Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-12-2024 00:35

General

  • Target

    JaffaCakes118_fa225ad8d86707d63c7b607c5b5068fbbb0ad539d9243397927b439d5f437d97.exe

  • Size

    1.3MB

  • MD5

    7e515e4b394a3a0b27c3f061dd0215ea

  • SHA1

    c3be28953ce77ebc930c774d6ce5110a0696bd7d

  • SHA256

    fa225ad8d86707d63c7b607c5b5068fbbb0ad539d9243397927b439d5f437d97

  • SHA512

    85a563ed0ab056b5e1b720b9dd043c6b3e246a761f099e6dd3b79c0ccb64dada0f916ff7cbc4cd14cabac34941874e326d5aa9db317d2a77bf6b22aa164d2424

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 11 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 35 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
  • Drops file in Program Files directory 23 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa225ad8d86707d63c7b607c5b5068fbbb0ad539d9243397927b439d5f437d97.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fa225ad8d86707d63c7b607c5b5068fbbb0ad539d9243397927b439d5f437d97.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2124
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2004
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2120
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2660
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:796
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1704
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\ja-JP\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:596
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellNew\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1696
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1036
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zSoFCSTtdt.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2752
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:1600
              • C:\providercommon\DllCommonsvc.exe
                "C:\providercommon\DllCommonsvc.exe"
                6⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1044
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2500
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\WmiPrvSE.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1312
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\wininit.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2860
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\smss.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1144
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2028
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:380
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2012
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\de-DE\System.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2428
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\lua\meta\reader\audiodg.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2948
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\DllCommonsvc.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2420
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Contacts\lsass.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2964
                • C:\providercommon\DllCommonsvc.exe
                  "C:\providercommon\DllCommonsvc.exe"
                  7⤵
                  • Executes dropped EXE
                  • Drops file in Program Files directory
                  • Drops file in Windows directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2260
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2372
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\powershell.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2648
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Services\lsass.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1924
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\schtasks.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2924
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\powershell.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1720
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\powershell.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2640
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1144
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1440
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2164
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\powershell.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2876
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dwm.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1636
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\ja-JP\schtasks.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2724
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Links\DllCommonsvc.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1556
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\WmiPrvSE.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1608
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\DllCommonsvc.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2688
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\powershell.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1944
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2740
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2704
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\csrss.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2072
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j9C4kLBHxE.bat"
                    8⤵
                      PID:2980
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        9⤵
                          PID:2800
                        • C:\Users\Admin\Links\DllCommonsvc.exe
                          "C:\Users\Admin\Links\DllCommonsvc.exe"
                          9⤵
                          • Executes dropped EXE
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2076
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BmKXfVMxAz.bat"
                            10⤵
                              PID:536
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                11⤵
                                  PID:2128
                                • C:\Users\Admin\Links\DllCommonsvc.exe
                                  "C:\Users\Admin\Links\DllCommonsvc.exe"
                                  11⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1612
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Or3SRhMf8V.bat"
                                    12⤵
                                      PID:2344
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        13⤵
                                          PID:708
                                        • C:\Users\Admin\Links\DllCommonsvc.exe
                                          "C:\Users\Admin\Links\DllCommonsvc.exe"
                                          13⤵
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:952
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jk1vLt9ke4.bat"
                                            14⤵
                                              PID:2428
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                15⤵
                                                  PID:3024
                                                • C:\Users\Admin\Links\DllCommonsvc.exe
                                                  "C:\Users\Admin\Links\DllCommonsvc.exe"
                                                  15⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2704
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FIx4sKIZfl.bat"
                                                    16⤵
                                                      PID:2664
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        17⤵
                                                          PID:1148
                                                        • C:\Users\Admin\Links\DllCommonsvc.exe
                                                          "C:\Users\Admin\Links\DllCommonsvc.exe"
                                                          17⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:536
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Or3SRhMf8V.bat"
                                                            18⤵
                                                              PID:908
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                19⤵
                                                                  PID:2432
                                                                • C:\Users\Admin\Links\DllCommonsvc.exe
                                                                  "C:\Users\Admin\Links\DllCommonsvc.exe"
                                                                  19⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2676
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat"
                                                                    20⤵
                                                                      PID:2692
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        21⤵
                                                                          PID:2056
                                                                        • C:\Users\Admin\Links\DllCommonsvc.exe
                                                                          "C:\Users\Admin\Links\DllCommonsvc.exe"
                                                                          21⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:1800
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p6CE4ikEee.bat"
                                                                            22⤵
                                                                              PID:648
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                23⤵
                                                                                  PID:2372
                                                                                • C:\Users\Admin\Links\DllCommonsvc.exe
                                                                                  "C:\Users\Admin\Links\DllCommonsvc.exe"
                                                                                  23⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:584
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CL2HVdYORd.bat"
                                                                                    24⤵
                                                                                      PID:2632
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        25⤵
                                                                                          PID:1920
                                                                                        • C:\Users\Admin\Links\DllCommonsvc.exe
                                                                                          "C:\Users\Admin\Links\DllCommonsvc.exe"
                                                                                          25⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:1760
                                                                                          • C:\Windows\System32\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p8yPRkR6MR.bat"
                                                                                            26⤵
                                                                                              PID:2312
                                                                                              • C:\Windows\system32\w32tm.exe
                                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                27⤵
                                                                                                  PID:2572
                                                                                                • C:\Users\Admin\Links\DllCommonsvc.exe
                                                                                                  "C:\Users\Admin\Links\DllCommonsvc.exe"
                                                                                                  27⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:1504
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2728
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1344
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              PID:2592
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\dwm.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              PID:2680
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\dwm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              PID:2580
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\dwm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2632
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellNew\wininit.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2972
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\ShellNew\wininit.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2224
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellNew\wininit.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              PID:1936
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\providercommon\explorer.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              PID:1792
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1684
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2492
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1368
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3064
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1800
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\system\wininit.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:108
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\system\wininit.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3056
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\system\wininit.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1812
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\smss.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2184
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\smss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              PID:2276
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\smss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              PID:1156
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\providercommon\explorer.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1656
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1004
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:896
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              PID:1960
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2440
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:936
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1736
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2452
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2268
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\de-DE\System.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2848
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\de-DE\System.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2004
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\de-DE\System.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              PID:2800
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\lua\meta\reader\audiodg.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              PID:2676
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\meta\reader\audiodg.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              PID:2740
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\lua\meta\reader\audiodg.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2572
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\DllCommonsvc.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1992
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2360
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              PID:1148
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Contacts\lsass.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2832
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2632
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Contacts\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1288
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\powershell.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2648
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\powershell.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              PID:2876
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\powershell.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2844
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Services\lsass.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              PID:1592
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              PID:1692
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\Services\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2720
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 14 /tr "'C:\providercommon\schtasks.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              PID:1932
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\providercommon\schtasks.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              PID:2880
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 11 /tr "'C:\providercommon\schtasks.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              PID:3012
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\powershell.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              PID:2728
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Public\Music\powershell.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              PID:2900
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\powershell.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              PID:2444
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\powershell.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3008
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\powershell.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2224
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\powershell.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1716
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              PID:1408
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1704
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1980
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2272
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              PID:1852
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              PID:1664
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2892
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
                                              1⤵
                                                PID:2264
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1820
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\powershell.exe'" /f
                                                1⤵
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2556
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\powershell.exe'" /rl HIGHEST /f
                                                1⤵
                                                  PID:2988
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\powershell.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:700
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dwm.exe'" /f
                                                  1⤵
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:276
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dwm.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2632
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dwm.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2740
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\schtasks.exe'" /f
                                                  1⤵
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2644
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\schtasks.exe'" /rl HIGHEST /f
                                                  1⤵
                                                  • Scheduled Task/Job: Scheduled Task
                                                  PID:2032
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\schtasks.exe'" /rl HIGHEST /f
                                                  1⤵
                                                    PID:2076
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Links\DllCommonsvc.exe'" /f
                                                    1⤵
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1288
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Admin\Links\DllCommonsvc.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1916
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Links\DllCommonsvc.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1628
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\ModemLogs\WmiPrvSE.exe'" /f
                                                    1⤵
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1580
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\ModemLogs\WmiPrvSE.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:2776
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Windows\ModemLogs\WmiPrvSE.exe'" /rl HIGHEST /f
                                                    1⤵
                                                    • Scheduled Task/Job: Scheduled Task
                                                    PID:1492
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\DllCommonsvc.exe'" /f
                                                    1⤵
                                                      PID:484
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\DllCommonsvc.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:1012
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\DllCommonsvc.exe'" /rl HIGHEST /f
                                                      1⤵
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:2368
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\powershell.exe'" /f
                                                      1⤵
                                                      • Scheduled Task/Job: Scheduled Task
                                                      PID:964
                                                    • C:\Windows\system32\schtasks.exe
                                                      schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\powershell.exe'" /rl HIGHEST /f
                                                      1⤵
                                                        PID:2012
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\powershell.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1676
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\providercommon\services.exe'" /f
                                                        1⤵
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2896
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1028
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
                                                        1⤵
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:1104
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe'" /f
                                                        1⤵
                                                          PID:1596
                                                        • C:\Windows\system32\schtasks.exe
                                                          schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe'" /rl HIGHEST /f
                                                          1⤵
                                                            PID:2608
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:2460
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /f
                                                            1⤵
                                                              PID:2420
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Scheduled Task/Job: Scheduled Task
                                                              PID:1812
                                                            • C:\Windows\system32\schtasks.exe
                                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
                                                              1⤵
                                                              • Scheduled Task/Job: Scheduled Task
                                                              PID:2000

                                                            Network

                                                            MITRE ATT&CK Enterprise v15

                                                            Replay Monitor

                                                            Loading Replay Monitor...

                                                            Downloads

                                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                              Filesize

                                                              342B

                                                              MD5

                                                              d58ef5863f93a5aa74f9396a90fc9d22

                                                              SHA1

                                                              0f34a47e3e0496484c076077e861a6e73ae90b75

                                                              SHA256

                                                              5a6d9f863f9599299f9373ef264fd028df47b4d588391b30f4288ec6c21c104d

                                                              SHA512

                                                              017fec922cc2ce9fe276940bf01867fa378f31d5d93fe7362b759a7c36cf100f45fe034def1537fa1af536583b87bbca3e8a5c8209c57e53c01a843b5586253d

                                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                              Filesize

                                                              342B

                                                              MD5

                                                              aab8ffcfdfe755ad1a883bca3ed1b876

                                                              SHA1

                                                              f9a7f41a8b9a16bf164d42e5ac34909cac94b1f6

                                                              SHA256

                                                              a3ad62fd684d5d8e35ea2851bb4372aa869393eba4958d0715920c02321bdf36

                                                              SHA512

                                                              1cbd3679b7c1f3baa76968f7f55167025cfd4fae760ddc419e2e85cdc1c150dce8bbd6f97757ae6bdb04138a9dc1f3b6ce23ef5d4f61d1b38a32e1483bde274b

                                                            • C:\Users\Admin\AppData\Local\Temp\BmKXfVMxAz.bat

                                                              Filesize

                                                              202B

                                                              MD5

                                                              d4f7a84e8cb6dfed53364a96879662ff

                                                              SHA1

                                                              d28e8ae93fb926e178795790b5dd6c03916bca48

                                                              SHA256

                                                              80d3bbbf7e193c4af8c3fa6a265c2dcfbba9a296db91a358c7fd71d47bb8c345

                                                              SHA512

                                                              f8577f27d3d28c3a2a5e24e0ba702a59e852a589f23fcdcee8646ea41ab2eadc8ceec121c645abfa4f0607978bd98bb5eb8cb60c331a4fb2160e963cae72ad37

                                                            • C:\Users\Admin\AppData\Local\Temp\Cab6145.tmp

                                                              Filesize

                                                              70KB

                                                              MD5

                                                              49aebf8cbd62d92ac215b2923fb1b9f5

                                                              SHA1

                                                              1723be06719828dda65ad804298d0431f6aff976

                                                              SHA256

                                                              b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                              SHA512

                                                              bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                            • C:\Users\Admin\AppData\Local\Temp\Jk1vLt9ke4.bat

                                                              Filesize

                                                              202B

                                                              MD5

                                                              e1327ed8833a7f2287195d11860aa218

                                                              SHA1

                                                              5d7209a05483a4eb13de4b8698511460b00db23c

                                                              SHA256

                                                              c28199fe823e36a6fd58f4d9cb43bd9ec0198228d1136ba1a6dc1b0846347535

                                                              SHA512

                                                              71e34d37fc3cb5c74d09a9453eb371364e9bc427fdc343874513161492edb3e8f906dec90eecb51f09286920e1b9e6ffc5b4660bc47de9b4666a6421ea29b952

                                                            • C:\Users\Admin\AppData\Local\Temp\Or3SRhMf8V.bat

                                                              Filesize

                                                              202B

                                                              MD5

                                                              b7b5f5bce77a375a51b2558321215f98

                                                              SHA1

                                                              c2134a755d88a34793c2a595272453a97f9ceafc

                                                              SHA256

                                                              94077059f89c5c8e5f536fcedb2d8c4311ad261032e0efdce6ad46bb943d3601

                                                              SHA512

                                                              c0f9f42245800cd5d11636c249184409587767127bb7781b4dcc742657422a43e8c007b0a4a7e1eee002d97b9e26877b1f2e57455fead137df29f7900ba55c1b

                                                            • C:\Users\Admin\AppData\Local\Temp\Tar6157.tmp

                                                              Filesize

                                                              181KB

                                                              MD5

                                                              4ea6026cf93ec6338144661bf1202cd1

                                                              SHA1

                                                              a1dec9044f750ad887935a01430bf49322fbdcb7

                                                              SHA256

                                                              8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                              SHA512

                                                              6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                                            • C:\Users\Admin\AppData\Local\Temp\j9C4kLBHxE.bat

                                                              Filesize

                                                              202B

                                                              MD5

                                                              fd44b37fce364953fce7d16f3297ac53

                                                              SHA1

                                                              540c9c9f0fa955ba441597460a37681f8268571b

                                                              SHA256

                                                              fc4b0cafe2619b4181b56a46cc5fdf4c430a6da94c93653219c6e3faf13c0432

                                                              SHA512

                                                              8a95a0bb759fbcb665ff23983b1f52bd6975c36c0c66cd1e810c72583fa9846d27c4ca71370bc841773e21c95fbbb3125dd7c52fb885f178afa27fd36afce379

                                                            • C:\Users\Admin\AppData\Local\Temp\zSoFCSTtdt.bat

                                                              Filesize

                                                              199B

                                                              MD5

                                                              162372895978540278f2afec2bd77370

                                                              SHA1

                                                              8e4dcab9d383a2d77c24d6cf251fb3f5ec78bc1d

                                                              SHA256

                                                              718dc96f3aec911b8a504e3e0c41cb0c29e54cace7a806d885ab83b0f8350d04

                                                              SHA512

                                                              8c595d782fb49232e99c41c961906badef2af5b776eb89b38a51d0eee2608c1876c34d6bc82cd2aa6acd72fa99b215a817a626029f9997f4ecec09593f380479

                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                              Filesize

                                                              7KB

                                                              MD5

                                                              6e6b2f30916664d87d3c6d9d24990bce

                                                              SHA1

                                                              0aef0ca8225d3076a1275f1d16f992a7593bbb8a

                                                              SHA256

                                                              5add1218df45908f619a9e078fbf219021e23335000ab73bdd30bed058996ed0

                                                              SHA512

                                                              0218240fccea5f7233b56ee8c9707a270b8e24d1b3b03ede3a8b693459797c47ed443e0c35364ada9286ad5ab988e7524d6873ccffa55c2d4f8288c31d056934

                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                              Filesize

                                                              7KB

                                                              MD5

                                                              2eb5a7ed8722f9d506515cc552ca9749

                                                              SHA1

                                                              ec87a5679767e798986796ca383445a01bae5172

                                                              SHA256

                                                              b8fd70ffbb3bb111aa57fe1cf3a7318c12f957c4442a49454e8fa6b613de3ff6

                                                              SHA512

                                                              e6c81be4c82ee8845d26d4d423759f23f64e4eb3339497d261ae7777fdd9e2e78236f29d2129914cf13de5f01182794b4a3e010ff19f6efb5194d782d8ec4f65

                                                            • C:\providercommon\1zu9dW.bat

                                                              Filesize

                                                              36B

                                                              MD5

                                                              6783c3ee07c7d151ceac57f1f9c8bed7

                                                              SHA1

                                                              17468f98f95bf504cc1f83c49e49a78526b3ea03

                                                              SHA256

                                                              8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                                              SHA512

                                                              c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                                            • C:\providercommon\7a0fd90576e088

                                                              Filesize

                                                              650B

                                                              MD5

                                                              eed8c83075165851a28c92428b59dcff

                                                              SHA1

                                                              382119360d908ad764b3bd741f3a14eb6c4ebb73

                                                              SHA256

                                                              37b2a2122c31b51c4b1d35f0388a129a892c70327e5c568d1ea512b6a583394f

                                                              SHA512

                                                              ac2c681596c65ca230b023cb83fc72584a2cd5e3f95270362d2ba1e15a607f9e23da3d22f5c0d44515ce7eb24f72b83db52591a504dde85315c9b03df08c94e6

                                                            • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                              Filesize

                                                              197B

                                                              MD5

                                                              8088241160261560a02c84025d107592

                                                              SHA1

                                                              083121f7027557570994c9fc211df61730455bb5

                                                              SHA256

                                                              2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                                              SHA512

                                                              20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                                            • \providercommon\DllCommonsvc.exe

                                                              Filesize

                                                              1.0MB

                                                              MD5

                                                              bd31e94b4143c4ce49c17d3af46bcad0

                                                              SHA1

                                                              f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                              SHA256

                                                              b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                              SHA512

                                                              f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                                            • memory/380-91-0x000000001B760000-0x000000001BA42000-memory.dmp

                                                              Filesize

                                                              2.9MB

                                                            • memory/380-93-0x0000000001D80000-0x0000000001D88000-memory.dmp

                                                              Filesize

                                                              32KB

                                                            • memory/536-516-0x0000000000200000-0x0000000000310000-memory.dmp

                                                              Filesize

                                                              1.1MB

                                                            • memory/584-687-0x00000000001A0000-0x00000000002B0000-memory.dmp

                                                              Filesize

                                                              1.1MB

                                                            • memory/952-397-0x0000000000350000-0x0000000000460000-memory.dmp

                                                              Filesize

                                                              1.1MB

                                                            • memory/952-398-0x0000000000340000-0x0000000000352000-memory.dmp

                                                              Filesize

                                                              72KB

                                                            • memory/1504-802-0x0000000001350000-0x0000000001460000-memory.dmp

                                                              Filesize

                                                              1.1MB

                                                            • memory/1704-44-0x00000000020C0000-0x00000000020C8000-memory.dmp

                                                              Filesize

                                                              32KB

                                                            • memory/1704-34-0x000000001B670000-0x000000001B952000-memory.dmp

                                                              Filesize

                                                              2.9MB

                                                            • memory/1760-745-0x00000000002D0000-0x00000000002E2000-memory.dmp

                                                              Filesize

                                                              72KB

                                                            • memory/1760-744-0x00000000002E0000-0x00000000003F0000-memory.dmp

                                                              Filesize

                                                              1.1MB

                                                            • memory/1800-630-0x0000000000D70000-0x0000000000E80000-memory.dmp

                                                              Filesize

                                                              1.1MB

                                                            • memory/2076-278-0x0000000001310000-0x0000000001420000-memory.dmp

                                                              Filesize

                                                              1.1MB

                                                            • memory/2076-279-0x0000000000330000-0x0000000000342000-memory.dmp

                                                              Filesize

                                                              72KB

                                                            • memory/2660-14-0x00000000003C0000-0x00000000003D2000-memory.dmp

                                                              Filesize

                                                              72KB

                                                            • memory/2660-15-0x00000000003D0000-0x00000000003DC000-memory.dmp

                                                              Filesize

                                                              48KB

                                                            • memory/2660-16-0x00000000003E0000-0x00000000003EC000-memory.dmp

                                                              Filesize

                                                              48KB

                                                            • memory/2660-17-0x0000000000500000-0x000000000050C000-memory.dmp

                                                              Filesize

                                                              48KB

                                                            • memory/2660-13-0x0000000001060000-0x0000000001170000-memory.dmp

                                                              Filesize

                                                              1.1MB

                                                            • memory/2676-573-0x0000000000930000-0x0000000000A40000-memory.dmp

                                                              Filesize

                                                              1.1MB

                                                            • memory/2704-458-0x00000000003A0000-0x00000000004B0000-memory.dmp

                                                              Filesize

                                                              1.1MB

                                                            • memory/2704-459-0x0000000000350000-0x0000000000362000-memory.dmp

                                                              Filesize

                                                              72KB

                                                            • memory/2876-190-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

                                                              Filesize

                                                              2.9MB

                                                            • memory/2876-191-0x0000000002890000-0x0000000002898000-memory.dmp

                                                              Filesize

                                                              32KB