Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 20:18

General

  • Target

    JaffaCakes118_b58e7b37c0480353b20287494b9a4c86d135c2262fb976f3cb932c8892215edd.exe

  • Size

    1.3MB

  • MD5

    79c251d41d9c2d82f6edc3a6ab8006a8

  • SHA1

    8e7ba5a29674e151d8f6b90b41ab130acf7243fe

  • SHA256

    b58e7b37c0480353b20287494b9a4c86d135c2262fb976f3cb932c8892215edd

  • SHA512

    6a7a9cb0ac0a5ae8f539334f332140b3c2110d40e07542995a5a56b769d026eeb4ae87a46aa9ac2f1177dabea966fb514805313dd6d4f5473ce538368e2c8017

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 39 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 11 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b58e7b37c0480353b20287494b9a4c86d135c2262fb976f3cb932c8892215edd.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b58e7b37c0480353b20287494b9a4c86d135c2262fb976f3cb932c8892215edd.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1236
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2008
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:772
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2168
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1764
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\MSDN\8.0\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1044
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\Sample Videos\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:712
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\en-US\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2524
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1668
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2660
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\es-ES\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2224
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\inf\ServiceModelEndpoint 3.0.0.0\0C0A\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2656
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1484
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2336
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1544
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1896
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2312
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\NetHood\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:988
          • C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe
            "C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3068
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YUw1O57cI2.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1288
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2676
                • C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe
                  "C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2664
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat"
                    8⤵
                      PID:1784
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        9⤵
                          PID:2172
                        • C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe
                          "C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe"
                          9⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3008
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fZs2sOO0th.bat"
                            10⤵
                              PID:2184
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                11⤵
                                  PID:2240
                                • C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe
                                  "C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe"
                                  11⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1300
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LZh5ueQJla.bat"
                                    12⤵
                                      PID:1712
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        13⤵
                                          PID:2560
                                        • C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe
                                          "C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe"
                                          13⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1556
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\t6OOvELCCF.bat"
                                            14⤵
                                              PID:1000
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                15⤵
                                                  PID:3052
                                                • C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe
                                                  "C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe"
                                                  15⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:772
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nokcDIWAC5.bat"
                                                    16⤵
                                                      PID:1904
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        17⤵
                                                          PID:2380
                                                        • C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe
                                                          "C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe"
                                                          17⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2704
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDwMkfOC2e.bat"
                                                            18⤵
                                                              PID:1288
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                19⤵
                                                                  PID:1728
                                                                • C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe
                                                                  "C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe"
                                                                  19⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2132
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VF9LbKHiRa.bat"
                                                                    20⤵
                                                                      PID:3056
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        21⤵
                                                                          PID:1600
                                                                        • C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe
                                                                          "C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe"
                                                                          21⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:2316
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat"
                                                                            22⤵
                                                                              PID:1072
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                23⤵
                                                                                  PID:1040
                                                                                • C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe
                                                                                  "C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe"
                                                                                  23⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:2192
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n9GQh003RW.bat"
                                                                                    24⤵
                                                                                      PID:2532
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        25⤵
                                                                                          PID:344
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft\MSDN\8.0\lsm.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2700
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\MSDN\8.0\lsm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:876
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft\MSDN\8.0\lsm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2856
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\Sample Videos\OSPPSVC.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2756
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\OSPPSVC.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2744
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\Sample Videos\OSPPSVC.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2816
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\audiodg.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2604
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\audiodg.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2652
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\audiodg.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2296
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1528
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2896
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2664
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2560
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1504
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2912
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\winlogon.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1312
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2460
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\winlogon.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2056
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Windows\inf\ServiceModelEndpoint 3.0.0.0\0C0A\DllCommonsvc.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2036
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\inf\ServiceModelEndpoint 3.0.0.0\0C0A\DllCommonsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1784
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Windows\inf\ServiceModelEndpoint 3.0.0.0\0C0A\DllCommonsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2956
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\cmd.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2964
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\cmd.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2952
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\cmd.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2200
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dllhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2216
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:332
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2136
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2324
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1476
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1240
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2292
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1932
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1320
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\explorer.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2540
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:296
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1792
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\NetHood\Idle.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1716
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\Idle.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1848
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\NetHood\Idle.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1776

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Downloads

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                        • C:\Users\Admin\AppData\Local\Temp\CabF182.tmp

                                          Filesize

                                          70KB

                                        • C:\Users\Admin\AppData\Local\Temp\LZh5ueQJla.bat

                                          Filesize

                                          234B

                                        • C:\Users\Admin\AppData\Local\Temp\TarF195.tmp

                                          Filesize

                                          181KB

                                        • C:\Users\Admin\AppData\Local\Temp\VF9LbKHiRa.bat

                                          Filesize

                                          234B

                                        • C:\Users\Admin\AppData\Local\Temp\YUw1O57cI2.bat

                                          Filesize

                                          234B

                                        • C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat

                                          Filesize

                                          234B

                                        • C:\Users\Admin\AppData\Local\Temp\fZs2sOO0th.bat

                                          Filesize

                                          234B

                                        • C:\Users\Admin\AppData\Local\Temp\n9GQh003RW.bat

                                          Filesize

                                          234B

                                        • C:\Users\Admin\AppData\Local\Temp\nDwMkfOC2e.bat

                                          Filesize

                                          234B

                                        • C:\Users\Admin\AppData\Local\Temp\nokcDIWAC5.bat

                                          Filesize

                                          234B

                                        • C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat

                                          Filesize

                                          234B

                                        • C:\Users\Admin\AppData\Local\Temp\t6OOvELCCF.bat

                                          Filesize

                                          234B

                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                          Filesize

                                          7KB

                                        • C:\providercommon\1zu9dW.bat

                                          Filesize

                                          36B

                                        • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                          Filesize

                                          197B

                                        • \providercommon\DllCommonsvc.exe

                                          Filesize

                                          1.0MB

                                        • memory/3008-240-0x0000000000260000-0x0000000000370000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/3008-241-0x00000000004D0000-0x00000000004E2000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/3068-50-0x00000000002C0000-0x00000000003D0000-memory.dmp

                                          Filesize

                                          1.1MB