Analysis

  • max time kernel
    145s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 23:19

General

  • Target

    JaffaCakes118_ab6a565ec6c3b0bd1ecd2a061db936ada4b963602abfbf3755b8bf13230570be.exe

  • Size

    1.3MB

  • MD5

    e232528ddd6aa6256f1480cc472cc002

  • SHA1

    778b038f3f1f5be1b6340c5f18d409a581a9834b

  • SHA256

    ab6a565ec6c3b0bd1ecd2a061db936ada4b963602abfbf3755b8bf13230570be

  • SHA512

    2b07cf4503081e7ca467d048f2c74fe5211371b36623fcc45a44127dc9d5fda93b10e02b2df854f28f8337dfd73e304c71c94858b26d4006771024c6626fd937

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 33 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 10 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the victim system's language in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ab6a565ec6c3b0bd1ecd2a061db936ada4b963602abfbf3755b8bf13230570be.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ab6a565ec6c3b0bd1ecd2a061db936ada4b963602abfbf3755b8bf13230570be.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2344
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2720
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2896
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1000
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:568
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1516
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\ShellBrd\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:920
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2448
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1704
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1796
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1720
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1544
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1312
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1780
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1776
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6ossFTShKU.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1736
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2028
              • C:\Program Files (x86)\Windows Portable Devices\taskhost.exe
                "C:\Program Files (x86)\Windows Portable Devices\taskhost.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:908
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GN7B3lpeta.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1664
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:1160
                    • C:\Program Files (x86)\Windows Portable Devices\taskhost.exe
                      "C:\Program Files (x86)\Windows Portable Devices\taskhost.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2648
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat"
                        9⤵
                          PID:2524
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            10⤵
                              PID:2616
                            • C:\Program Files (x86)\Windows Portable Devices\taskhost.exe
                              "C:\Program Files (x86)\Windows Portable Devices\taskhost.exe"
                              10⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1600
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hGj9C4kLBH.bat"
                                11⤵
                                  PID:1008
                                  • C:\Windows\system32\w32tm.exe
                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    12⤵
                                      PID:2364
                                    • C:\Program Files (x86)\Windows Portable Devices\taskhost.exe
                                      "C:\Program Files (x86)\Windows Portable Devices\taskhost.exe"
                                      12⤵
                                      • Executes dropped EXE
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1404
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\guIa2jZB2U.bat"
                                        13⤵
                                          PID:2040
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            14⤵
                                              PID:1596
                                            • C:\Program Files (x86)\Windows Portable Devices\taskhost.exe
                                              "C:\Program Files (x86)\Windows Portable Devices\taskhost.exe"
                                              14⤵
                                              • Executes dropped EXE
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:852
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1hmmkqxEk5.bat"
                                                15⤵
                                                  PID:2372
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    16⤵
                                                      PID:2968
                                                    • C:\Program Files (x86)\Windows Portable Devices\taskhost.exe
                                                      "C:\Program Files (x86)\Windows Portable Devices\taskhost.exe"
                                                      16⤵
                                                      • Executes dropped EXE
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:860
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F5GJdikwFG.bat"
                                                        17⤵
                                                          PID:1292
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            18⤵
                                                              PID:344
                                                            • C:\Program Files (x86)\Windows Portable Devices\taskhost.exe
                                                              "C:\Program Files (x86)\Windows Portable Devices\taskhost.exe"
                                                              18⤵
                                                              • Executes dropped EXE
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:820
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3dopRv074r.bat"
                                                                19⤵
                                                                  PID:1736
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    20⤵
                                                                      PID:2972
                                                                    • C:\Program Files (x86)\Windows Portable Devices\taskhost.exe
                                                                      "C:\Program Files (x86)\Windows Portable Devices\taskhost.exe"
                                                                      20⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:2552
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VJj2LbMAw3.bat"
                                                                        21⤵
                                                                          PID:480
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            22⤵
                                                                              PID:1016
                                                                            • C:\Program Files (x86)\Windows Portable Devices\taskhost.exe
                                                                              "C:\Program Files (x86)\Windows Portable Devices\taskhost.exe"
                                                                              22⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:2276
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat"
                                                                                23⤵
                                                                                  PID:1620
                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    24⤵
                                                                                      PID:2256
                                                                                    • C:\Program Files (x86)\Windows Portable Devices\taskhost.exe
                                                                                      "C:\Program Files (x86)\Windows Portable Devices\taskhost.exe"
                                                                                      24⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:2764
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtKWrLEt72.bat"
                                                                                        25⤵
                                                                                          PID:1852
                                                                                          • C:\Windows\system32\w32tm.exe
                                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                            26⤵
                                                                                              PID:2516
                                                                                            • C:\Program Files (x86)\Windows Portable Devices\taskhost.exe
                                                                                              "C:\Program Files (x86)\Windows Portable Devices\taskhost.exe"
                                                                                              26⤵
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:1636
                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ixgWq8OOYW.bat"
                                                                                                27⤵
                                                                                                  PID:2344
                                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                    28⤵
                                                                                                      PID:2596
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2596
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2684
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3060
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:764
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2552
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2124
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\Branding\ShellBrd\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1620
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2316
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\Branding\ShellBrd\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\Cursors\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2780
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Cursors\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1756
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2776
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2796
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1844
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2364
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1564
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2948
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:552
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:376
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:532
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2236
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\lsass.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2192
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\lsass.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2120
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\lsass.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1804
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3016
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2272
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1716
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Recent\wininit.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2964
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Recent\wininit.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2952
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Recent\wininit.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2956
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\Idle.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2512
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Favorites\Idle.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1644
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\Idle.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:912

                                              Network

                                              MITRE ATT&CK Enterprise v15

                                              Downloads

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                c9e047d4fc123af4b43cdc19b3d8160c

                                                SHA1

                                                37afc7969774fe0204e34c953e139ee16cd761dd

                                                SHA256

                                                0999c814db30920de0480bd5bcbacbbdf54b91a9feefdd5b78c733fe19a941a2

                                                SHA512

                                                71972739786ad68805cd381e705da1bb22b5675204943cf107f3d72c86a765211bd4959b1d0e3d97379b1dbd6b329aa443e70c3f19ce90260341cb446051aff1

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                a46df1062a49a8c6f06ea2e2220d454d

                                                SHA1

                                                8e18165f1ca40f713711ad9c92226f41395d8abb

                                                SHA256

                                                d7da292d0494ab778e0507c82cf4733589b4ce9cddb19fb4c1ebdc2e25f405a1

                                                SHA512

                                                ee50b96e6722a38deba7ca9c72b62a924827fe722ca8f14c8f800012ff1898657cb67be0c21ffa851bbbfcf7ca5758b2edd2abcc3ee819501696312dcd4ed2de

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                ab0955f94668df0766e42286152e2dde

                                                SHA1

                                                d13f466033f4d83ee98837602b262ceff846ed67

                                                SHA256

                                                1173edabfba010bfabbfe1bdde9f5b6c1599b2a01a4f3a5c600c69d6089e94ef

                                                SHA512

                                                6318dedd61744691a2604d826375309cc8e004d39cf136b4ac527d37729990d130c632967774d0a4dad3ce71f459d3800c2c2054ab829e36036c4e0f8047a063

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                c762abde7450865627400daccbc715cc

                                                SHA1

                                                31355cad7f503b37b936d61cb2e5e72b92d68d9f

                                                SHA256

                                                23c2998c7b9a0031ec7b8c9cd5636048ba4e0d129c3ee5f0f701b0aa001d456a

                                                SHA512

                                                11adac8c107fc81b213b2f3a7580161a5be00f995661c7d32d5f96f8925f82d74cecb2b871011dcd3b672aba1c1f112244e71a742195bb28c35577070e33b5af

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                570ff796d9f21d42146f8192b38a2ab8

                                                SHA1

                                                959c788c5fb6aea63a6885e69d796d9708441b14

                                                SHA256

                                                6896932059661eb364c8a04a81e819bff3cd98e36e8d772fd146e5dea3dc1535

                                                SHA512

                                                1571e98960f1ae52532ae845a053a29720c47df84b4898fbf7351265c37049c341cc96959ff3bbef03f22eec6bf0ebfb28695c10000c0c8ae3ad8c5de6fcb3f6

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                38798fee6885abd0a9ba19e48545ca9a

                                                SHA1

                                                f652a523fe0e98839ca0aac0e8120c36568003fc

                                                SHA256

                                                66b5e374e199dc46967643077fa1cc699370827f075cd39d56c41e30a76e33ea

                                                SHA512

                                                597688f149160e49f95977ce24b0fcddf213138d7a2bc18a6f6d5d0422d738a3aa3c966e5122f3e924bc282bce1f125f2b5fcce4fe46c5e3c1897496723f7096

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                13cc978b95e08d8115f987d2c48a67c1

                                                SHA1

                                                31cc58f09d50b60bc9841e5dddf86e65074b9782

                                                SHA256

                                                0fc90f97184de8d2a49aabe94f097f7d5cbec0230fcefa7ee68f3ed3fe9ec611

                                                SHA512

                                                9066d0a2220a17be4d713aa03b432ebb90f889b3b1d84c53e6a70ca4f71c0dcb453f9e171b10e039bd23a9fa350a5e012a9b68d0c424faf4fd98789b4e6a7ede

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                34cce59a84abee7b8b585c5f960298d3

                                                SHA1

                                                c9b724dd7a2ab564bf06ffa1beba863d40c94b46

                                                SHA256

                                                42d32422e826b575f866c5930f57f6526adc3cd9ec61e771be011f1a3285d510

                                                SHA512

                                                4cc53363d2526ccc1e8743cac4fdbf112f5a6cb9de9fd615bd62acd591f4708cd349e562e262d11098a9c89c1e2ab0cb23816087cddb01fdac8ba819f56382ee

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                5bde170653658bc3dc19c204c8f5fc6d

                                                SHA1

                                                42f2ca395c30994c3343c4ebb95dab91b06bd5a6

                                                SHA256

                                                d98651bb344a3a486c8c8d028b7b4674fea03de4244038252d706876e964c0a7

                                                SHA512

                                                44cc3fdc823c64fa6d454c6fca49f4c662aef925820c12efb15f39379d2ca79306937d9157c13621d6f9c8745687e194b00784811ac03c8fe25850405215bc8e

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                81fbec55304e93bd7f25d6f1588af002

                                                SHA1

                                                29259fe64e2f8efa34c4902900e5b967be8ba482

                                                SHA256

                                                b5c93fb024b32866ec7ee1b095bb86af908b38ccca6972d9de70df1daa1de55e

                                                SHA512

                                                1064d179e4ce4495bbf5ac70e67605f6e2dd4e4ec466296b6e71825db70804fdcd5271a6d8bba73bf7322d810d3df71391106c48f5fb805dd8b82716fd560511

                                              • C:\Users\Admin\AppData\Local\Temp\1hmmkqxEk5.bat

                                                Filesize

                                                225B

                                                MD5

                                                2499bf377a7d9393f0ca691087eaa508

                                                SHA1

                                                394f87a3f124e6c6c307f3cf1066d2f2988dd381

                                                SHA256

                                                ded1e2283aa2269920518b2ee2b631939db521a5772c811117665fc91cae8bdd

                                                SHA512

                                                88234459ce2456ded8d0cfd3a3788b83be88ba4c220a061aa9c55f97424dc32ae6b24916f4ec33390238f884387e7ae0a717352aec2e9ed895338868b770f279

                                              • C:\Users\Admin\AppData\Local\Temp\3dopRv074r.bat

                                                Filesize

                                                225B

                                                MD5

                                                0434c8d082cbdd350ad3cc3ac89aeac3

                                                SHA1

                                                fb6344a4bfcb5ea6f8b3b940c7902193d6872c6e

                                                SHA256

                                                462ae3bf4766fe6ef67661ca9e75a3a988fa2dd831fb5c137db39ee72c7084b8

                                                SHA512

                                                b17fd89f585dfa4fb0c95f69676b8dbe67602ab0172bc3a4fade77bd00d934e0c061973c8f0236661e3d73d194817b4fcba891267d75982a766e5b29fea23a82

                                              • C:\Users\Admin\AppData\Local\Temp\6ossFTShKU.bat

                                                Filesize

                                                225B

                                                MD5

                                                7d4d7e12d276c70520acb134cc3480e2

                                                SHA1

                                                c5de0dddcc73f8e09196601e79b0529def7d758a

                                                SHA256

                                                bfb86963dec2ef4a0838599d354a959996d662f45844e1ad9a01f932ddae4389

                                                SHA512

                                                d5c203dae672e34ae26f6cf97b87447cb7179944bac3afbc1ee8a413f836890b3650613f59c080b8c36f796b67a6cee5c145b65203f5409f50c590e8552e674d

                                              • C:\Users\Admin\AppData\Local\Temp\Cab46C2.tmp

                                                Filesize

                                                70KB

                                                MD5

                                                49aebf8cbd62d92ac215b2923fb1b9f5

                                                SHA1

                                                1723be06719828dda65ad804298d0431f6aff976

                                                SHA256

                                                b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                SHA512

                                                bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                              • C:\Users\Admin\AppData\Local\Temp\F5GJdikwFG.bat

                                                Filesize

                                                225B

                                                MD5

                                                41301609f4fdcee807d88372a4ffc02e

                                                SHA1

                                                adda93ceaedae9a420f4805511061d0250624202

                                                SHA256

                                                f448fb543e328c12af9218341ddfa86aa276f10e46f3df998f506d7a1ef9305f

                                                SHA512

                                                19e25540cba10b70f0727e8d1bd74b94fb6375d630584104fcf5f0782098d5a3091b9a2e276bf353e5ab46d24dc1172aab9b32646e79b71622fd1e0cc31949f0

                                              • C:\Users\Admin\AppData\Local\Temp\GN7B3lpeta.bat

                                                Filesize

                                                225B

                                                MD5

                                                0a0a92b623c3298047eb7216c31e59ef

                                                SHA1

                                                28a15a258b25589255cc20531a7b1da8642de905

                                                SHA256

                                                a87fc3af747832ca2b17aff16eee8fe219542befe336322fb1415c0938ad8512

                                                SHA512

                                                74a8a724d3c3a80c1a31be4cf89add53e456da39be68f8fd3e6121f446f7bcd2aec6c8c47508617d659bb9e3025992cd3a41de665a73e1967d4c669dc1635046

                                              • C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat

                                                Filesize

                                                225B

                                                MD5

                                                8cd15c7849dc2ea719532fd1e2c65e82

                                                SHA1

                                                3f444056de26416b9b423527d9f0f71ed53f1b3e

                                                SHA256

                                                f99e1a3708415fd83c79337f91a0a3e0fc1ada2379d76cfc8afc827b33ac372e

                                                SHA512

                                                ca74291c8d9377a8b6a1c9c3cdc63e67bc029b281776c610624bd03ec7ff24a4b3cbfc613cdd2e32bf6fff154c226dd8844641fea36fa52e53338dae62a954c2

                                              • C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat

                                                Filesize

                                                225B

                                                MD5

                                                277e4a8c71b125af00c359a8d047645a

                                                SHA1

                                                ec9113b505cc5b05c46c992e62c83a764153a145

                                                SHA256

                                                14af811e0b7cf8b8fe2f71c08d18df6c6e5a287bbcb5dc4e52e2de16868192ef

                                                SHA512

                                                c4f9994d789543f766352f382513c351b07e4054ae89e7dec85d3fa281ca44362c2f3c531c8dd6cfe41a95436c60dda2271c7a217c2cd8d834c6de0f4e04a52e

                                              • C:\Users\Admin\AppData\Local\Temp\Tar46D5.tmp

                                                Filesize

                                                181KB

                                                MD5

                                                4ea6026cf93ec6338144661bf1202cd1

                                                SHA1

                                                a1dec9044f750ad887935a01430bf49322fbdcb7

                                                SHA256

                                                8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                SHA512

                                                6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                              • C:\Users\Admin\AppData\Local\Temp\VJj2LbMAw3.bat

                                                Filesize

                                                225B

                                                MD5

                                                4ad53f0762610dc1e38dc7d2adefea06

                                                SHA1

                                                b4eeccda906e5c2be13a8ca1e4c468741a4aea41

                                                SHA256

                                                72a86899e81ed242b5b8cae04edaa945f9881dc0ead14a87fcb38600f599317e

                                                SHA512

                                                451d638363b570b0fe3aac92e6662132f4cab165ddad0cb7fc8d697ff125d29a3daf7aaf6744d358c3c91efd63ecf9bd1a28f2dd99c133dab6128811878822df

                                              • C:\Users\Admin\AppData\Local\Temp\WtKWrLEt72.bat

                                                Filesize

                                                225B

                                                MD5

                                                4da2012e9ddb373f537ed1998f1bb15a

                                                SHA1

                                                ba98262e231050c781dd14cdc68bfe9029ebdc0a

                                                SHA256

                                                d8fdb7cf5775c0add247828f86dbe6dd78f9f0175db48975ae13edd690dda5c3

                                                SHA512

                                                249944d5abb7d6652471b98f978739b1a93e2a97f2ea94aa37ce409aa88b8149eb089c7c4f183f6a516efd88707354e2f6541b416661f6527b039ead1a7690bd

                                              • C:\Users\Admin\AppData\Local\Temp\guIa2jZB2U.bat

                                                Filesize

                                                225B

                                                MD5

                                                b18e1d5cf1d0c7c12042d4bec1df8b8c

                                                SHA1

                                                688a783fb6cd60d26135510b15d12558e83d5b3d

                                                SHA256

                                                a50ecb9eac3335d1326b1827e6809b50874b2daccf8c1a391fd54e3d72f2b39a

                                                SHA512

                                                50711c0bd0031d464e87a832ef8f763ac6f22c4ca5953d1dca60e495805b2ff559ed32abc6c9664aeeccb34b923101ab597a0d08d8de17241e39f7e7a10172b3

                                              • C:\Users\Admin\AppData\Local\Temp\hGj9C4kLBH.bat

                                                Filesize

                                                225B

                                                MD5

                                                2344e81d19c1412cc2b42e7dcaa704fd

                                                SHA1

                                                f2b7acc3070f3da44976676665b1d91b497c319a

                                                SHA256

                                                aa86939ab737e0f6dd9f800991c5a37d755ceb7bcb289f94495711f744c11320

                                                SHA512

                                                14e70cd6f4ea8ea478c07dd5bf4c27f0a1a5c05ddc0c2b007a8154e6c8b3523b08928937910b67025dc35fa19b747c5c817e831fc04fe5624310115df64567c7

                                              • C:\Users\Admin\AppData\Local\Temp\ixgWq8OOYW.bat
                                                Filesize: 225B
                                                MD5: 0c0ce5d73de20728fdf42fcc48e853d5
                                                SHA1: 2f67c7a74bb235b864cdf4591ff708e80b53b0ee
                                                SHA256: 3544a0d4d9e404c27185712ee19914d7624235eb969a298e17152c79785c71d3
                                                SHA512: 3f2544096de1495ce671ef2352bf116afefec6bc41c710d466acbb8127f6c6c6d9c705ff770eb36e871077c00834a60f3a62f74c9e69dfd8764b5b97ab870f0c

                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OQE0AW5Y8YO05X2RREZC.temp
                                                Filesize: 7KB
                                                MD5: 8fc9c8ea757313433384884e0384e0d5
                                                SHA1: 25b0fc7fa5d06e17147c981a04a78b35a0fe03c9
                                                SHA256: d07731188f7dfa9e2ab3ac7872e27e649d4d72b3de7041cf1a80d0c5f11d4829
                                                SHA512: 6eb36190f826f4a136869ef92f21bb35863ea6bf2c3162ab413fad8e18d10535ebfee9ac7ecdf494a5be4c777e4114cdafa88b89e98eb65a43e8d7604600452d

                                              • C:\providercommon\1zu9dW.bat
                                                Filesize: 36B
                                                MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
                                                SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
                                                SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
                                                SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                              • C:\providercommon\DllCommonsvc.exe
                                                Filesize: 1.0MB
                                                MD5: bd31e94b4143c4ce49c17d3af46bcad0
                                                SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
                                                SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
                                                SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                              • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
                                                Filesize: 197B
                                                MD5: 8088241160261560a02c84025d107592
                                                SHA1: 083121f7027557570994c9fc211df61730455bb5
                                                SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
                                                SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
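A host-hunting script for the dropped files listed above, added here as an example; it is not part of the sandbox report and not DCRat's own code. It matches on SHA256 rather than on path, because the sandbox paths (the random-looking `.bat`/`.vbe` names under `%TEMP%` and `C:\providercommon\`) are only where this one run wrote them. The jump-list `.temp` under `Recent\CustomDestinations` is a normal Windows artefact of launching anything and is deliberately not treated as an indicator. The hash values are copied from the list; the function names and the 16 MiB size cap are this example's own choices.

```python
"""Hunt a host for the files the sandbox saw dropped, matching on content hash.

Added example, not part of the sandbox report.  The SHA256 values are copied
from the dropped-files list; the paths are where the sandbox observed them and
are kept only as labels, because a real infection may use other names.
"""
import hashlib
import os
import sys
from pathlib import Path

# SHA256 -> path seen in the sandbox.  The jump-list .temp file under
# Recent\CustomDestinations is a normal Windows artefact of running anything,
# so it is deliberately left out of the indicator set.
DROPPED_FILE_IOCS = {
    "3544a0d4d9e404c27185712ee19914d7624235eb969a298e17152c79785c71d3":
        r"C:\Users\Admin\AppData\Local\Temp\ixgWq8OOYW.bat",
    "8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322":
        r"C:\providercommon\1zu9dW.bat",
    "b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63":
        r"C:\providercommon\DllCommonsvc.exe",
    "2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1":
        r"C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe",
}


def file_digests(path, chunk_size=1 << 20):
    """Return md5, sha1 and sha256 hex digests of a file from a single read pass."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hunt(root, iocs=DROPPED_FILE_IOCS, max_size=16 << 20):
    """Walk `root`, hash every regular file up to `max_size` bytes and return
    one record per file whose SHA256 is in `iocs`.  Files that vanish or cannot
    be read mid-scan are skipped rather than aborting the whole sweep."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                if not path.is_file() or path.stat().st_size > max_size:
                    continue
                digests = file_digests(path)
            except OSError:
                continue
            label = iocs.get(digests["sha256"])
            if label is not None:
                hits.append({"path": str(path), "sandbox_path": label, **digests})
    return hits


if __name__ == "__main__":
    # Usage: python hunt_dropped.py <directory to sweep>
    for hit in hunt(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f'{hit["sha256"]}  {hit["path"]}  (sandbox: {hit["sandbox_path"]})')
```

Hash matches find this exact sample; a rebuilt DCRat payload or a re-generated dropper script changes every hash, so pair the sweep with the more durable indicators the report also shows (the `C:\providercommon\` directory and the scheduled tasks it creates).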

                                              • memory/852-348-0x0000000000020000-0x0000000000130000-memory.dmp
                                                Filesize: 1.1MB

                                              • memory/860-408-0x0000000000E20000-0x0000000000F30000-memory.dmp
                                                Filesize: 1.1MB

                                              • memory/908-108-0x00000000009E0000-0x0000000000AF0000-memory.dmp
                                                Filesize: 1.1MB

                                              • memory/1404-288-0x0000000000A80000-0x0000000000B90000-memory.dmp
                                                Filesize: 1.1MB

                                              • memory/1544-93-0x000000001B560000-0x000000001B842000-memory.dmp
                                                Filesize: 2.9MB

                                              • memory/1600-227-0x00000000002B0000-0x00000000003C0000-memory.dmp
                                                Filesize: 1.1MB

                                              • memory/1600-228-0x0000000000540000-0x0000000000552000-memory.dmp
                                                Filesize: 72KB

                                              • memory/1636-705-0x00000000011C0000-0x00000000012D0000-memory.dmp
                                                Filesize: 1.1MB

                                              • memory/1704-105-0x0000000002770000-0x0000000002778000-memory.dmp
                                                Filesize: 32KB

                                              • memory/2648-167-0x0000000001290000-0x00000000013A0000-memory.dmp
                                                Filesize: 1.1MB

                                              • memory/2764-645-0x0000000000180000-0x0000000000290000-memory.dmp
                                                Filesize: 1.1MB

                                              • memory/2896-13-0x0000000000DB0000-0x0000000000EC0000-memory.dmp
                                                Filesize: 1.1MB

                                              • memory/2896-14-0x00000000002C0000-0x00000000002D2000-memory.dmp
                                                Filesize: 72KB

                                              • memory/2896-15-0x00000000002D0000-0x00000000002DC000-memory.dmp
                                                Filesize: 48KB

                                              • memory/2896-16-0x00000000002E0000-0x00000000002EC000-memory.dmp
                                                Filesize: 48KB

                                              • memory/2896-17-0x00000000002F0000-0x00000000002FC000-memory.dmp
                                                Filesize: 48KB
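The dump names above carry the PID, a dump sequence number and the start and end virtual address of the region, so the printed sizes can be recomputed from the names. The script below is an added example, not part of the sandbox report; the name layout `memory/<pid>-<seq>-<start>-<end>-memory.dmp` is inferred from these entries rather than taken from any published specification, and the rounding rule (whole KB below 1 MiB, one decimal MiB above) is likewise inferred from the listed values. It also checks for dumps of the same process whose ranges overlap, which is why summing the sizes does not give a memory footprint: in PID 2896 the 72KB dump ending at 0x2D2000 overlaps the 48KB dump starting at 0x2D0000.

```python
"""Parse the sandbox memory-dump names and check them against the printed sizes.

Added example, not part of the sandbox report.  The name layout and the size
rounding are inferred from the listed entries, not from documentation.
"""
import re
from collections import defaultdict

REGION_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# (dump name, size as printed) copied from the list above.
LISTED = [
    ("memory/852-348-0x0000000000020000-0x0000000000130000-memory.dmp", "1.1MB"),
    ("memory/860-408-0x0000000000E20000-0x0000000000F30000-memory.dmp", "1.1MB"),
    ("memory/908-108-0x00000000009E0000-0x0000000000AF0000-memory.dmp", "1.1MB"),
    ("memory/1404-288-0x0000000000A80000-0x0000000000B90000-memory.dmp", "1.1MB"),
    ("memory/1544-93-0x000000001B560000-0x000000001B842000-memory.dmp", "2.9MB"),
    ("memory/1600-227-0x00000000002B0000-0x00000000003C0000-memory.dmp", "1.1MB"),
    ("memory/1600-228-0x0000000000540000-0x0000000000552000-memory.dmp", "72KB"),
    ("memory/1636-705-0x00000000011C0000-0x00000000012D0000-memory.dmp", "1.1MB"),
    ("memory/1704-105-0x0000000002770000-0x0000000002778000-memory.dmp", "32KB"),
    ("memory/2648-167-0x0000000001290000-0x00000000013A0000-memory.dmp", "1.1MB"),
    ("memory/2764-645-0x0000000000180000-0x0000000000290000-memory.dmp", "1.1MB"),
    ("memory/2896-13-0x0000000000DB0000-0x0000000000EC0000-memory.dmp", "1.1MB"),
    ("memory/2896-14-0x00000000002C0000-0x00000000002D2000-memory.dmp", "72KB"),
    ("memory/2896-15-0x00000000002D0000-0x00000000002DC000-memory.dmp", "48KB"),
    ("memory/2896-16-0x00000000002E0000-0x00000000002EC000-memory.dmp", "48KB"),
    ("memory/2896-17-0x00000000002F0000-0x00000000002FC000-memory.dmp", "48KB"),
]


def parse_region(name):
    """Split a dump name into pid, sequence number, start, end and byte size."""
    m = REGION_RE.match(name)
    if not m:
        raise ValueError(f"not a memory-dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def report_size(nbytes):
    """Reproduce the report's rounding: whole KB below 1 MiB, else one decimal MiB."""
    if nbytes < 1 << 20:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1 << 20):.1f}MB"


def check_listed(entries=LISTED):
    """Return the names whose recomputed size disagrees with the printed one."""
    return [name for name, printed in entries
            if report_size(parse_region(name)["size"]) != printed]


def overlapping_regions(names):
    """Per PID, return (pid, seq_a, seq_b) for consecutive dumps whose
    address ranges overlap; such dumps must not be summed as a footprint."""
    by_pid = defaultdict(list)
    for name in names:
        region = parse_region(name)
        by_pid[region["pid"]].append(region)
    pairs = []
    for pid, regions in by_pid.items():
        regions.sort(key=lambda r: r["start"])
        for a, b in zip(regions, regions[1:]):
            if b["start"] < a["end"]:
                pairs.append((pid, a["seq"], b["seq"]))
    return pairs


if __name__ == "__main__":
    print("size mismatches:", check_listed())
    print("overlapping dumps:", overlapping_regions([n for n, _ in LISTED]))
```

Every printed size checks out, and the identical 0x110000-byte regions across eleven PIDs are consistent with one image being mapped again and again, which fits the report's "Executes dropped EXE" count, though that link is an inference rather than something the report states.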