Analysis

  • max time kernel
    145s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-12-2024 21:16

General

  • Target

    JaffaCakes118_eb7aeab45fa38000ca3f056c4ab4f9591da273abcd7902961c69caab690e951a.exe

  • Size

    1.3MB

  • MD5

    1ad2438558c7e3cd8d056fc3e82fa5d9

  • SHA1

    648af128b0c42514f6d8c3fefd26b40f709ce6ab

  • SHA256

    eb7aeab45fa38000ca3f056c4ab4f9591da273abcd7902961c69caab690e951a

  • SHA512

    0afb9ee48dcd38e5e88bea63ba4f82b55b323c9dd8ee65c9905b3f00765fdc7d08f4b64fee3e327a16de0b992226fda48a59821ab3ef22342c4efea82f40ef83

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 39 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eb7aeab45fa38000ca3f056c4ab4f9591da273abcd7902961c69caab690e951a.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eb7aeab45fa38000ca3f056c4ab4f9591da273abcd7902961c69caab690e951a.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2092
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2896
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2696
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:836
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1548
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2484
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1672
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1728
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1620
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:904
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:916
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2156
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2256
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3024
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2344
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2276
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\es-ES\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1468
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jlaUygCJur.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2204
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:1056
              • C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe
                "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1092
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzxbGmHcY3.bat"
                  7⤵
                    PID:2588
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      8⤵
                        PID:1536
                      • C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe
                        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe"
                        8⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2024
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8wkcP7O697.bat"
                          9⤵
                            PID:3052
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              10⤵
                                PID:2624
                              • C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe
                                "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe"
                                10⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1948
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat"
                                  11⤵
                                    PID:2208
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      12⤵
                                        PID:1168
                                      • C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe
                                        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe"
                                        12⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1300
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Myoa8e0eVV.bat"
                                          13⤵
                                            PID:1244
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              14⤵
                                                PID:2652
                                              • C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe
                                                "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe"
                                                14⤵
                                                • Executes dropped EXE
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:1536
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j8BV8simza.bat"
                                                  15⤵
                                                    PID:956
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      16⤵
                                                        PID:3060
                                                      • C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe
                                                        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe"
                                                        16⤵
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:872
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n9GQh003RW.bat"
                                                          17⤵
                                                            PID:2888
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              18⤵
                                                                PID:1768
                                                              • C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe
                                                                "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe"
                                                                18⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:1640
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9BpIS9nw5f.bat"
                                                                  19⤵
                                                                    PID:2804
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      20⤵
                                                                        PID:2760
                                                                      • C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe
                                                                        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe"
                                                                        20⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:352
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xHU7fKnwSZ.bat"
                                                                          21⤵
                                                                            PID:2500
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              22⤵
                                                                                PID:1684
                                                                              • C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe
                                                                                "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe"
                                                                                22⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:1824
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G2aNa3Lme8.bat"
                                                                                  23⤵
                                                                                    PID:1960
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      24⤵
                                                                                        PID:2452
                                                                                      • C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe
                                                                                        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe"
                                                                                        24⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:2988
                                                                                        • C:\Windows\System32\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ELjGFNzRMY.bat"
                                                                                          25⤵
                                                                                            PID:2992
                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                              26⤵
                                                                                                PID:1116
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2588
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2636
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1828
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\system\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2744
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\system\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:536
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\system\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1036
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1644
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1152
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:824
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2672
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2956
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Libraries\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2116
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Libraries\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2152
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Libraries\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1516
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2312
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1956
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1964
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Desktop\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1096
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1064
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Desktop\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1212
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\providercommon\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2812
  • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2012
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2448
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dwm.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1636
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2364
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2180
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\en-US\dllhost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2124
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\en-US\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2104
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\en-US\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2992
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2460
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:3008
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1292
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1008
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1216
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2348
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\AppPatch\es-ES\explorer.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2856
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\AppPatch\es-ES\explorer.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1412
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\AppPatch\es-ES\explorer.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2936
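The schtasks.exe lines above are the sample's persistence layer: each dropped copy of a Windows binary (audiodg.exe, dwm.exe, dllhost.exe, smss.exe, spoolsv.exe, explorer.exe) is registered three times, once at logon with /rl HIGHEST and twice on short MINUTE intervals, under a task name that is the binary name with at most one extra letter. The following triage helper is an added example, not part of this report or of the DCRat sample: it parses the /tn, /sc, /mo, /tr and /rl switches from a schtasks /create command line as it would appear in a Sysmon Event ID 1 or Security 4688 CommandLine field and flags that pattern. The binary-name and system-directory lists are assumptions for the example; the three suspicious inputs are copied verbatim from the process list above and the two benign inputs are constructed for contrast.

```python
"""Flag schtasks /create lines that follow the DCRat persistence pattern.

Added example, not part of the sandbox report or the DCRat sample.
Assumed: the name and directory allow-lists below; extend from your baseline.
"""
import ntpath
import re

# Windows binaries whose names the dropper reuses for its copies (assumed list).
SYSTEM_BINARIES = {
    "audiodg.exe", "dwm.exe", "dllhost.exe", "smss.exe", "spoolsv.exe",
    "explorer.exe", "svchost.exe", "csrss.exe", "lsass.exe", "services.exe",
    "winlogon.exe", "wininit.exe", "taskhost.exe", "conhost.exe",
}
SYSTEM_STEMS = {name[:-4] for name in SYSTEM_BINARIES}

# Directories where those binaries legitimately live. Exact match on purpose:
# C:\Windows\en-US or C:\Windows\AppPatch\es-ES must not pass.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}

# Three lines taken verbatim from the process list in this report.
SAMPLE_LINES = [
    r'''schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Libraries\explorer.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\audiodg.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\en-US\dllhost.exe'" /rl HIGHEST /f''',
]
# Constructed benign lines for contrast (not from the report).
BENIGN_LINES = [
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Acme\backup.exe" /f''',
    r'''schtasks.exe /create /tn "DiskCleanup" /sc WEEKLY /tr "C:\Windows\System32\cleanmgr.exe" /rl HIGHEST /f''',
]

# A switch value is either a double-quoted string or a single token.
_ARG_RE = re.compile(r'/(tn|sc|mo|tr|rl)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def parse_schtasks(cmdline):
    """Return {'tn': ..., 'sc': ..., 'mo': ..., 'tr': ..., 'rl': ...} as present."""
    args = {}
    for m in _ARG_RE.finditer(cmdline):
        args[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return args


def assess(cmdline):
    """Score one schtasks /create line; returns the target, reasons and a verdict."""
    args = parse_schtasks(cmdline)
    # The dropper wraps the path in single quotes inside the double quotes.
    target = (args.get("tr") or "").strip("'\"")
    exe = ntpath.basename(target).lower()
    directory = ntpath.dirname(target).lower()
    task = (args.get("tn") or "").lower()
    sched = (args.get("sc") or "").upper()
    mo = args.get("mo") or "1"  # schtasks defaults /mo to 1 when omitted

    reasons = []
    masquerade = exe in SYSTEM_BINARIES and directory not in SYSTEM_DIRS
    if masquerade:
        reasons.append(f"{exe} scheduled from non-system directory {directory}")
    # Task names are the binary stem, sometimes with one extra letter
    # (audiodg / audiodga, smss / smsss, dwm / dwmd).
    mimic = task in SYSTEM_STEMS or task[:-1] in SYSTEM_STEMS
    if mimic:
        reasons.append(f"task name {task!r} mimics a system binary")
    if sched == "MINUTE" and mo.isdigit() and int(mo) <= 15:
        reasons.append(f"re-launched every {mo} minute(s)")
    if sched == "ONLOGON":
        reasons.append("triggered at every logon")
    if (args.get("rl") or "").upper() == "HIGHEST":
        reasons.append("runs with highest privileges")
    return {"target": target, "reasons": reasons, "suspicious": masquerade or mimic}


def scan(lines):
    """Return only the suspicious command lines, each with its reasons."""
    hits = []
    for line in lines:
        verdict = assess(line)
        if verdict["suspicious"]:
            hits.append((line, verdict["reasons"]))
    return hits


if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LINES + BENIGN_LINES):
        print(line)
        for reason in reasons:
            print("   -", reason)
```

The short interval and /rl HIGHEST are reported as context only; the verdict rests on a system binary name launched from outside System32, SysWOW64 or the Windows root, or on a task name that mimics one, because legitimate tasks also run at logon or with elevated rights. The regex tokenizer is deliberately minimal: it covers the double-quoted and bare-token forms schtasks logs here and is not a general Windows command-line parser.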

                                            Network

                                            MITRE ATT&CK Enterprise v15


                                            Downloads

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              a273a30aae1c32040c23990502d73c5b

                                              SHA1

                                              6b0e49a4875cc02f97084e9ae3b2989a9c3d7c03

                                              SHA256

                                              8671fde64ada43c69f97547baeee66fc92bf7619f08fe7111248bf5e83cbbaad

                                              SHA512

                                              d2da8aa19167857286ca0384f5d10e5b47c0c95fcec74054126686e25be4ecf2b9573cc36520f841b7bd6901a69727fdd2652f056f6e87799471a33fac3cdadb

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              077cfaa8929366228ee68dcbbbd4f004

                                              SHA1

                                              bb88e31b26772c2cef24a6b2bd78cd8e9a979d68

                                              SHA256

                                              b3a3247a2293e1e970094e4732675d6995fc5bf8ac606864dba2cec5a81107e5

                                              SHA512

                                              424f1ef7a7354d53197c97618734abfa89714b359da6129104ada530f18b7a1ca764e354850ebf970e0b15d0f29f2c23455e18012af03b42b4389421bae6a976

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              c75cdd0e7f7de78fafbec12c42e22ba6

                                              SHA1

                                              e9e368c3d899e245be378dc9483e5d341653056d

                                              SHA256

                                              7836006bcd733e3c9542809d998416c83ea5ac3ff60ef1b487871ec112b71a34

                                              SHA512

                                              4d82ea04a3eacacf89d536a826ba13521ded65fbf58e86b62340f080020a48e0ea6c2e0e427273bdca7d66ed3285fcba9c3088b0e1303b72073a0775c135110f

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              acb9fc7243a6eb1f40164ca89d463065

                                              SHA1

                                              8a44d3ce8772c462d6ca7d63817184edc0611577

                                              SHA256

                                              4541b0bafdb1af5585fd447c315776b72c947e3a1cf7902b7c8bc19d26323bc8

                                              SHA512

                                              33fdab4ef1c4f54f43bc0766981bebcffa211bc0761e843dc1483de41e20fcf0f18695023a14c30a1a06202dbe3225f11850182b12f38627a7bcdc9de3958d85

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              23085f5ac63094c964f1709e0390ce84

                                              SHA1

                                              a397ef1afe78ed75048c5c06057a5670ec60b8d3

                                              SHA256

                                              7c15b680c278ecd078f6463fb9b8d33584f5bc251e48432f4711cc6b98911238

                                              SHA512

                                              3b30dc6d8bf9431ce1c2bb91bac8a654ff2ab801f1f20d55330276fe66d88fb67fecaabf5cdbb1e963c24603629b09db33b459c6f1fef0efc518c352b3fb94ff

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              45aa52af1dd1ef1a89d2f1153fb11a9f

                                              SHA1

                                              0a5134fd168a6f67d2c85ca4775deb23bf70aecc

                                              SHA256

                                              703405962080a3aaac271739fc32621a9117d8825b4dc3c47ad53379b3bff248

                                              SHA512

                                              98201d5bca33d612ac8c7f79ae0331d583c97ff1fd953b0f178100053e13cf0458c02519014cccdf300dc922cbefc0a3697803c937407aaf7ff8226fc34a2f1b

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              d9828e2c5d33d8096d8e65378736fd91

                                              SHA1

                                              05886d0fd346c1be51830adad6f194582f26d585

                                              SHA256

                                              d5218e03ad9b3fcb0021e80cea2db981f59bafe298daced0c2869d5da580e22e

                                              SHA512

                                              d2edfbb8e8cdb43d05b310b57abb7f7bed70b35897694cda4c489a2bc00c559f3abc53e92268daed136ac6d48029b5d7573e1d2862b4be4b38a88fab9e3757cb

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              fd7efbf3052f12e42870f2542a85b964

                                              SHA1

                                              a501948d78f0f65de587a2e5e68c80de669590af

                                              SHA256

                                              0a47f32e3899e9854d5316ed7e1fdd73c9a3c755eb5ffca9169a230d0c18928c

                                              SHA512

                                              ba7bba6060f263d43ac67d959de0e4e9ef79fa40b26d1ab19d0cef4e9f57d3cbbc389e66c7aeed8084f20e35177e6cd79986ba3986a2d5a66262d551ceaf1880

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B

                                              MD5

                                              1fe950336c59989e167e6c0a1f8c6df0

                                              SHA1

                                              2d3353ac94f8fbd5866a3cc3bc84011371332c66

                                              SHA256

                                              9e7e55f38fa973567f1fdc12ad91d29050076fafc96ea41136fadcc9cc70903d

                                              SHA512

                                              d326b73d9a31c077eb98dfd26c33059b12c27a6f8abe8b8122d9cbc1e7bbb0b418c05be8a4780fc9e9ba50ea7d4420c664ab32daf23d34af75b1b99ed8a5c0f7

                                            • C:\Users\Admin\AppData\Local\Temp\8wkcP7O697.bat

                                              Filesize

                                              225B

                                              MD5

                                              8ba5a02e9a7e42550932578b19c25f91

                                              SHA1

                                              fbda9c7d906b89d8aecf27dc63af66391deb60bc

                                              SHA256

                                              b51b1858f5a9f67892ffa4ecea88fcacfbfa0fcf5b391c462cd80fb2a5315b97

                                              SHA512

                                              feb71e0d07227ad30bafae8d6cec26298cda9cfc752dd1df4a413d472920b9515781a8b0d8f60b1f6ea4c829c8e19060d5536299494f38e1a223596bbf42dde8

                                            • C:\Users\Admin\AppData\Local\Temp\9BpIS9nw5f.bat

                                              Filesize

                                              225B

                                              MD5

                                              c6f5fd8852588e4b6bdf60c6b4e25746

                                              SHA1

                                              7c66d8fab6c88e9d380b276f7472797429ca4eab

                                              SHA256

                                              de038e8ad142d68ea9b9dacd119139a8e0c476b7f8eae3cdc434a781cec2bf8b

                                              SHA512

                                              cec71d487769931e52651b0b2b6e0ec60ccb6b1e68d58f196628c84d1771ea0e0fe92b88d5a6dd7aad852c20514997ade3c33e18908862a0504fdacae40294ea

                                            • C:\Users\Admin\AppData\Local\Temp\CabCADF.tmp

                                              Filesize

                                              70KB

                                              MD5

                                              49aebf8cbd62d92ac215b2923fb1b9f5

                                              SHA1

                                              1723be06719828dda65ad804298d0431f6aff976

                                              SHA256

                                              b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                              SHA512

                                              bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                            • C:\Users\Admin\AppData\Local\Temp\ELjGFNzRMY.bat

                                              Filesize

                                              225B

                                              MD5

                                              ccb2b8eb01867318e7077b73ece00ee1

                                              SHA1

                                              8cd979abb11064ca1da5c28c1531e18710cdbd04

                                              SHA256

                                              3956ec6df90af99fc0d88eb144def24c31347eda79e85b5a0fb483da0b843bc1

                                              SHA512

                                              9663b912d38ef892876982cc788ea2e90f31320e6010b7814925ef2853115c1f4e8182b9e3727c9fcf934cb56d35c0f0a6d777e71c0c11ccde8e79b7883c1967

                                            • C:\Users\Admin\AppData\Local\Temp\G2aNa3Lme8.bat

                                              Filesize

                                              225B

                                              MD5

                                              7f70ee78558507d417adef7995728712

                                              SHA1

                                              5f66d6990442b397c899e2278453aa7e8c9885b2

                                              SHA256

                                              db7e28707291eac80fb911ebf09717580b84fb35db686254c59cc05b49c5a117

                                              SHA512

                                              a74dad31011e67f2d8bdc4d13334d4f4d9ad9d94815972fb087f11880751e2bd0d5226977f76a9e58cc419d685ab585c62bed7a42dbd55b3c44107a1d0a6628e

                                            • C:\Users\Admin\AppData\Local\Temp\Myoa8e0eVV.bat

                                              Filesize

                                              225B

                                              MD5

                                              a72e929ed0142e7477adf7dfb0a3f20b

                                              SHA1

                                              bc22b3da2249586dbba16debb8d3caefea9ae482

                                              SHA256

                                              aab673a7e11f351d0235ba07aa6c0b81bd9773be2e02e519dba81fc4b552a520

                                              SHA512

                                              ea8a4f06c3a1e299dc4de376630ef7280235260464943fa5f05f7298d0a371a00f0fa9771332f14d13a4ed7b3ebf2bfb7557f65a635072902ec7e0091c74c70f

                                            • C:\Users\Admin\AppData\Local\Temp\TarCB02.tmp

                                              Filesize

                                              181KB

                                              MD5

                                              4ea6026cf93ec6338144661bf1202cd1

                                              SHA1

                                              a1dec9044f750ad887935a01430bf49322fbdcb7

                                              SHA256

                                              8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                              SHA512

                                              6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                            • C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat

                                              Filesize

                                              225B

                                              MD5

                                              3b74dd3edea84a6a7a85300813606866

                                              SHA1

                                              1d7b61d50c2726bfbd420cbfd8b5cd59ff9f7b40

                                              SHA256

                                              6d2e30eeb43748b89a90740acc30dc69c9885b951ab1f404aa4c67f380d46188

                                              SHA512

                                              0216db846968561ade308bfd1f91caa12803d50d29a678d9306cc98583624c4172ea41860816a4eebcd858726c80a2879ac7ecf124fce0582b24c13177950ffb

                                            • C:\Users\Admin\AppData\Local\Temp\j8BV8simza.bat

                                              Filesize

                                              225B

                                              MD5

                                              c535c7663a46aefd21b2155945e56e81

                                              SHA1

                                              7902e4d3d2b707c72a03845695692e466e30c8cf

                                              SHA256

                                              29489b1df31a3fc01d5083dff124286c9ca9822cb231b9149525a9d1fe892868

                                              SHA512

                                              34186cdd30c1a2baa26849265bedfd3c451846f63cef63a81694577e22931d2d7d0ad2b737d247d30f6625c8db1c90aaa8db2d14b923895f01b062e11118b37f

                                            • C:\Users\Admin\AppData\Local\Temp\jlaUygCJur.bat

                                              Filesize

                                              225B

                                              MD5

                                              4aa0981898d9ac22f9f9e1d8a2251bc7

                                              SHA1

                                              64e275386ebc23b3bbfeb30cbf3538945b8b2e6d

                                              SHA256

                                              f29db2fedc785a0e2b523a91a86ee43e833480524119c2267edac9e4435cbdf0

                                              SHA512

                                              571549f34a19ab18e99fd374e4e02b18341e76dbe1155caf792c95a30a6069485dcc4d4b2e2df624d9c3012b796e375211545842cb6a3450274f344401108453

                                            • C:\Users\Admin\AppData\Local\Temp\n9GQh003RW.bat

                                              Filesize

                                              225B

                                              MD5

                                              3e38139f7a6a550836bdf06507d9b81e

                                              SHA1

                                              def23180c0baa224288f93812204d2ee6769340e

                                              SHA256

                                              c58009aee1afda86913ff0943409d7d1363855ddbc7856d53caefa09e88707b1

                                              SHA512

                                              0a1d5f416223a0f0aeae099cf343f8140f7a9e426f285b0bc0b3decde5a6ba8aa87dcbb1a0cf197c9c8e3c170728a61239ae08ef21f0c7006b2a8ac523d75dd7

                                            • C:\Users\Admin\AppData\Local\Temp\qzxbGmHcY3.bat

                                              Filesize

                                              225B

                                              MD5

                                              c4a7372cfe78abae7a9b0b08e7e75a59

                                              SHA1

                                              d60b2eb827623df96ecaa73d535eb15b87538974

                                              SHA256

                                              c34a324c7e8964d0feaa939625553f54e0fe06426ec534497fb30c4948168945

                                              SHA512

                                              2334093e99d5b1897f6ea12b43d4af940ae4d6928af3c50d53516491086ca20cfc3e7beca2615671206b5124c7fed9bf5bec3b04a88312243cbebdd995455898

                                            • C:\Users\Admin\AppData\Local\Temp\xHU7fKnwSZ.bat

                                              Filesize

                                              225B

                                              MD5

                                              1fa80e36ed056bf9892059a7201e8fbd

                                              SHA1

                                              60f633a1c12fa64b8168db1798512617350458a5

                                              SHA256

                                              7425fc07afbf7d9dbae1ce791b87b48fc47b12628a1cbc1dacfbb3e95bb4b4c1

                                              SHA512

                                              dc366c18f71a29e50bf9fd0bc6fb5b4d023978bbffb7481a5a302b79e7afb4f8756d2bac9b07849cecd8e22e61a84eb79dfd7a17949e2a1e6bfad07366070b1f

                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                              Filesize

                                              7KB

                                              MD5

                                              c36b6269af848432de0998f095448a82

                                              SHA1

                                              8565bd86c0be3b21132d9fc4b6ce651cdad9b93b

                                              SHA256

                                              7cd22a63047b23515d2a29da683a5714cac0e2c9a0d0715652c0c856767bb9cf

                                              SHA512

                                              56d6f0e32a62218b3aebe442dbc2037b3f3113d81dd78abd05e045dea926304902d794647d78203dfd71e30566b70bb49882766a330f5e9887e7ec30b073793c

                                            • C:\providercommon\1zu9dW.bat
                                              Filesize: 36B
                                              MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
                                              SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
                                              SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
                                              SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                            • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
                                              Filesize: 197B
                                              MD5: 8088241160261560a02c84025d107592
                                              SHA1: 083121f7027557570994c9fc211df61730455bb5
                                              SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
                                              SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                            • \providercommon\DllCommonsvc.exe
                                              Filesize: 1.0MB
                                              MD5: bd31e94b4143c4ce49c17d3af46bcad0
                                              SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
                                              SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
                                              SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                            • memory/352-542-0x0000000001330000-0x0000000001440000-memory.dmp
                                              Filesize: 1.1MB

                                            • memory/352-543-0x0000000000550000-0x0000000000562000-memory.dmp
                                              Filesize: 72KB

                                            • memory/872-421-0x0000000000350000-0x0000000000362000-memory.dmp
                                              Filesize: 72KB

                                            • memory/872-420-0x0000000000360000-0x0000000000470000-memory.dmp
                                              Filesize: 1.1MB

                                            • memory/1092-122-0x0000000000350000-0x0000000000362000-memory.dmp
                                              Filesize: 72KB

                                            • memory/1092-121-0x0000000000830000-0x0000000000940000-memory.dmp
                                              Filesize: 1.1MB

                                            • memory/1300-301-0x0000000000160000-0x0000000000172000-memory.dmp
                                              Filesize: 72KB

                                            • memory/1548-65-0x000000001B470000-0x000000001B752000-memory.dmp
                                              Filesize: 2.9MB

                                            • memory/1548-68-0x00000000022C0000-0x00000000022C8000-memory.dmp
                                              Filesize: 32KB

                                            • memory/1640-481-0x0000000000340000-0x0000000000450000-memory.dmp
                                              Filesize: 1.1MB

                                            • memory/1640-482-0x00000000004D0000-0x00000000004E2000-memory.dmp
                                              Filesize: 72KB

                                            • memory/1948-241-0x0000000001210000-0x0000000001320000-memory.dmp
                                              Filesize: 1.1MB

                                            • memory/2024-181-0x0000000000260000-0x0000000000370000-memory.dmp
                                              Filesize: 1.1MB

                                            • memory/2696-16-0x0000000000180000-0x000000000018C000-memory.dmp
                                              Filesize: 48KB

                                            • memory/2696-14-0x0000000000150000-0x0000000000162000-memory.dmp
                                              Filesize: 72KB

                                            • memory/2696-13-0x0000000000F40000-0x0000000001050000-memory.dmp
                                              Filesize: 1.1MB

                                            • memory/2696-15-0x0000000000170000-0x000000000017C000-memory.dmp
                                              Filesize: 48KB

                                            • memory/2696-17-0x0000000000190000-0x000000000019C000-memory.dmp
                                              Filesize: 48KB