Analysis

  • max time kernel
    144s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-12-2024 21:47

General

  • Target

    JaffaCakes118_a593dfa0bf52fac54d72ca0dd36caea17e1ff8882ed9ee52b3e781772eb2ef33.exe

  • Size

    1.3MB

  • MD5

    f575f706d318594205de442141c1ecb5

  • SHA1

    3b1802d85e90ec9fc0742f4368afb57f23ddaa1a

  • SHA256

    a593dfa0bf52fac54d72ca0dd36caea17e1ff8882ed9ee52b3e781772eb2ef33

  • SHA512

    8459655652b39d7643cc531325b7bd2e1b2aba2e2b22a3ea7b940e270bc4f10587b4e3d8a7ebd253b1e1eee6b2ed25f8d0c36ad672d0fe4d14d6a20b1b37a1b1

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 42 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 10 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a593dfa0bf52fac54d72ca0dd36caea17e1ff8882ed9ee52b3e781772eb2ef33.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a593dfa0bf52fac54d72ca0dd36caea17e1ff8882ed9ee52b3e781772eb2ef33.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2328
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2480
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2056
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2820
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2952
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2940
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2896
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\de-DE\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2332
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:996
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\fr-FR\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2252
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2100
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Application Data\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1512
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3028
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:892
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2352
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3000
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\fr-FR\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            PID:548
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\de-DE\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1580
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7eX2I2PXzl.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2776
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2428
              • C:\providercommon\WmiPrvSE.exe
                "C:\providercommon\WmiPrvSE.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1640
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat"
                  7⤵
                    PID:1480
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      8⤵
                        PID:1684
                      • C:\providercommon\WmiPrvSE.exe
                        "C:\providercommon\WmiPrvSE.exe"
                        8⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2512
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat"
                          9⤵
                            PID:2816
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              10⤵
                                PID:2388
                              • C:\providercommon\WmiPrvSE.exe
                                "C:\providercommon\WmiPrvSE.exe"
                                10⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2728
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat"
                                  11⤵
                                    PID:2460
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      12⤵
                                        PID:792
                                      • C:\providercommon\WmiPrvSE.exe
                                        "C:\providercommon\WmiPrvSE.exe"
                                        12⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2196
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y29a6RA8xz.bat"
                                          13⤵
                                            PID:2976
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              14⤵
                                                PID:2248
                                              • C:\providercommon\WmiPrvSE.exe
                                                "C:\providercommon\WmiPrvSE.exe"
                                                14⤵
                                                • Executes dropped EXE
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2852
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat"
                                                  15⤵
                                                    PID:3036
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      16⤵
                                                        PID:2684
                                                      • C:\providercommon\WmiPrvSE.exe
                                                        "C:\providercommon\WmiPrvSE.exe"
                                                        16⤵
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1084
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u02VouYs0z.bat"
                                                          17⤵
                                                            PID:2188
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              18⤵
                                                                PID:3056
                                                              • C:\providercommon\WmiPrvSE.exe
                                                                "C:\providercommon\WmiPrvSE.exe"
                                                                18⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:836
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ER58NgmlZn.bat"
                                                                  19⤵
                                                                    PID:1176
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      20⤵
                                                                        PID:356
                                                                      • C:\providercommon\WmiPrvSE.exe
                                                                        "C:\providercommon\WmiPrvSE.exe"
                                                                        20⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:1640
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I1IMKnnpZ2.bat"
                                                                          21⤵
                                                                            PID:1900
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              22⤵
                                                                                PID:1148
                                                                              • C:\providercommon\WmiPrvSE.exe
                                                                                "C:\providercommon\WmiPrvSE.exe"
                                                                                22⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:2296
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat"
                                                                                  23⤵
                                                                                    PID:2948
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      24⤵
                                                                                        PID:2588
                                                                                      • C:\providercommon\WmiPrvSE.exe
                                                                                        "C:\providercommon\WmiPrvSE.exe"
                                                                                        24⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:2620
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Downloads\wininit.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2860
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\wininit.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2792
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Downloads\wininit.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2728
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\winlogon.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2872
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2740
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2624
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2612
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2688
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2980
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\de-DE\conhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1956
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\de-DE\conhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1672
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\de-DE\conhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2312
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\taskhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1740
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1900
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:692
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\fr-FR\smss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2272
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\smss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2476
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\fr-FR\smss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1248
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\DllCommonsvc.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:380
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1156
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1424
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Application Data\csrss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2824
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2556
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Application Data\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2432
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\System.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2876
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\System.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2136
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\System.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2972
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\audiodg.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:860
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\audiodg.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1092
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\audiodg.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:448
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\providercommon\OSPPSVC.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1144
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:844
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:616
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\spoolsv.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1640
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2452
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1684
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\smss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1656
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\smss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1744
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\smss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:856
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\de-DE\csrss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:576
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\de-DE\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2264
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\de-DE\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2468

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          4512ec8dc45034d6d85e3086265dff5c

                                          SHA1

                                          8329f62f51e2bbde8a8b0a779d4e33714a0f617e

                                          SHA256

                                          06348e842b5070c980a7f3af0cfd8dbb490fc1dac4aac161d4b84a7aa406c825

                                          SHA512

                                          326131de08bc04011faf5b21de00ab41eaf74100739c46a4f9fa8afe2e7c6489e630043681f65a8c1df25dd74e014e64df21e33f893e940f34354699960d0d25

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          519d7efa576f49389e7b3e95e8755a07

                                          SHA1

                                          a2256972556a0b17d5ee871bdb34f655b0b55bdb

                                          SHA256

                                          b376290c42408dc24e0ba73a44477fd87da45b07773037ee520a7bd42ef4b7a0

                                          SHA512

                                          33abcd01901d67394b03a96839afde5d3edde57a1daf4e155db796ec2334a59bffb5814c82029a27056c7ffbcfa19678265cb04855b126c04165606c5a989a22

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          9745a83bfbf7d01606853a81c4b4ff77

                                          SHA1

                                          a9a51bfa84ce88d78b867e10d7ef993cacfa5f2c

                                          SHA256

                                          d0799e45e0dd0635e25ae238fb82271d8b1285c8816dee4d9a0b9dc6dc6de76f

                                          SHA512

                                          db0a0d5ee48c56459e56944bb1c59326be921126df389d459564af61f433f760f64a425ba1e2fd0e269b2a3ff56569104fdccb45048ca361273b2a84498fa836

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          034044a4956c68e3eab714d46b58545a

                                          SHA1

                                          76b21d9b4a00f41fd6885ba1ab75a85e283ad046

                                          SHA256

                                          77d6007627e9114895c902b8d18fd40b0e8bb6a7d61389c8f7b8e7327f7e4568

                                          SHA512

                                          a2842b324ab7ebdd783f25d49f833a1f21ca7814ae21f431d2123949f16d7367a65ff0842184d81eed2970ff6e7b1d156aca207cbaadd6f13f51b26501acd13d

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          96226ebadc07bae623b20c4015190dcd

                                          SHA1

                                          c1b40a73d53a60b94d84681f536b6e2f3db2be4a

                                          SHA256

                                          f482fafc244803b2d82daf3aced994f07e98b633012a0bf0f1fa4659b4d8d609

                                          SHA512

                                          0daef6b24166ec85ad6ce42cbd8c7510dc994731a94257b4092c34549f8f50d328ff2b4e276f4428f40c79e367cb2e394ce8cdb36bc798fcc19d88fa518a1f06

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          c94114aee2ac254bd500190e53cac539

                                          SHA1

                                          893442c8d4825d4a83ab6ec5b55ff8009f9b59af

                                          SHA256

                                          e0635a9f0e9f4a42e9f2695cead04878f2cda5623bbe1a46d5bdf515e94781db

                                          SHA512

                                          312e525e1b29fd06022d27bfcba8a35421e39e5af0f467f9de3a03e8ddf9b7f858b032715876ced93b32027726c3c0961e6b20b5ccbfe64f1612611e562d69b8

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          7d8a868d85367755355054817bf4bf01

                                          SHA1

                                          2af6d2738d7ea561e43d94cacc602d9541859996

                                          SHA256

                                          5520d1bd6c78839deacc7093e6f17b41bba2025f95e212045e7dcf360d7453cf

                                          SHA512

                                          43e78e91b6e2ae6f08d21df6a6af095c87d10528857c460faa8ed116a13208db2a8e629a3b2d401664928596ffe6f7c493a3db1b8805f4ac4dc95450495b005e

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          7f0c6d6a5f67d761da8cc029dd84718d

                                          SHA1

                                          485ed468e2a72088b669b579adca6f3b88dc900a

                                          SHA256

                                          7853215c1fc3994b5b86590dec89432267fdcfc5f078cd51f5094b0f3a29e9b9

                                          SHA512

                                          01749521b12041f9cf4039c5a0574ca1aed3133b0a203e916fb4322e8de61c9e9f0eb5d84a2e99d7dc26cfda29a51d43fbca59d1fb5f680df896992bcb6ddca9

                                        • C:\Users\Admin\AppData\Local\Temp\7eX2I2PXzl.bat

                                          Filesize

                                          195B

                                          MD5

                                          8d552f61cffe3edca8078c05df214d4c

                                          SHA1

                                          3e76ef8ed134d988fbcf7fe6da59ead3374a49b3

                                          SHA256

                                          2856d606afd6946f7f5d620a342b2131c9cd8be62f90c17bfc1628b5a332d4b7

                                          SHA512

                                          994dd150d57dc6fc847c5f6dd53020406b1d8d814264047bf958f78e3a9f8ae927c2e1349e211308f3ead0ec473eada4d576df9e0eedcd40d2c459d123ddaa81

                                        • C:\Users\Admin\AppData\Local\Temp\CabE487.tmp

                                          Filesize

                                          70KB

                                          MD5

                                          49aebf8cbd62d92ac215b2923fb1b9f5

                                          SHA1

                                          1723be06719828dda65ad804298d0431f6aff976

                                          SHA256

                                          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                          SHA512

                                          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                        • C:\Users\Admin\AppData\Local\Temp\ER58NgmlZn.bat

                                          Filesize

                                          195B

                                          MD5

                                          83349355ec8ab1e7f7185d8769705517

                                          SHA1

                                          056286e3b450ee0e395b4cf911c79417eae50e27

                                          SHA256

                                          e62645cfebbe6b9b196f4c253aac51404a9708283e4a70e089c03d058225127f

                                          SHA512

                                          cd301c04543d29c8c6b530f5e3a2194c47b4787948b7df4a29481e614ece0925c2b04ea9cbda081357cd7f5cf129f8e9431fad38081309b5d53dd231bb6724c2

                                        • C:\Users\Admin\AppData\Local\Temp\I1IMKnnpZ2.bat

                                          Filesize

                                          195B

                                          MD5

                                          b386868939c4eabc37bd359c9816d313

                                          SHA1

                                          53e21a957570cc5a32c262576e7deaad590ba90c

                                          SHA256

                                          5d3acdcacbd8afdb4f12b646b2ee41eda291783428eea4b94649696e206dd423

                                          SHA512

                                          3fa30c0c6f3611aae6b8f3b0b27d64b03093099aa2a3f48a428a27c7494a8177d83b61853646986b7118af4f6e8843981cd37791079fb8dfc9c03e6c15c1ad40

                                        • C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat

                                          Filesize

                                          195B

                                          MD5

                                          0649fd1a663e7331ee30c47aa182a681

                                          SHA1

                                          366e466f739ad4e665e5b9eec9386b5288ad37d9

                                          SHA256

                                          42d5ec14197c3afbf49b4a33ae0515a62920d83888efe6894a410163b07a6961

                                          SHA512

                                          9fcfd4758c071499d5268a6a691edad74026a234e7581206c67dfa7b00e90687e60e49360493b933800844b1156f42a44f15db20901b0126e471a48e8a385005

                                        • C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat

                                          Filesize

                                          195B

                                          MD5

                                          78b066bad52fa47518c095799a53eb06

                                          SHA1

                                          bc67e1d0d7e0d5900f0f78aecc199c38cfa48b3f

                                          SHA256

                                          d326f04eb28c8059aec4c8710622335f61552b1b3c5ac2b2c5f292262c5ef7c4

                                          SHA512

                                          6b0dbcb96fbdf000665c62ffe11a3e2ccd9283a9c45197b5cd0cdee64597768c1618b3846a53eb20871ea624d4674f2351116890127c1696ffceb5e0cfe86b04

                                        • C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat

                                          Filesize

                                          195B

                                          MD5

                                          17a7b1a70e1933d546fab7b16c4ad916

                                          SHA1

                                          787ae423e0415e175da44b3acfd1654722b7dad6

                                          SHA256

                                          e538ceb2fee16fb8d0500f7e6159fbd9133ad4c89414149af91731cdf985a4b1

                                          SHA512

                                          b9f56b10f677995f5a0b455402aa2dfd7380e74de30bbc9c3758cae68c96bd54ac02a33782cadebfecd87c72647c397450c116ffd637cd77f7d75400c4153412

                                        • C:\Users\Admin\AppData\Local\Temp\TarE49A.tmp

                                          Filesize

                                          181KB

                                          MD5

                                          4ea6026cf93ec6338144661bf1202cd1

                                          SHA1

                                          a1dec9044f750ad887935a01430bf49322fbdcb7

                                          SHA256

                                          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                          SHA512

                                          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                        • C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat

                                          Filesize

                                          195B

                                          MD5

                                          5eb42f3dacde8fe78adc8c39f40cb25e

                                          SHA1

                                          022bc0e688c513a3713e6466bfaa5e7c41911836

                                          SHA256

                                          311e09f53391ac08a89148c01a9c2cf4ebf2a08f53e70bf86e9f39c641443413

                                          SHA512

                                          02941988c2099901026afcdb4c81200906a104e55f63d1a432b07b0335327d8eeb754cd033b5bdda5618dffdfdf8a9b43cc9538839ad81469fa804eb209e86b5

                                        • C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat

                                          Filesize

                                          195B

                                          MD5

                                          9a857dfde4cdec220506b28ddd929b18

                                          SHA1

                                          ca1320704f5972287237b9658e7074b1ac9d62f3

                                          SHA256

                                          af9e75ebfc72d2453a3b283473817d991bc8cfb16117a3c40634610f2a205c8a

                                          SHA512

                                          7359dd289d1bee806dc4809d27c397a233e4489de08e299bb00edc822cba7a6f2285a4479ea40ff2ffb5f3efb811fc93dc4fb8c39a942ed5259068640db4c971

                                        • C:\Users\Admin\AppData\Local\Temp\Y29a6RA8xz.bat

                                          Filesize

                                          195B

                                          MD5

                                          d07733519d2c46253e68e9e0ddfb578a

                                          SHA1

                                          614e87c58fe5f2ce299bc3a541db3dae967d24b4

                                          SHA256

                                          bab4a0b89db6cb56e5af90232f500cc3c667a028e5a84bb0aa076b71a63d6a66

                                          SHA512

                                          0890aaf411b72031c0afab59d1d6bc2127c1a8b72603ae3da46d9300d871b4f41a0c2205aebd39b3a982e886f214b8ac72538d85c83c5eb5d5a49c93dea5fa30

                                        • C:\Users\Admin\AppData\Local\Temp\u02VouYs0z.bat

                                          Filesize

                                          195B

                                          MD5

                                          3d57f070a9a97889167c5fbc2fc4b4a9

                                          SHA1

                                          8daa1f782079c1bd16aa482534ab223480922fcf

                                          SHA256

                                          8d52c74c33ef0a6cd9ea5b27e9f3c83177da94b7425f787c2fcc7f892a164fee

                                          SHA512

                                          601383cd90794f875f0220204f460ea75f9c30ad208085e9eb405494c4c9c618e12f616f64ee0ae6338b58a64ebd6c73c14d63d1c55b8b41309d8dcef9c959a4

                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                          Filesize

                                          7KB

                                          MD5

                                          24a51975ed0b1d3f3a1a96150df38256

                                          SHA1

                                          9f444ca91e214734c2a5b11125c9ad1742f1da34

                                          SHA256

                                          d2bfd0fe5e472506e0007e731c44dbb42dfce0b1a181df0bbbdc3af871e6a614

                                          SHA512

                                          4a41d27a9cba4fd8152e917b1ce0197e339c676020f1dc894d3c255a6e999ed68ba1369dd910bb6a6082722a909fe490a435620364954e899726395d8f4b609b

                                        • C:\providercommon\1zu9dW.bat

                                          Filesize

                                          36B

                                          MD5

                                          6783c3ee07c7d151ceac57f1f9c8bed7

                                          SHA1

                                          17468f98f95bf504cc1f83c49e49a78526b3ea03

                                          SHA256

                                          8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                          SHA512

                                          c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                        • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                          Filesize

                                          197B

                                          MD5

                                          8088241160261560a02c84025d107592

                                          SHA1

                                          083121f7027557570994c9fc211df61730455bb5

                                          SHA256

                                          2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                          SHA512

                                          20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                        • \providercommon\DllCommonsvc.exe

                                          Filesize

                                          1.0MB

                                          MD5

                                          bd31e94b4143c4ce49c17d3af46bcad0

                                          SHA1

                                          f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                          SHA256

                                          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                          SHA512

                                          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                        • memory/836-481-0x0000000000340000-0x0000000000450000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/1640-541-0x0000000000210000-0x0000000000320000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/1640-123-0x0000000000090000-0x00000000001A0000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/1640-542-0x0000000000360000-0x0000000000372000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/2056-14-0x0000000000140000-0x0000000000152000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/2056-17-0x00000000002F0000-0x00000000002FC000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/2056-13-0x0000000000F40000-0x0000000001050000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2056-16-0x0000000000260000-0x000000000026C000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/2056-15-0x0000000000250000-0x000000000025C000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/2196-301-0x0000000000C70000-0x0000000000D80000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2296-602-0x0000000000150000-0x0000000000260000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2332-65-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

                                          Filesize

                                          32KB

                                        • memory/2512-182-0x0000000000960000-0x0000000000A70000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2620-662-0x0000000000BD0000-0x0000000000CE0000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2852-362-0x00000000004E0000-0x00000000004F2000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/2852-361-0x0000000000D40000-0x0000000000E50000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2952-55-0x000000001B5A0000-0x000000001B882000-memory.dmp

                                          Filesize

                                          2.9MB