed8bfa2603dfff

                                                    • C:\Users\Admin\AppData\Local\Temp\Tar1338.tmp

                                                      Filesize

                                                      181KB

                                                      MD5

                                                      4ea6026cf93ec6338144661bf1202cd1

                                                      SHA1

                                                      a1dec9044f750ad887935a01430bf49322fbdcb7

                                                      SHA256

                                                      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                      SHA512

                                                      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                                    • C:\Users\Admin\AppData\Local\Temp\V08IpBiAEb.bat

                                                      Filesize

                                                      199B

                                                      MD5

                                                      d871db91903e94d75e4f3812e94f7f36

                                                      SHA1

                                                      4df5f41c3eccc506ba7aa865eaef4e79c97a750e

                                                      SHA256

                                                      0c3d0768820727f16b71c0396b5e5f977285a91788d1b99d9878f83d02132a6d

                                                      SHA512

                                                      2cf2a4b81c610fc72985dbcc399c5df1b536262145283574a24a0988fefc0609cd2fc5af67e0ad48ce960f603005b1490f1b1a72b38672b08c0a98c2ed817da8

                                                    • C:\Users\Admin\AppData\Local\Temp\h7CoQcyUo6.bat

                                                      Filesize

                                                      199B

                                                      MD5

                                                      4f5b423443cf368cfe00838c0ecf6318

                                                      SHA1

                                                      aa8747a373eef02a58acc63d3e10a552c91ecf02

                                                      SHA256

                                                      3c8c7fe24efb6300ee3e1a722de691454c3a2aadd28a156d3bc026adddb5535c

                                                      SHA512

                                                      53eae0ad78fb7f0221ad0edf78554ac1d1412004183879a25a5e99bf384848aa9ada012c0b7ad9e24b2954c542a857ea40cafa9f3eafdf32543f7edc38c6a525

                                                    • C:\Users\Admin\AppData\Local\Temp\i0MStmnXAe.bat

                                                      Filesize

                                                      199B

                                                      MD5

                                                      3c1911de840cd206132176dfa15ee076

                                                      SHA1

                                                      94e725a96e31353ccdd6af1249abbc8fdcd086b7

                                                      SHA256

                                                      8ac25937c4838074eb3ee7e39921c467a3cb38b5155984a91170418da7b82313

                                                      SHA512

                                                      2b3034e5b9e0191d67c6297f5798a68ec3aaf6434c1253962912e77e85f9171a7d221fa58cc7740a84d49eb22dd985e85ac5e9d4705ddddd2995df72c05f3d19

                                                    • C:\Users\Admin\AppData\Local\Temp\rBMLF9HJtT.bat

                                                      Filesize

                                                      199B

                                                      MD5

                                                      80c707d40b914e16043ec64d3b84c491

                                                      SHA1

                                                      efc9d62f0d0dc1c01aca5b27d7ac5a0774f6d400

                                                      SHA256

                                                      8c6ca5cbdabbbb1dcd204ce26f6f0a8ac0a390e3aa4b1f53929223a023ff8069

                                                      SHA512

                                                      1b2e7195ed9a3abd21d6e5a75dbcef1c9961bd2ab15fe267fd4539adc1d89e8c61416921b23e4b08ac71a545c3de990f1e7843f5ccecd5a2013dde9a802c5e8c

                                                    • C:\Users\Admin\AppData\Local\Temp\uSuCPwp4Rh.bat

                                                      Filesize

                                                      199B

                                                      MD5

                                                      77c1662c6a9ee32f6b7da8f606189451

                                                      SHA1

                                                      e26e7e5f18dce073e7124a6afb1c6d103de4155b

                                                      SHA256

                                                      66e900093d2a2d1ada3adba7cc4e05c6ea6a7f9f77b0a45f8b3f1acda0eafd9d

                                                      SHA512

                                                      01b1c2d3343de6743ebf4729a01784a139dee7e33f86e6e181c5d36e00fe9c64da2086391cfcf7b0ac1e9a468a86d1afcc3e9511cf8bd146dc6d4625b45465d1

                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4ESRGNVEVP52SDI6VKQU.temp

                                                      Filesize

                                                      7KB

                                                      MD5

                                                      4a3d860e31a85d2fa44a6ab4a6d6ad5d

                                                      SHA1

                                                      6d0030d4658c3bd1e69c27dc5089a606bf7a4cab

                                                      SHA256

                                                      5666789e00613478a6b6b6c8cb01c44b28ce05bcbba96e8e24f84e9ff2831df1

                                                      SHA512

                                                      e7b5716979248c0d153bfe4a99c0a72457f662f8233bc6ee17e74edc95c495e6bd806ea041d196e901aece9b393cce4f53c4ad6da53287a8bf7e74e13d9effa2

                                                    • C:\providercommon\1zu9dW.bat

                                                      Filesize

                                                      36B

                                                      MD5

                                                      6783c3ee07c7d151ceac57f1f9c8bed7

                                                      SHA1

                                                      17468f98f95bf504cc1f83c49e49a78526b3ea03

                                                      SHA256

                                                      8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                                      SHA512

                                                      c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                                    • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                      Filesize

                                                      197B

                                                      MD5

                                                      8088241160261560a02c84025d107592

                                                      SHA1

                                                      083121f7027557570994c9fc211df61730455bb5

                                                      SHA256

                                                      2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                                      SHA512

                                                      20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                                    • \providercommon\DllCommonsvc.exe

                                                      Filesize

                                                      1.0MB

                                                      MD5

                                                      bd31e94b4143c4ce49c17d3af46bcad0

                                                      SHA1

                                                      f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                      SHA256

                                                      b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                      SHA512

                                                      f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                                    • memory/436-554-0x0000000001270000-0x0000000001380000-memory.dmp

                                                      Filesize

                                                      1.1MB

                                                    • memory/1552-253-0x0000000000830000-0x0000000000940000-memory.dmp

                                                      Filesize

                                                      1.1MB

                                                    • memory/1576-614-0x0000000000250000-0x0000000000262000-memory.dmp

                                                      Filesize

                                                      72KB

                                                    • memory/1656-229-0x0000000001E60000-0x0000000001E68000-memory.dmp

                                                      Filesize

                                                      32KB

                                                    • memory/1688-374-0x0000000000250000-0x0000000000262000-memory.dmp

                                                      Filesize

                                                      72KB

                                                    • memory/1688-373-0x0000000000DB0000-0x0000000000EC0000-memory.dmp

                                                      Filesize

                                                      1.1MB

                                                    • memory/1944-673-0x00000000002B0000-0x00000000002C2000-memory.dmp

                                                      Filesize

                                                      72KB

                                                    • memory/2176-89-0x00000000023A0000-0x00000000023A8000-memory.dmp

                                                      Filesize

                                                      32KB

                                                    • memory/2176-87-0x000000001B180000-0x000000001B462000-memory.dmp

                                                      Filesize

                                                      2.9MB

                                                    • memory/2316-17-0x0000000000270000-0x000000000027C000-memory.dmp

                                                      Filesize

                                                      48KB

                                                    • memory/2316-16-0x0000000000260000-0x000000000026C000-memory.dmp

                                                      Filesize

                                                      48KB

                                                    • memory/2316-15-0x0000000000250000-0x000000000025C000-memory.dmp

                                                      Filesize

                                                      48KB

                                                    • memory/2316-14-0x0000000000240000-0x0000000000252000-memory.dmp

                                                      Filesize

                                                      72KB

                                                    • memory/2316-13-0x00000000012F0000-0x0000000001400000-memory.dmp

                                                      Filesize

                                                      1.1MB

                                                    • memory/2636-434-0x0000000000380000-0x0000000000490000-memory.dmp

                                                      Filesize

                                                      1.1MB

                                                    • memory/2808-36-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

                                                      Filesize

                                                      32KB

                                                    • memory/2808-35-0x000000001B430000-0x000000001B712000-memory.dmp

                                                      Filesize

                                                      2.9MB

                                                    • memory/2832-494-0x0000000000AC0000-0x0000000000BD0000-memory.dmp

                                                      Filesize

                                                      1.1MB

                                                    • memory/3068-313-0x0000000000350000-0x0000000000362000-memory.dmp

                                                      Filesize

                                                      72KB

                                                    • memory/3068-312-0x0000000000030000-0x0000000000140000-memory.dmp

                                                      Filesize

                                                      1.1MB