Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
  • submitted
    21-12-2024 20:19

General

  • Target

    JaffaCakes118_4ad084980075d06ed003d1412c3678317e5759dc7baa74f8a5a6c8a3fc114a43.exe

  • Size

    1.3MB

  • MD5

    bc088505e2522ab98217205c4d01bace

  • SHA1

    6fff4b2725c066519eedf14c5bd9e5e71b8382b5

  • SHA256

    4ad084980075d06ed003d1412c3678317e5759dc7baa74f8a5a6c8a3fc114a43

  • SHA512

    493be489851159f6858217df1b663ecc3751bcb1b4d7126e33c125615b2640e0a2e5ee92cc2046ad6f07d00625b3d11fed228ac84ef0984e41796d5b8e9047ed

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ad084980075d06ed003d1412c3678317e5759dc7baa74f8a5a6c8a3fc114a43.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ad084980075d06ed003d1412c3678317e5759dc7baa74f8a5a6c8a3fc114a43.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2884
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2088
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3036
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2756
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2940
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2088
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\My Documents\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2868
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2720
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2696
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:580
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:396
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2000
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2680
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2644
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2116
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1092
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2844
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2528
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2188
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\es-ES\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2304
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\Assistance\Client\1.0\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2584
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1608
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u7id3hG60a.bat"
            5⤵
              PID:296
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                  PID:1156
                • C:\Users\Default\Templates\lsm.exe
                  "C:\Users\Default\Templates\lsm.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2904
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2U51WDObLZ.bat"
                    7⤵
                      PID:1652
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        8⤵
                          PID:1660
                        • C:\Users\Default\Templates\lsm.exe
                          "C:\Users\Default\Templates\lsm.exe"
                          8⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2620
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uMgbjYtd5.bat"
                            9⤵
                              PID:548
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                10⤵
                                  PID:2424
                                • C:\Users\Default\Templates\lsm.exe
                                  "C:\Users\Default\Templates\lsm.exe"
                                  10⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1976
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat"
                                    11⤵
                                      PID:2816
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        12⤵
                                          PID:2696
                                        • C:\Users\Default\Templates\lsm.exe
                                          "C:\Users\Default\Templates\lsm.exe"
                                          12⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1264
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\38MS6cfT7h.bat"
                                            13⤵
                                              PID:3016
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                14⤵
                                                  PID:1684
                                                • C:\Users\Default\Templates\lsm.exe
                                                  "C:\Users\Default\Templates\lsm.exe"
                                                  14⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2384
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rZY5mW9Lj2.bat"
                                                    15⤵
                                                      PID:2252
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        16⤵
                                                          PID:1088
                                                        • C:\Users\Default\Templates\lsm.exe
                                                          "C:\Users\Default\Templates\lsm.exe"
                                                          16⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2444
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8pOjIocmws.bat"
                                                            17⤵
                                                              PID:2736
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                18⤵
                                                                  PID:2596
                                                                • C:\Users\Default\Templates\lsm.exe
                                                                  "C:\Users\Default\Templates\lsm.exe"
                                                                  18⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2980
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZcfpJnj91J.bat"
                                                                    19⤵
                                                                      PID:924
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        20⤵
                                                                          PID:900
                                                                        • C:\Users\Default\Templates\lsm.exe
                                                                          "C:\Users\Default\Templates\lsm.exe"
                                                                          20⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:2220
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sodlpYYBfa.bat"
                                                                            21⤵
                                                                              PID:2432
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                22⤵
                                                                                  PID:2600
                                                                                • C:\Users\Default\Templates\lsm.exe
                                                                                  "C:\Users\Default\Templates\lsm.exe"
                                                                                  22⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:980
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:984
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1212
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1952
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Default\My Documents\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2424
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\My Documents\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1060
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\Default\My Documents\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1964
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\providercommon\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2352
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2132
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Templates\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\Templates\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2396
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Templates\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2228
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\providercommon\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2972
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2260
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1256
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Documents\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\Documents\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1792
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Documents\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:716
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2080
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:756
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1932
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2372
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2064
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1440
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\addins\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2576
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\addins\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1408
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1096
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1868
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\wininit.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:956
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\wininit.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:912
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\providercommon\explorer.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:3016
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1492
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2660
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1156
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:808
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1732
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2244
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1120
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsm.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1672
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\fr-FR\conhost.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1704
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\fr-FR\conhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1696
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\fr-FR\conhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1036
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\es-ES\csrss.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1016
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:108
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\es-ES\csrss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1044
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft\Assistance\Client\1.0\services.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2292
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Assistance\Client\1.0\services.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1616
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft\Assistance\Client\1.0\services.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2184
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2792
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2944
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2900

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Downloads

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        912a7c6e7139b915a808e3eeb1ec9079

                                        SHA1

                                        066e60ca7019d472b47e16a90d8407883488e4b0

                                        SHA256

                                        c79609bba0f2c2efac21d56b01e0e6de199158e666c5e702698764a0f907626b

                                        SHA512

                                        476c043268f3db9945adf45eb2d44231e092c010ebd3dc9e61c95f00491c1355e8b919efa69803a50e342847b09cb59bff658aa7e9c5ddef122212df55bb1a33

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        520184d056f0061f13c8b99306bec9f9

                                        SHA1

                                        bda6704bf6d8aa2583a47ebe11b877225679f1f6

                                        SHA256

                                        aa62e2bf9f3d694f794ad62c11328c26e4ab9b5752edeab876c48e1b8579703e

                                        SHA512

                                        c196e536fe8eafe9114bd917b8fcc2a624d1aa114c8abb3fcc78242e8699a8b23009f3aeb3a71ef1b3465cfabf4203489503f19402958b7b5fa76938169eb9d6

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        9c48f7fd33cb00b1ca6d33312c97f051

                                        SHA1

                                        257395016576c59a189e38ae46741af152bad41f

                                        SHA256

                                        8570611b196281cf17e5bbcf9734a4755752cb4b19a58129f1f817a618edfb34

                                        SHA512

                                        8b890fe6c20d4990c61a34b6fe4487d745610197eacf9858850105e705b7ed22d60192de9b9220f57a4f8d641ac74fd5324bcd8e714739ef3e20ea9605a4185d

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        4d162e0d1ba82d316ef9c9a9ed4ecfb1

                                        SHA1

                                        91e1e972c98de5ed4394ded76cd9463caf05e82f

                                        SHA256

                                        cc7a0fa77e2ba9476dce339d80f973e036dae557c5c42754da6b1238e3f8cf56

                                        SHA512

                                        1cf2107ff7580b2260cb01bd90828e9945da5ecd88e4ebd8aed80740ab7ce5d35a40a7474ab2bd1677f44e734d3457723f59063a3d6924234b7a53bc9b02326e

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        e058748fe2ea523a09e7a0e7dbf6a87d

                                        SHA1

                                        f0be22f03e24e4c513b1377a7f4c780ae2a33a0c

                                        SHA256

                                        d114883e8ac7f77377971e0b71105243cf5d281970cfd968760915918b9f8682

                                        SHA512

                                        0845209777a9d663c63791bb1181d12f89b1bdaaead9f20d0ace8f94b740f6fa94caaa9eca364a309dabaa032053a0549a98977b69d1a939a55e8acf9df05c30

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        ad33dc471ce448766cd78290fa67cc15

                                        SHA1

                                        72bf51e72db6dba2a189b8c8deb798371c5c83db

                                        SHA256

                                        44c97c311f28aa61b6dc6cf8904533db0362ad2804317696487675e7fef7ad7d

                                        SHA512

                                        0aa01060c24e8dbe50382879968e9ca145a8e019b8bef777da690b7f4a72f1ec22172c75e52a68de7069e6fc68225feb2a6029096aec614f7334d417010d2203

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        779fe4b06e874e614c29c0039be04fa0

                                        SHA1

                                        556dc9c776121c34438db24aa214861ffbf1784b

                                        SHA256

                                        15c92c50d670360a04f1a7a7962606ff8b5d40635671eb330f0e3639ce349faf

                                        SHA512

                                        095f84f89cab23881d4549d68306d9b620976a40beeb3803fe5944706d3b964ddfcbb1c08cfd1335cd7dea97adaa66d3964518a136095332f0466813424389b1

                                      • C:\Users\Admin\AppData\Local\Temp\2U51WDObLZ.bat

                                        Filesize

                                        199B

                                        MD5

                                        c988a6207f86072a3cffa75dc851c18f

                                        SHA1

                                        6b615b524481d44e655ac3e2d272b5e23673035b

                                        SHA256

                                        bade979b0b47d9cde50aa0d10763461c383e0b52b73f79676fbb34007b3811c9

                                        SHA512

                                        6f7384dd96da5839b7316fb373b0f4c1425290232c2bede6fca6c769dbddb1bf0eaf2d532699ca6e9343075e54463308d28a4c52e159350a4a5c691cd1441081

                                      • C:\Users\Admin\AppData\Local\Temp\38MS6cfT7h.bat

                                        Filesize

                                        199B

                                        MD5

                                        04ec1a204a6542b9c374e750f4fe48f7

                                        SHA1

                                        402a3bbac923d9c492d36c7c30b451f8190fe080

                                        SHA256

                                        20fa68418d44eb0d356ff51ef2ce79c8681e29bd891af3e0c2455c3eecdcc04e

                                        SHA512

                                        ced3919c52ecd55a73ba47f6485d32034e00e3ff572d82bbc73f8003d177835ec087dbd7ed373718c4a2b8f9316f28a9474d21dd1896b9246fae4d26d9218543

                                      • C:\Users\Admin\AppData\Local\Temp\6uMgbjYtd5.bat

                                        Filesize

                                        199B

                                        MD5

                                        b309fc63dd46eb1750a88266a4bd5ff8

                                        SHA1

                                        e6a1384e00a70102b8036c14d83e934c954bea04

                                        SHA256

                                        9d233056249c8e9de825f9556e6b6392cf477b2175baf5896fdb67383c1c398f

                                        SHA512

                                        f5c7f3f24714c7553d4f3dbf4fd22f71056e28638195052e00f305f99e4c0d1ac714c3db6bf06f172823a911966d15621fa292f9ae4ba899cd242e88f92d0900

                                      • C:\Users\Admin\AppData\Local\Temp\8pOjIocmws.bat

                                        Filesize

                                        199B

                                        MD5

                                        907eb9bb3992bcc83183183637329cce

                                        SHA1

                                        762d492113aa2838427f000915f81677f1ab0941

                                        SHA256

                                        87d855bc58fc395d1e5bf555984888890f497234713b17badea0b9e1822c33b8

                                        SHA512

                                        c03da8e3285a325aa20c5f2fecfcdf8271fba8c53fe759e180caefb07d254c4acbc2bdd0051b944d31c98ff9d2e9f603fc2b7ba0d1c0f1e3f2e7f9963adc5ff1

                                      • C:\Users\Admin\AppData\Local\Temp\CabCF62.tmp

                                        Filesize

                                        70KB

                                        MD5

                                        49aebf8cbd62d92ac215b2923fb1b9f5

                                        SHA1

                                        1723be06719828dda65ad804298d0431f6aff976

                                        SHA256

                                        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                        SHA512

                                        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                      • C:\Users\Admin\AppData\Local\Temp\TarD08D.tmp

                                        Filesize

                                        181KB

                                        MD5

                                        4ea6026cf93ec6338144661bf1202cd1

                                        SHA1

                                        a1dec9044f750ad887935a01430bf49322fbdcb7

                                        SHA256

                                        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                        SHA512

                                        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                      • C:\Users\Admin\AppData\Local\Temp\ZcfpJnj91J.bat

                                        Filesize

                                        199B

                                        MD5

                                        72f79146e3fd8fa29e128e3db7347272

                                        SHA1

                                        94befa2dad1bd8f75e6eacf013d0f92f6a59018a

                                        SHA256

                                        57fe68f776f0328e8be8136e9d5f6ec47eee51a5b5824af6e2d3dd530fd6588f

                                        SHA512

                                        97c3bccbcab908d3ca132acf5da370969e983ef8311607cbe6f98f08754d92ccbd0116f6acbbfcd07be1e6c88c88f0bc11b1b22571eefc82ed2cdaa7ed6fd47b

                                      • C:\Users\Admin\AppData\Local\Temp\rZY5mW9Lj2.bat

                                        Filesize

                                        199B

                                        MD5

                                        1e6df2bd09228d528fb6016a3f017cda

                                        SHA1

                                        11df58b7dafa992a1fe0deff37769436a06e138d

                                        SHA256

                                        fb5d9f413b4272ae47b8c011527d3a4e23d5bc3e63ff04319c05afb1f90bfecf

                                        SHA512

                                        b8a36424ef2e3fb742ba9064818f783e2e9a1f09266c970e6591d4605bb2aa62102617c5229066f8ff2d40bd460802609d12a311433686b85f05572b488be8f5

                                      • C:\Users\Admin\AppData\Local\Temp\sodlpYYBfa.bat

                                        Filesize

                                        199B

                                        MD5

                                        14ccce57c2b811a9fcbfdb035b2891f1

                                        SHA1

                                        efdd06a28e18d9e44ec36ebcd54375abb70a732c

                                        SHA256

                                        81e6467816cc47fd589b01e0f518f3be163c0b9435c9156034348917509ac5fe

                                        SHA512

                                        53dda58723110e45f01cc44a78fdaed79fb33c200ed985a001086d4453e6203eba435bb9faa1f796cfddfbf6dce5cf1fe62925e938cc46aacc6664943ae540f6

                                      • C:\Users\Admin\AppData\Local\Temp\u7id3hG60a.bat

                                        Filesize

                                        199B

                                        MD5

                                        a556dab8c2b424416c223cdf2fd14eb7

                                        SHA1

                                        108f3af56b0f32074eb77cdc174e8c3732c67bc7

                                        SHA256

                                        f03cbcf6a43c47f6d53048a8a4236070d5ffc0e80accdb767a17b086cd76552e

                                        SHA512

                                        2503162cede34ed7188a7b58a868bb32df4cb5602df0c1b8d06376e23f1883788a13cebd808a757a1e435bfbf08ef2394c279f5bb7bfc9efdaf9b5eeaf7dcef2

                                      • C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat

                                        Filesize

                                        199B

                                        MD5

                                        7b47d6ad1a828ef97cfebb73aa5c1250

                                        SHA1

                                        d14b76c2dbd91530ca2c6ac47bfe455ee6429eee

                                        SHA256

                                        8f473eb730dc4c2764f035838995eba3c29deed89b856c476c13c330cef137d2

                                        SHA512

                                        4b7b4baa1d5a4511005b589b0d7ada2a6535d9a76119a7ad2079964c1a36c80f880d3d61166340dd63a4211f6613a48396e1d2ecb8d2c21b251c066ccb31d533

                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YJSXCDLWFBA1MUI929LD.temp

                                        Filesize

                                        7KB

                                        MD5

                                        02f711b093f12e7b68e427a84465e80e

                                        SHA1

                                        83f5bef94c8bb966d1694a9d789a748923155fad

                                        SHA256

                                        04ebdef6c977e7498f607fdb9a5c318f3861a4ba19373119b1e20959891c6e20

                                        SHA512

                                        99e9f2047f43afd772c53b093637b34d35fb5e8eca2553a518a80a1d9fae78c327b7ed22b71ae0a4a18230cef3494af742cd3483dd71f0fd1344a954a2c07a52

                                      • C:\providercommon\1zu9dW.bat

                                        Filesize

                                        36B

                                        MD5

                                        6783c3ee07c7d151ceac57f1f9c8bed7

                                        SHA1

                                        17468f98f95bf504cc1f83c49e49a78526b3ea03

                                        SHA256

                                        8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                        SHA512

                                        c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                      • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                        Filesize

                                        197B

                                        MD5

                                        8088241160261560a02c84025d107592

                                        SHA1

                                        083121f7027557570994c9fc211df61730455bb5

                                        SHA256

                                        2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                        SHA512

                                        20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                      • \providercommon\DllCommonsvc.exe

                                        Filesize

                                        1.0MB

                                        MD5

                                        bd31e94b4143c4ce49c17d3af46bcad0

                                        SHA1

                                        f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                        SHA256

                                        b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                        SHA512

                                        f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                      • memory/580-75-0x0000000001D40000-0x0000000001D48000-memory.dmp

                                        Filesize

                                        32KB

                                      • memory/980-611-0x0000000001000000-0x0000000001110000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/1976-254-0x00000000004D0000-0x00000000004E2000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/2444-432-0x0000000000010000-0x0000000000120000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2720-60-0x000000001B2C0000-0x000000001B5A2000-memory.dmp

                                        Filesize

                                        2.9MB

                                      • memory/2756-16-0x00000000003E0000-0x00000000003EC000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/2756-13-0x0000000001190000-0x00000000012A0000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2756-14-0x00000000003D0000-0x00000000003E2000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/2756-15-0x00000000003F0000-0x00000000003FC000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/2756-17-0x00000000004F0000-0x00000000004FC000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/2904-136-0x0000000001290000-0x00000000013A0000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2980-492-0x0000000000C50000-0x0000000000D60000-memory.dmp

                                        Filesize

                                        1.1MB