Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 19:34

General

  • Target

    JaffaCakes118_c19238382edbc6b885d3105f7134140d5bb1532c607868bdeb844ebe3c156e96.exe

  • Size

    1.3MB

  • MD5

    fcf3b7201f583150d14839331b58b665

  • SHA1

    71b2596496c2aee893cc738fbfa0fe6cfb438c47

  • SHA256

    c19238382edbc6b885d3105f7134140d5bb1532c607868bdeb844ebe3c156e96

  • SHA512

    8288669988c9c7151ba9c6a9d999d3731d94dd3f0e0972d92366f16e695b26c94a2acad1669fed882f5fd1e2a5af6157b502a15006d57779077dbb83c7fc76a1

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 39 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 10 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c19238382edbc6b885d3105f7134140d5bb1532c607868bdeb844ebe3c156e96.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c19238382edbc6b885d3105f7134140d5bb1532c607868bdeb844ebe3c156e96.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2488
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:320
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2140
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2676
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2152
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1808
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1004
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1384
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\locale\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1536
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1548
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1688
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:848
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1684
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1804
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2448
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\ja-JP\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2424
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2476
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2012
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5ZCIspfaYe.bat"
            5⤵
              PID:2344
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                6⤵
                  PID:1316
                • C:\Program Files\VideoLAN\VLC\locale\cmd.exe
                  "C:\Program Files\VideoLAN\VLC\locale\cmd.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2916
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzqLwOyuSO.bat"
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1164
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      8⤵
                        PID:2640
                      • C:\Program Files\VideoLAN\VLC\locale\cmd.exe
                        "C:\Program Files\VideoLAN\VLC\locale\cmd.exe"
                        8⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1936
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5VZ5DKdOS.bat"
                          9⤵
                            PID:2004
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              10⤵
                                PID:1808
                              • C:\Program Files\VideoLAN\VLC\locale\cmd.exe
                                "C:\Program Files\VideoLAN\VLC\locale\cmd.exe"
                                10⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2664
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LdHmevWlG3.bat"
                                  11⤵
                                    PID:2448
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      12⤵
                                        PID:2964
                                      • C:\Program Files\VideoLAN\VLC\locale\cmd.exe
                                        "C:\Program Files\VideoLAN\VLC\locale\cmd.exe"
                                        12⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2612
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eG7Plib0M1.bat"
                                          13⤵
                                            PID:2588
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              14⤵
                                                PID:1980
                                              • C:\Program Files\VideoLAN\VLC\locale\cmd.exe
                                                "C:\Program Files\VideoLAN\VLC\locale\cmd.exe"
                                                14⤵
                                                • Executes dropped EXE
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:1928
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iVu5YTRuDT.bat"
                                                  15⤵
                                                    PID:568
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      16⤵
                                                        PID:1012
                                                      • C:\Program Files\VideoLAN\VLC\locale\cmd.exe
                                                        "C:\Program Files\VideoLAN\VLC\locale\cmd.exe"
                                                        16⤵
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1540
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\y17QM3q8Rw.bat"
                                                          17⤵
                                                            PID:2280
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              18⤵
                                                                PID:2468
                                                              • C:\Program Files\VideoLAN\VLC\locale\cmd.exe
                                                                "C:\Program Files\VideoLAN\VLC\locale\cmd.exe"
                                                                18⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:1528
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1hmmkqxEk5.bat"
                                                                  19⤵
                                                                    PID:2600
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      20⤵
                                                                        PID:1072
                                                                      • C:\Program Files\VideoLAN\VLC\locale\cmd.exe
                                                                        "C:\Program Files\VideoLAN\VLC\locale\cmd.exe"
                                                                        20⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:824
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rZY5mW9Lj2.bat"
                                                                          21⤵
                                                                            PID:2716
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              22⤵
                                                                                PID:2160
                                                                              • C:\Program Files\VideoLAN\VLC\locale\cmd.exe
                                                                                "C:\Program Files\VideoLAN\VLC\locale\cmd.exe"
                                                                                22⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:2188
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDq7RH5Uwz.bat"
                                                                                  23⤵
                                                                                    PID:2872
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      24⤵
                                                                                        PID:2684
                                                                                      • C:\Program Files\VideoLAN\VLC\locale\cmd.exe
                                                                                        "C:\Program Files\VideoLAN\VLC\locale\cmd.exe"
                                                                                        24⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:2144
                                                                                        • C:\Windows\System32\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Lq6d7xQt2.bat"
                                                                                          25⤵
                                                                                            PID:1048
                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                              26⤵
                                                                                                PID:2204
                                                                                              • C:\Program Files\VideoLAN\VLC\locale\cmd.exe
                                                                                                "C:\Program Files\VideoLAN\VLC\locale\cmd.exe"
                                                                                                26⤵
                                                                                                • Executes dropped EXE
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:916
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\en-US\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2560
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\en-US\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2672
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\en-US\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2580
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2552
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2608
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2192
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3000
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1656
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2032
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\locale\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1304
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2856
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\locale\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2868
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2440
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1588
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1612
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2840
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2364
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1272
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\providercommon\OSPPSVC.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2964
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:468
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1924
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2968
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3004
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2300
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2188
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2472
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2632
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\providercommon\smss.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1672
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1720
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2904
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\ja-JP\sppsvc.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2916
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\sppsvc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1364
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\ja-JP\sppsvc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1636
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\cmd.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2224
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\cmd.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1956
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\cmd.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:916
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\providercommon\audiodg.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1156
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:688
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1540

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Downloads

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                              Filesize: 342B
                                              MD5: 8030123a5606b6186912c275c8e0bec2
                                              SHA1: 7c5429745d7d898fe99de07ea80aa6b2aba138ea
                                              SHA256: 3ba9cbad65ecae46bb81a6a31d0c6f045dfc83dcb7ae75b29e9d1d3ea96b6849
                                              SHA512: bf9ee4bdd712e4d9f11084a5fdac9b835eb372040d7cda0ca71ab6af160a07a1299c1ee1cea0de472d1d1ea40693caf0171c16a0cb749a47fc3b79ec0d5cc62f

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                              Filesize: 342B
                                              MD5: 3d6986776397276f574527893c77975e
                                              SHA1: 353791187cf90fe161d6253110403f8cf88d9f3e
                                              SHA256: 8a6e263b5aaf764d512dc80aa92e7c11fb1755a418f8f975fd284a7487673bc6
                                              SHA512: 17a491dd09e7e3ab074ebeb5f0ff747c358191adbeb77d63dabb97dbcc256241a010071dc5e199490da59dc24ddabaa72839a93478e886a2a8a628c4c3ba2918

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                              Filesize: 342B
                                              MD5: 939bc51fdea01cd0364047951fab3933
                                              SHA1: 12c850019985145b7f60ed5409762019c3c8bf43
                                              SHA256: 86ac34e61459fa44ae6a6dfada441a764119b7266950b5e5c27e9481886d544c
                                              SHA512: a4234492d796f8effb1072bb0971fd5e9cf624f07cfa42a40a67cee3222a72d2758e367d8c2b7a185908d6bbc61e7b7a45607e095f24675187e298dc1f9b8c6a

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                              Filesize: 342B
                                              MD5: a8d338f10584c8b849dae9d27192946b
                                              SHA1: 783a8d4cd2e63ab9f6df36da667b007399e5c3c8
                                              SHA256: ac0b880749fa5cb698799dcdcd4b08bada2087b2946c8c9ee08c2d8bab0f9358
                                              SHA512: 353a2d82f4cfee1152a6765cc632d5d5aeae7a04d5b8ac1ff49b2fbf1c98390190046235a6318e32e965565341d4aca97aadc791bd2485677f02778fd55c4ea7

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                              Filesize: 342B
                                              MD5: 4c39ae1a312828e9edb3e083fc65082c
                                              SHA1: 1da08f437d6df06892eb2cf4db4190132ee5ebe7
                                              SHA256: b1a319037c58da1cc89d8728c48da82cc31485de9ecfb85cc24979ae59aaa22f
                                              SHA512: de80393f5d113ec150de39da65494605f0255bf52c4a0593266efb78dd7b476b172bd0768f7707148d441bdb74d05007151224fa21329f565842213378674b64

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                              Filesize: 342B
                                              MD5: c6f805648e99d432166b8c1875f052ff
                                              SHA1: 6459321be4d5b7766164f9e130ab82da3878b7c7
                                              SHA256: e8817eb1d01d3b5b987b38248be536af55996c91f6a180da8fad50cff3d6cc2d
                                              SHA512: d332a0ac4926ef2ad1b671da72cd21d3fd8c258a4e9afd383e5f6c46898d14f6d2613d94a19bbe22428fd48e147a937886c7e59d4e43e16cae79e0c1ddc07711

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                              Filesize: 342B
                                              MD5: 4c4efc82cb697181f1806f4391ebd4fd
                                              SHA1: ed47367ac8c5bbc7fd5d2501284cecc771291b9c
                                              SHA256: 839dea610bf4b5649684c967e7daebf4fbb7b52d8a9c1bdc8d83c99bf174956f
                                              SHA512: 9906cf533cfb07e08591b8d64c850968ff0deb82f85133024aa369593d5b3a56b25be45fbfccdfb0c387fec1517fc21dab5e3fce9054359279c712fb15291d28

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                              Filesize: 342B
                                              MD5: 4451cd95b4d1f100a05dec84cef6c7e9
                                              SHA1: 72cb3c3fcfbcb9a424973f5279c4e1fdd5896bf3
                                              SHA256: 77d5c0aef9684d70fc015856e675accb9e3233edc8cc1dbb44eb56da3835c811
                                              SHA512: 2b387c278d04e9cad699caf684324a2e0e9f18d1d5bdf36f7640b2be63e140476430c8902f4ef73138df5425f61ecb5e894eddd033a0dbdc7f1da9b254c99fa1

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
                                              Filesize: 342B
                                              MD5: e714e175e2409e133dffe806fc0dd2b0
                                              SHA1: 502c211e1fc065ebe0feb700f08ce7b71e1b59b7
                                              SHA256: 266d7b20b2e9e2a9152a53c51c4ac3be05cbeb3cbe53e2b9871ab042b81db104
                                              SHA512: c14704b56ed3c6960aa4d55e9f87d3953c89c6fba30c5ebded7bd99e8cdf9ca5089cee9f8f4bacf50dbf73c6684436799d1f0c0ded4c6473f92b197f59662e40

                                            • C:\Users\Admin\AppData\Local\Temp\1hmmkqxEk5.bat
                                              Filesize: 209B
                                              MD5: 6600d4baa81492e6daa73a65e945084f
                                              SHA1: a1e3967505d8425fa7b7b047cb148de620be564e
                                              SHA256: 924cc44230ca5234852864edd66425ec884d4d56fc9c989517acedf6f446b9d1
                                              SHA512: 38a2ebcb8f931a57694899e6dc93ccbd35673191133e92d2b2a510d09e447fb4c03f01b861bea308d2ac7c57c8cac7a8b43a35a684ea431d36f5aa09c49baa12

                                            • C:\Users\Admin\AppData\Local\Temp\8Lq6d7xQt2.bat
                                              Filesize: 209B
                                              MD5: 51c2b6a3fa3326927e6d592f38bda4a3
                                              SHA1: ebd4aca826b3569b19f6bcee59ab1a909dffd1a0
                                              SHA256: 4d2a5bdc6f2d987e28948b9ca2586cae589a3e08c10d96dcd743f4105b52247e
                                              SHA512: 247607cab8d674962829433fa817bc6a6bed463c66ab34b87926b3e437bc7c500c9d0713c3a85924ec0b0ae8c9acd9287db1fe99307debb8ea680c0154a3af16

                                            • C:\Users\Admin\AppData\Local\Temp\Cab2E53.tmp
                                              Filesize: 70KB
                                              MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
                                              SHA1: 1723be06719828dda65ad804298d0431f6aff976
                                              SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
                                              SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                            • C:\Users\Admin\AppData\Local\Temp\LdHmevWlG3.bat
                                              Filesize: 209B
                                              MD5: 1c8292770f440d96275230e3a610bcc8
                                              SHA1: 7c7f35bdfa30f881d2d0b51d2ddfd1669f6aed50
                                              SHA256: 7fafaddb6605813646ec6d1fad2254cbe5a9868779794494fabc8c7a6baf59c6
                                              SHA512: 9c576089ed8db92423591284d0ec1853b21550fd5c27f868789da95c61aa37359d6d2890ee1aec22c830af906c9702514fdeabb216a68dc8777f66e352e864cc

                                            • C:\Users\Admin\AppData\Local\Temp\Tar2E85.tmp
                                              Filesize: 181KB
                                              MD5: 4ea6026cf93ec6338144661bf1202cd1
                                              SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
                                              SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
                                              SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                            • C:\Users\Admin\AppData\Local\Temp\eG7Plib0M1.bat
                                              Filesize: 209B
                                              MD5: 21f1ec4cb6f70bfa85fce799ba56a688
                                              SHA1: 9943761742a0c229125d2a48864dcd40fa130524
                                              SHA256: 2ea86445205059286985a8d1a19087dfe15e8172271599d8fefb2c8ada74dea1
                                              SHA512: 690b746c3beb9cf56f42f879825731446b6163e4071a49657e53af9ac177dfef5626a67d54b67ea5f381459bef1e681fb97c41b0e90515eb226cef7ccb1ba478

                                            • C:\Users\Admin\AppData\Local\Temp\iVu5YTRuDT.bat
                                              Filesize: 209B
                                              MD5: 931d7489a2755b52dd662b540d58416e
                                              SHA1: 5b9d500bd7de03e756873d55efe823ce45035809
                                              SHA256: 1b56a33070d45edd028d503a70b45814d6136a76af6e029d05ed66296743c6da
                                              SHA512: d96e5df3a43eed592d7a4d20e1343adcd0d5279efe899054fe8e4e003d1213f37fb5b266a1ef66caa8f27637fe35315f63485e1881d44298c9ce788e2a5219d6

                                            • C:\Users\Admin\AppData\Local\Temp\j5VZ5DKdOS.bat
                                              Filesize: 209B
                                              MD5: 20e770b5805fee72ee0e06f0c16f8644
                                              SHA1: 39d3edb5bb1221dde4ee601081a9bac9f9ed0d17
                                              SHA256: acc08e9d245a5a68e7b7e73c6ed399a922397f073c2ac27ad5d1ac37e3fd2876
                                              SHA512: 6e05a85c3a8c62a039721484f299e47cfddcd19c561eff31d9bf8bc1c3f9ff189c9cb77ca3bcde7acf4484dbcb233974526e194aabac1e481bb3997c63c2b8cf

                                            • C:\Users\Admin\AppData\Local\Temp\nDq7RH5Uwz.bat
                                              Filesize: 209B
                                              MD5: bfd7f813712639279e849119b9c89ac1
                                              SHA1: 9dad3dd2a860b3f9761ed6506b7d8125b7045051
                                              SHA256: 7e12c0d8e195eb61b595f45fa4c7bba6ead596561e82bba1393a053fd6a4a020
                                              SHA512: 2b8d09ca90344a1a46c51972282c70aef6034eefd685594bc4c7006e71e4571a58d638f0c975a961f2dae99feb63dfce248ac0bc981631e09911057ccd703be1

                                            • C:\Users\Admin\AppData\Local\Temp\qzqLwOyuSO.bat
                                              Filesize: 209B
                                              MD5: 3d60d4fd7735c82ba0746442a5859d55
                                              SHA1: 08c2437498e21640ae701b76a4ebdbbac428739e
                                              SHA256: 78d89778ae653cf358fc2203057da76b8909f0464e66eb6e6cf9ff258651ab55
                                              SHA512: b4e5262ff53c5b571866bcd2a57d7d1c8ca21bf6a65c7a35335ded200f287323045d605f0cd664e667e48b5ac08e0c261fe3a1f3d956a9c6bc9d828b41630bc8

                                            • C:\Users\Admin\AppData\Local\Temp\rZY5mW9Lj2.bat
                                              Filesize: 209B
                                              MD5: 79bf2e1971aecd52d155e080f70a9ee0
                                              SHA1: 2819b04507615c0cf4a3b06cbb0ba4a47c73fd78
                                              SHA256: d2776b4c0f06c7d57058cb2de3e12d9dbe6b705688ea3710adc07217621f9b28
                                              SHA512: e36f9575d6001d373b509be06b56b28d753e3e8d78c06959a380242f2008933106933fd03a75d50c849bd8a4ffafaafe5a07b88ccd4dc42d7ef5dea341a809dc

                                            • C:\Users\Admin\AppData\Local\Temp\y17QM3q8Rw.bat
                                              Filesize: 209B
                                              MD5: b0bf11a689bf0cb90d38795eaad3716d
                                              SHA1: 279f0a8ebdbf525dc2a0ff992abc70cf2d98ba6b
                                              SHA256: 38fa12182884c3104f3c65f0306b3d07f667d509c55da684ab8730f1227dd67c
                                              SHA512: 0cc504316dc8886cf3480c76d9ebea4dcf6745fcd119aaaeaeea381da167172f9a24ecf7b2efcf9df8d78c8fc3842d0e07c9dd0c7391f497c92a40865631e969

                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
                                              Filesize: 7KB
                                              MD5: e5102a3d8a541c5595b8e0d74146df53
                                              SHA1: 4cb5309b3374730388bedcfbf4cb8ce5646d5de1
                                              SHA256: 2c9f5b6c613f15312dfef2561bee1e24e87cfa813cb5ed9feabef03124e8ac74
                                              SHA512: 8f8996bbb8da1f5707421a0627085a20d0cc99e966b332e4b66955b4fc48e5896a3797303d7ba50bb458464b3f23c28e67d585d20320c0878a7d5411ce891ff2

                                            • C:\providercommon\1zu9dW.bat
                                              Filesize: 36B
                                              MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
                                              SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
                                              SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
                                              SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                            • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                              Filesize

                                              197B

                                              MD5

                                              8088241160261560a02c84025d107592

                                              SHA1

                                              083121f7027557570994c9fc211df61730455bb5

                                              SHA256

                                              2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                              SHA512

                                              20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                            • \providercommon\DllCommonsvc.exe

                                              Filesize

                                              1.0MB

                                              MD5

                                              bd31e94b4143c4ce49c17d3af46bcad0

                                              SHA1

                                              f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                              SHA256

                                              b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                              SHA512

                                              f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                            • memory/824-538-0x0000000000390000-0x00000000004A0000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/1384-64-0x0000000002790000-0x0000000002798000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/1528-478-0x0000000000F70000-0x0000000001080000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/1540-418-0x0000000000A40000-0x0000000000B50000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/1928-358-0x0000000000090000-0x00000000001A0000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2012-62-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

                                              Filesize

                                              2.9MB

                                            • memory/2144-658-0x0000000001030000-0x0000000001140000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2188-598-0x0000000000070000-0x0000000000180000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2612-298-0x00000000012F0000-0x0000000001400000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2676-13-0x00000000010F0000-0x0000000001200000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/2676-14-0x0000000000330000-0x0000000000342000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/2676-15-0x0000000000350000-0x000000000035C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/2676-17-0x00000000006D0000-0x00000000006DC000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/2676-16-0x0000000000340000-0x000000000034C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/2916-121-0x00000000012C0000-0x00000000013D0000-memory.dmp

                                              Filesize

                                              1.1MB