Analysis

  • max time kernel
    146s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    21-12-2024 22:23

General

  • Target

    JaffaCakes118_ea8ccdbe0f65376c5efde32a0bd812aca5d6339498cc8240d1c14626ebd3de81.exe

  • Size

    1.3MB

  • MD5

    affa00e7521ab3d3d637a9ff294ecccb

  • SHA1

    c9cf1f0ca3f8a2f97b1a88a0b9f656641263cbcf

  • SHA256

    ea8ccdbe0f65376c5efde32a0bd812aca5d6339498cc8240d1c14626ebd3de81

  • SHA512

    9cbbdad39a61cb67c23157bdbb9ec043d0175961d9d84b36d7653c55331c71d2babc785b4a8aaec875c67c6be23cbd0b15e46f30d9a78047bc063f626f584589

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 36 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 9 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ea8ccdbe0f65376c5efde32a0bd812aca5d6339498cc8240d1c14626ebd3de81.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ea8ccdbe0f65376c5efde32a0bd812aca5d6339498cc8240d1c14626ebd3de81.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2052
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2484
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3016
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3048
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1480
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1612
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2624
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2864
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2168
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:288
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:536
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\es-ES\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1956
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:696
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1264
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1644
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Ease of Access Themes\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3032
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2012
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5a9ShOQM99.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1464
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2868
              • C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe
                "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2152
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aPx44ABVco.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1728
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:3036
                    • C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe
                      "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2684
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat"
                        9⤵
                          PID:968
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            10⤵
                              PID:2340
                            • C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe
                              "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"
                              10⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:904
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iVopF68B7o.bat"
                                11⤵
                                  PID:2532
                                  • C:\Windows\system32\w32tm.exe
                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    12⤵
                                      PID:2096
                                    • C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe
                                      "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"
                                      12⤵
                                      • Executes dropped EXE
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2944
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2mwtwHUJyt.bat"
                                        13⤵
                                          PID:1260
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            14⤵
                                              PID:1440
                                            • C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe
                                              "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"
                                              14⤵
                                              • Executes dropped EXE
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2484
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hYa1c8p3ob.bat"
                                                15⤵
                                                  PID:1804
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    16⤵
                                                      PID:1864
                                                    • C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe
                                                      "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"
                                                      16⤵
                                                      • Executes dropped EXE
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2924
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MXvuXcjR4o.bat"
                                                        17⤵
                                                          PID:1116
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            18⤵
                                                              PID:1588
                                                            • C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe
                                                              "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"
                                                              18⤵
                                                              • Executes dropped EXE
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:904
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat"
                                                                19⤵
                                                                  PID:1420
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    20⤵
                                                                      PID:2852
                                                                    • C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe
                                                                      "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"
                                                                      20⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:2668
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GN7B3lpeta.bat"
                                                                        21⤵
                                                                          PID:2588
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            22⤵
                                                                              PID:2552
                                                                            • C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe
                                                                              "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"
                                                                              22⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:680
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HKL0gj8mBn.bat"
                                                                                23⤵
                                                                                  PID:2864
                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    24⤵
                                                                                      PID:1612
                                                                                    • C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe
                                                                                      "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"
                                                                                      24⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:1568
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat"
                                                                                        25⤵
                                                                                          PID:1512
                                                                                          • C:\Windows\system32\w32tm.exe
                                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                            26⤵
                                                                                              PID:2752
                                                                                            • C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe
                                                                                              "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe"
                                                                                              26⤵
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:2024
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\spoolsv.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2816
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2824
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2664
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\de-DE\csrss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2528
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\de-DE\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2548
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2456
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\services.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2772
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\services.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2544
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\services.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1636
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Music\System.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1420
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Music\System.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1388
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Music\System.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:324
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Documents\csrss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1692
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Documents\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2444
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Documents\csrss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1552
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1848
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1620
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1908
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\services.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1572
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\services.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2020
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\services.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2480
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\providercommon\smss.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2856
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2828
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2956
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2596
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1904
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:272
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2708
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1100
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2396
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Resources\Ease of Access Themes\dllhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1308
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1808
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\Resources\Ease of Access Themes\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1720
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:844
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1652
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:908

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            18a2bc30aa88cdb1c6eae12c5cd8bcfc

                                            SHA1

                                            e1e79334c861c5b3ce14b320460b898a0d0f51f7

                                            SHA256

                                            2ba6d684b2a894a44784aa0f6725e42c1feb62bbb1b4bab17afdcd7ff605e915

                                            SHA512

                                            f6d7df7a581ef6eb5976df6d172c2b63a1e5732dbcd8ef9c9380ec16cadc6fa18e994d34c7b052ff930464252d123794fa817af60a161da5307f5bc87dcbb13d

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            f801f8522811e4379e0c08d0527986f1

                                            SHA1

                                            c49c6f59b6c2ac60f9b2cc759839d73eb0b60a7c

                                            SHA256

                                            3b5be4e62418b30625ab6e94f8a759c77cbdf33da288b0709ca9df8f6db19bec

                                            SHA512

                                            d27cced31c60e3c7fd584b77451a295c168bb06036aac37ac7bfd4c456649ac3131ce2bc09e08d61c02a12ea84dc4a08c730b60df0d5ec355b79e17ef42e824a

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            a3af627e5f8dab6d68cb621073fe5fda

                                            SHA1

                                            f135932ff8816411f0daca16e47499c0bb793dda

                                            SHA256

                                            c5334b8fdf6109174ab42303fe21d532f9cc4c433048927ab60b528dcdbfd853

                                            SHA512

                                            af9f79c713108aa23169e4925a8871454ff83b09185ce6d22f37551706f62ee7aa494401eb18007ba3103c4c58a7527d9cabee223a644a93c1a86c00334c7f2a

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            f15af2964e1f128e17d25a3f596ebe23

                                            SHA1

                                            63461b683627858fc492f4a1cc355adabc15c4ca

                                            SHA256

                                            ff180ffa8acc4eef1d755228e487c4770a758437b40198fee5a7995f8595a41d

                                            SHA512

                                            c4dfeb42c2f16676161f9dc2633c73b9e8cab3f257bd09af0258a21c92868797b3e337b449dd73130650cbdc133bad8cb791058e9b26b1983a38b048974ab716

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            02090401ce08f5ce9669d7fc855b8c11

                                            SHA1

                                            e397b672e8be96b8b1e98c26c9f50c0329d30b5b

                                            SHA256

                                            bc6ea61fc02d48bd032cc6d258b6ba856110bba9d55e54d88ceda31c9d0de9f2

                                            SHA512

                                            0a7541a537f1f19aae86f179279e0024001de32477cb674f104d84673a353035f802587a99990890f9bd7ff69840440b55fd53c5c48367bb969f48c22fb95297

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            371fa15d9bb8e3ed30ce03ecc11fb851

                                            SHA1

                                            12a69ec6113d93840a8d4dbce1178a3e2870ad9b

                                            SHA256

                                            9b983a755344793e290677dfab0641df7f772ac4b43aba32ee4cf85730820903

                                            SHA512

                                            dcb06ae7abfd9b7d2ca646c3721a72f5e9ddf83160c950433b1929197b536aae71f2e4299139669937db694d85359db27faa87f752fc6b3c68385ed42ed8d64c

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            9873a7f00c2d79217c20d10a21fb4bc0

                                            SHA1

                                            6a1e8b2ad7f6f6d4bab51148b05b1a0af6111c9c

                                            SHA256

                                            495dde5ab802d5bc02726ca3bcdecf859a28062a514799c61632cd75ff8f25cb

                                            SHA512

                                            5af22c31b94b13659f8939a506215b0c9fd370a72b80efeb4856bd2533790eed8700bd91448ce24760b21748bed1ce5e89dd897c72e343ff0d06c130984c8082

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            99bdf4fb04a5e844d9aaee441e983dfa

                                            SHA1

                                            108da9c85e172b5f87f8cdfa32600a9608f3f2e0

                                            SHA256

                                            8c9a91a8deba6564d8dd21163ca17a8ea3dfdf4f77a3f1d724020f4f473b0cef

                                            SHA512

                                            ee2951cb0773cb8a38612d26ad8aa2832a345cebb1f2e9c5350a7b41f6cdc8303f4725d3beb937f7eb2835cedb9c25e4cddfbecc39b183328ddec8eb9428a8be

                                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                            Filesize

                                            342B

                                            MD5

                                            3e61ce9022f2385cf9b24c3d6774854f

                                            SHA1

                                            fb2850baff4408a06bb2ae85b60c4db16c2296c4

                                            SHA256

                                            b1f69f234d00bd7765405f9e630d39c5953ad81e9a35a1578a5bdc1cd99cce16

                                            SHA512

                                            3a5e8ba4b3d56cbdaef5ebfde92a244f922a5801b1d92c3483a4e3d0a497a914dfac6b3fdf125652b6b9c88ce99294e219b5bca4ca6f008b50ba341d9e8c1257

                                          • C:\Users\Admin\AppData\Local\Temp\2mwtwHUJyt.bat

                                            Filesize

                                            225B

                                            MD5

                                            8acd16ba4f2b96e55786b8ea36d2fdb7

                                            SHA1

                                            8e5b30d0461d748b4cec3a7fee4e12fdb4a68781

                                            SHA256

                                            dd141e6af614baecfb31bd25419f606afbc24183983d38eac7580896b0c6878e

                                            SHA512

                                            5bb7931661dec2686522be8e07377cfaf16c14c2003991a5aeb7a44699c24cdd75e9c6f228764429e53fcdb58ca0b94e71574975868b71680023e6dbbc190029

                                          • C:\Users\Admin\AppData\Local\Temp\5a9ShOQM99.bat

                                            Filesize

                                            225B

                                            MD5

                                            852f479aec6c431285bdb7ff4422ac04

                                            SHA1

                                            eec8079d3b4fb4ec8acd25a43d99b270308d3581

                                            SHA256

                                            1526a18589a446819570cb1f8c10605cbdfd4100d990b0e0226a16a8050a9639

                                            SHA512

                                            4d84ceaff671e47433dfc2ec0d281bb6f4301cd7bad4399ad6ddc7262670a83d4db1ace7c2b1fa5b5b9609f5662bd46ca6fb948d9671c48d4374cb22c4ab4b0f

                                          • C:\Users\Admin\AppData\Local\Temp\Cab15C4.tmp

                                            Filesize

                                            70KB

                                            MD5

                                            49aebf8cbd62d92ac215b2923fb1b9f5

                                            SHA1

                                            1723be06719828dda65ad804298d0431f6aff976

                                            SHA256

                                            b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                            SHA512

                                            bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                          • C:\Users\Admin\AppData\Local\Temp\GN7B3lpeta.bat

                                            Filesize

                                            225B

                                            MD5

                                            c4d5d9e3969578c0f52716cf2904be61

                                            SHA1

                                            0c0d8706ccc41f013b0b0ad1d6041d207f16448e

                                            SHA256

                                            d260a1b72f0aaacdef39189412d90ce0a899662bd1aae3753d2ec7b727f926df

                                            SHA512

                                            2b27c633f7ed39d14fb3eede00389939546c032ea34110e5b60d132f3f8d7d21391ecae8b5f29e37b9ef85791855d53a975a87fee182bf7ab16cbd1b9397fc8d

                                          • C:\Users\Admin\AppData\Local\Temp\HKL0gj8mBn.bat

                                            Filesize

                                            225B

                                            MD5

                                            e22d26061c29881e9f633a4b4559075a

                                            SHA1

                                            8f67bc36152be558038ff1b6fd2d413e6279508a

                                            SHA256

                                            54c270beb5832a5ad5ac0b6c91e96b387096645cddac631043e1299e08462dbd

                                            SHA512

                                            3e2e03978890858628b2638180c51676207951df5ff61b189ed10257a38caef967e6dd06a94eecf6764d8062a196a5e2036e5abde16ef7f6f425f7798e00d9b3

                                          • C:\Users\Admin\AppData\Local\Temp\MXvuXcjR4o.bat

                                            Filesize

                                            225B

                                            MD5

                                            91b5b1b4b2113972dba25f6bedd43e55

                                            SHA1

                                            6ea9b77596e2ec77f46603c16cec778f75254bcf

                                            SHA256

                                            374947104588a526bedb76c5e5174f0c6851460cc3e0c043f2c3ce03727b1236

                                            SHA512

                                            54e2b4a417a14f76c8db19defe969444ec9e14f368558470858fdb756044ffec69ce7b5aada27f9cbe1e5f6a34bc7fafd5b05b8898bfa058e1ca4fbc4228f35b

                                          • C:\Users\Admin\AppData\Local\Temp\Tar15E6.tmp

                                            Filesize

                                            181KB

                                            MD5

                                            4ea6026cf93ec6338144661bf1202cd1

                                            SHA1

                                            a1dec9044f750ad887935a01430bf49322fbdcb7

                                            SHA256

                                            8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                            SHA512

                                            6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                          • C:\Users\Admin\AppData\Local\Temp\aPx44ABVco.bat

                                            Filesize

                                            225B

                                            MD5

                                            fd070d63a4ca3a5304fa3fdf16574103

                                            SHA1

                                            f13330819f89de41be70e94801d9c1ac5d4738d5

                                            SHA256

                                            c0fbc5632e0232411eb85bdf61a4909b072427a801eec0511c04afd4c901f739

                                            SHA512

                                            05fccef82c0645b95f002d22f00fa887a2d7f358017bdcaec500a6adb1d6079abf1384692eab6be473e4825a1c622c6f7a25817083be80b5392fff7e1247f16b

                                          • C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat

                                            Filesize

                                            225B

                                            MD5

                                            73e2138afa5df0f632f8130d3093af32

                                            SHA1

                                            d3f68102d0a0b8d02ba5c6d1dae29949f614f4a5

                                            SHA256

                                            6be8c11b6eb5e3be19a00e2227a6ac760a8e955d8dd45862191d177c658196f3

                                            SHA512

                                            1e9004f6880219d8d5a6007ee10d4c3792ea39503c4f4381d3baf13ccd523cf7465f0ff6add15ee001e3574ad7a9a80f413305a336cdeee4afd536702308596f

                                          • C:\Users\Admin\AppData\Local\Temp\hYa1c8p3ob.bat

                                            Filesize

                                            225B

                                            MD5

                                            85e5717f5c7cf59308bac17cbc9aa2c3

                                            SHA1

                                            07b803a4ee2c811905512514c8d697933bbd1d06

                                            SHA256

                                            4534d3a5f4aa28f66b961595f9534d78870726fe6b2f7b61348eb06b37d814bf

                                            SHA512

                                            126958b67ff634ec1f22774c60745854594355f3a8ac707ac167902439488cfcfc5f6a9dfb60f817edb8d3ced854c9548ab4e0bbcf5c32019fa837693af77332

                                          • C:\Users\Admin\AppData\Local\Temp\iVopF68B7o.bat

                                            Filesize

                                            225B

                                            MD5

                                            3dbbe7c5b1adc3c02fe49550a7430628

                                            SHA1

                                            0d19fe94f68d2bad012b9715cdf3e7572810a676

                                            SHA256

                                            82a0dc6ac9fb11f9a03e41c9d790e45b6b30ca8de71e2c7834f64aaafa6ec1cb

                                            SHA512

                                            3df3df764e2caa4e61103df4717d3e7e348fa19d0e10f84bee57b181dba686cfb00e48a55d02d3ec6ec544b1049e5a9ed9cfb7be3f4d77d0376650c8134f96d7

                                          • C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat

                                            Filesize

                                            225B

                                            MD5

                                            0e88a05c7e858b5d24bd9f1a0d2e07b6

                                            SHA1

                                            56f1130e3c2a16425044614a5d48ac4f509a87ad

                                            SHA256

                                            fadc18ddc942e02f3beded37b490e4519f55155a79ce8058fedfa283cda418fa

                                            SHA512

                                            a15b42033388489456724315efc1c6f9e80be1e7693bec9d36cd869f247878ca29f12c3158ea74d5945a340eda221ac2cebc579abe76e3894063cf1d7dbccd8f

                                          • C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat

                                            Filesize

                                            225B

                                            MD5

                                            5d8f208f2f3b0b0a8953f33d42c89ca4

                                            SHA1

                                            27c51dc35ca8e5cf0060678e8995b8c6719c8284

                                            SHA256

                                            228d74a4260efab0fd6282be347b9f647bb2b5a992333e563bcb541a0f4f5aee

                                            SHA512

                                            561c491d0f715ee896ac96f7cb979e1face1b48ab1d93e4ae2caa807a8d5b659fdb4de03f44bbd158e8aaaf0c90fb4c59a08d75f997e526be093119d5c2b29c2

                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                            Filesize

                                            7KB

                                            MD5

                                            10ae1d92bf8f0a0b999a73ac4b72b280

                                            SHA1

                                            179706b1cee7259c51273b5552d054300a5b0097

                                            SHA256

                                            f309527e34bb6ad8db9b5220f2ff57e9c3f9629de88b373c5a0bec338f86f789

                                            SHA512

                                            43140c61f30c4237de033b39b3545ef3039cefed8098fe616bba8373e5ec74579a29e9ef0e597a578161ee312708f8d7774be9e21c8c6f97a2e858ae8a44c048

                                          • C:\providercommon\1zu9dW.bat

                                            Filesize

                                            36B

                                            MD5

                                            6783c3ee07c7d151ceac57f1f9c8bed7

                                            SHA1

                                            17468f98f95bf504cc1f83c49e49a78526b3ea03

                                            SHA256

                                            8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                            SHA512

                                            c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                          • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                            Filesize

                                            197B

                                            MD5

                                            8088241160261560a02c84025d107592

                                            SHA1

                                            083121f7027557570994c9fc211df61730455bb5

                                            SHA256

                                            2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                            SHA512

                                            20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                          • \providercommon\DllCommonsvc.exe

                                            Filesize

                                            1.0MB

                                            MD5

                                            bd31e94b4143c4ce49c17d3af46bcad0

                                            SHA1

                                            f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                            SHA256

                                            b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                            SHA512

                                            f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                          • memory/288-64-0x000000001B7B0000-0x000000001BA92000-memory.dmp

                                            Filesize

                                            2.9MB

                                          • memory/1480-71-0x00000000021D0000-0x00000000021D8000-memory.dmp

                                            Filesize

                                            32KB

                                          • memory/1568-648-0x00000000009F0000-0x0000000000A02000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/2024-708-0x00000000003D0000-0x00000000003E2000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/2152-115-0x00000000013E0000-0x00000000014F0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2484-351-0x0000000000330000-0x0000000000342000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/2924-411-0x00000000009F0000-0x0000000000A02000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/3048-13-0x0000000000B20000-0x0000000000C30000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/3048-14-0x00000000004B0000-0x00000000004C2000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/3048-15-0x00000000004C0000-0x00000000004CC000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/3048-16-0x00000000004D0000-0x00000000004DC000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/3048-17-0x00000000004E0000-0x00000000004EC000-memory.dmp

                                            Filesize

                                            48KB