Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    21-12-2024 20:32

General

  • Target

    JaffaCakes118_c85d95a4400f6854f78433a0edb05913016dbd89fd3295a96630b9c353739de3.exe

  • Size

    1.3MB

  • MD5

    9df90b76b51132f647ee9f86db546997

  • SHA1

    cece87242699a541ed95931ddc1aced629b74255

  • SHA256

    c85d95a4400f6854f78433a0edb05913016dbd89fd3295a96630b9c353739de3

  • SHA512

    b63c6468a7859f979154e513a7fee81e7c8c25cb2dd10c7b573d9d92d2a5794880223e17392dfbca27ad3d2cd0e46c729b28b51a51f053b8b5c9f6d6cc005f3c

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 45 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c85d95a4400f6854f78433a0edb05913016dbd89fd3295a96630b9c353739de3.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c85d95a4400f6854f78433a0edb05913016dbd89fd3295a96630b9c353739de3.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1864
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2272
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1796
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1920
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1624
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2356
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:264
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2388
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\Windows NT\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1688
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2292
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:880
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2288
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2156
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2132
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1524
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1536
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1592
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2088
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\fr-FR\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2464
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1956
          • C:\Users\All Users\Microsoft\Windows NT\taskhost.exe
            "C:\Users\All Users\Microsoft\Windows NT\taskhost.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2164
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qsbi9TUILn.bat"
              6⤵
                PID:616
                • C:\Windows\system32\w32tm.exe
                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                  7⤵
                    PID:2440
                  • C:\Users\All Users\Microsoft\Windows NT\taskhost.exe
                    "C:\Users\All Users\Microsoft\Windows NT\taskhost.exe"
                    7⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1640
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvFVSjZSRs.bat"
                      8⤵
                        PID:3036
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          9⤵
                            PID:1192
                          • C:\Users\All Users\Microsoft\Windows NT\taskhost.exe
                            "C:\Users\All Users\Microsoft\Windows NT\taskhost.exe"
                            9⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2084
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1CE969IshF.bat"
                              10⤵
                                PID:2960
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  11⤵
                                    PID:900
                                  • C:\Users\All Users\Microsoft\Windows NT\taskhost.exe
                                    "C:\Users\All Users\Microsoft\Windows NT\taskhost.exe"
                                    11⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2328
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat"
                                      12⤵
                                        PID:584
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          13⤵
                                            PID:448
                                          • C:\Users\All Users\Microsoft\Windows NT\taskhost.exe
                                            "C:\Users\All Users\Microsoft\Windows NT\taskhost.exe"
                                            13⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:1144
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dbjknkRRi.bat"
                                              14⤵
                                                PID:2572
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  15⤵
                                                    PID:2776
                                                  • C:\Users\All Users\Microsoft\Windows NT\taskhost.exe
                                                    "C:\Users\All Users\Microsoft\Windows NT\taskhost.exe"
                                                    15⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:1964
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LBVLNHYHv1.bat"
                                                      16⤵
                                                        PID:2892
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          17⤵
                                                            PID:1764
                                                          • C:\Users\All Users\Microsoft\Windows NT\taskhost.exe
                                                            "C:\Users\All Users\Microsoft\Windows NT\taskhost.exe"
                                                            17⤵
                                                            • Executes dropped EXE
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2108
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CZdmQsnKkU.bat"
                                                              18⤵
                                                                PID:2460
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  19⤵
                                                                    PID:2160
                                                                  • C:\Users\All Users\Microsoft\Windows NT\taskhost.exe
                                                                    "C:\Users\All Users\Microsoft\Windows NT\taskhost.exe"
                                                                    19⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:2056
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\USq6qxpMr5.bat"
                                                                      20⤵
                                                                        PID:2532
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          21⤵
                                                                            PID:2716
                                                                          • C:\Users\All Users\Microsoft\Windows NT\taskhost.exe
                                                                            "C:\Users\All Users\Microsoft\Windows NT\taskhost.exe"
                                                                            21⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:3008
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat"
                                                                              22⤵
                                                                                PID:1424
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  23⤵
                                                                                    PID:2852
                                                                                  • C:\Users\All Users\Microsoft\Windows NT\taskhost.exe
                                                                                    "C:\Users\All Users\Microsoft\Windows NT\taskhost.exe"
                                                                                    23⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:3040
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2788
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2936
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2548
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2780
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2628
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2512
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2580
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:3036
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsm.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2084
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\Windows NT\taskhost.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1084
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Windows NT\taskhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2500
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\Windows NT\taskhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2728
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\DllCommonsvc.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1552
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1424
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2420
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\providercommon\System.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1328
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2584
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2820
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2828
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1984
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2880
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WmiPrvSE.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2864
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2552
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:3012
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2212
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2916
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2200
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WmiPrvSE.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2888
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2404
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2700
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Favorites\System.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:448
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Favorites\System.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2128
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\System.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2400
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1308
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1800
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:3052
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1636
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2136
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:772
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\dwm.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1480
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\dwm.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:876
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\dwm.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:696
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:484
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:376
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:2176

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        e084cb8c6f85bda75b4033941fbf23cf

                                        SHA1

                                        54f655e006234a4b9947208a0234050866a0306a

                                        SHA256

                                        d9d126d5efb0261c7e42ed1c8bdff643b641f39e5f9e72aaeecc44ceed1b6812

                                        SHA512

                                        5c9e222345b248f17df411ab0854e11c29afb2e4b9ce1c538184043d518528da06d4313a8a764a503effc4770512c46bf3de96eff6cf4c633fd3ce530800e6e5

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        7605089d9604da7ee4ade0dd2759e2ad

                                        SHA1

                                        4bbfb08b4cb92e488691c79f617cfbaf87abbc66

                                        SHA256

                                        dd9511c0dc8666c2e82c50f0ee62ecafe3efb1c9eae1ae43e7dfe53568cac1fc

                                        SHA512

                                        61a6ffb133ffe5e98ad80cbd1463b783e68ecd11ed984029afd2590178674a003422c7b08b3ba9adea8e252d7d291c998854bcdb7dd1404feeb7d805c0e70e6d

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        e1db2aebadc2af4f7d108947a73740b7

                                        SHA1

                                        e1c0836569566943b981afff25ccea015fb98ab5

                                        SHA256

                                        113abaef59295726ab7b51ea60e7051d22816869766929b7c54128719b5c9cb7

                                        SHA512

                                        1fdf5ea2da00712f1546c6610291590d0eb5370d217a89384895a5d0ae36e3f3f25916f46f17338b415fc195024ce4b7c12f65b70a297a88fe38635d4344890c

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        f2a9974caa281e19dd930f48dadaee09

                                        SHA1

                                        e55a75d321042f6eb2dc4c617b0ade11ba0d9ed1

                                        SHA256

                                        be5fc0f899c77e49a976439ead1ffe06afa3f4af07af5df1c05e4cda18098669

                                        SHA512

                                        c5ccdcb91a61174faa38d1fd67fbe83b4035ae10943634ced57d3ec7f8e04b68c1c03104a1ed210fe4369055a20418f781c928e50dd7eeaca0ec1dfab37b7a0c

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        803e403b5c55337ce8c8dd3029706b8a

                                        SHA1

                                        7b5d45c6a876bab8a1839637c66187ba28480f03

                                        SHA256

                                        0f359266ff6b758cc7bb41e2776596a9276d729746bedfbbad73ad755ae7d534

                                        SHA512

                                        43e8524b658925bce25909d792bfa2478e2169f35570f2af9c03217233cb85dbf1b2333e8b9eb6bc6d81a56d9cf23803a7a4da89823dddb2b637677a0ec43e1b

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        fcc660d71bedad21fc136e7b064c56be

                                        SHA1

                                        4dc6a6cb335d1026f2f42a7806a5fab858ce4514

                                        SHA256

                                        3266031608e9308d0e256f466f83dc9a563cf500fe8468cce3d1c8dc9b470b2b

                                        SHA512

                                        eb5732eacbaa85a3445faf609b94e806d6e9035b11ae35c8b0c91bd4e85f62120a638a3d47a05d6ac51161b451cc75557be680218a5b119add09b24c4bf29a1f

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        2d19dffc69f4b5917274923264ce98e0

                                        SHA1

                                        5da8884bd5f90b9ab9ed04a6d5a3ecae78c6878d

                                        SHA256

                                        6787333cc5d614829f72974a2efa18f4cde1e9cd57e8360c36ff133011caf282

                                        SHA512

                                        99e8bb3b5446a79f9a24d4e4cd58f6ee2cb8f6f398c75bde272ba489662fbf552e5261a3b0a26e1134d0b0a3b4e9520eaf32fc82181619a1c429336c87781109

                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                        Filesize

                                        342B

                                        MD5

                                        237cb50ffc7e8bc68648f79f0a978876

                                        SHA1

                                        218903ed01a8c459eb2a71faf04866224143abd3

                                        SHA256

                                        c96f0dfeba4140cd6f6e293f6cd303f900101445561d205caa8451be9e9dd268

                                        SHA512

                                        78a4e99e53f167c3e9c18c4acc5bd358e3a15e79056d2201498d07cc3b912f92e2b51d6a34df8a7ee71d54041e0c5f1e2c5385743c71fc2a2db16a0ed169a40a

                                      • C:\Users\Admin\AppData\Local\Temp\1CE969IshF.bat

                                        Filesize

                                        217B

                                        MD5

                                        f614676f9fbc45ed2554ccc83b10967d

                                        SHA1

                                        27052f9b5c6309a4e0be53640fa29cd31e6b559d

                                        SHA256

                                        cf5582b42f24b683aa03189652477448445888b3b42d2f8e400217ab22d5ecde

                                        SHA512

                                        447b4e7b2bb1b16ab5ed3aefd731afaa4dd3b8c39e2ba79aecb02adc1bc867eb3805467308187b117cf73c9185514a70c52ee8908da6e112fa1dd5b3ce5c776f

                                      • C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat

                                        Filesize

                                        217B

                                        MD5

                                        e4910344cefcfd58d5e608452709dc4a

                                        SHA1

                                        17eab74500f9b47104d1cfc5cde95a29d56f5549

                                        SHA256

                                        6c4b2ffd4653c97b391f19d5418f3213344a96650e9b477a73d309acfa9a3edc

                                        SHA512

                                        c75671e012ea1f9d5d87903483657bcd1d423981ca504e3822d2ec73d5f0d2f464c3f412052c082946b7186b3163d1c7124ecfd152d6eb6ca3e3eb92fb4bc810

                                      • C:\Users\Admin\AppData\Local\Temp\9dbjknkRRi.bat

                                        Filesize

                                        217B

                                        MD5

                                        f5f411d5fee8a6ab0c2d8c94b17385a1

                                        SHA1

                                        a968047916986e1eaa27b76e1d457578c5d2c23e

                                        SHA256

                                        08879c51a59c1067611d64b51ff55ea73ccd280a7b670513d0bdfa0bde3908c4

                                        SHA512

                                        1907ed44bfda8dac435ff93462331f331850a811c814d70022cea6bd94567d6a5d17eee7b9d624a1c6444fcd7e5d5b711c258c0c3a4569fc854f49551305b02e

                                      • C:\Users\Admin\AppData\Local\Temp\CZdmQsnKkU.bat

                                        Filesize

                                        217B

                                        MD5

                                        9730649b22cd0bdf2ebcacae2c23dd85

                                        SHA1

                                        79820c06f713acd4242150efd7b98908c04a05f2

                                        SHA256

                                        94dfe3c8a0705990a25a14cd7ecce2bb22513c710d87cb8ab060a678b9812c2b

                                        SHA512

                                        1ac358a807b28608cf35070f708e560f05b44bca8b43b388d5cd8430549c533a653c727d201733b03a942af92e163bda7622c17be2d6faa971d775861c615e4f

                                      • C:\Users\Admin\AppData\Local\Temp\CabED5D.tmp

                                        Filesize

                                        70KB

                                        MD5

                                        49aebf8cbd62d92ac215b2923fb1b9f5

                                        SHA1

                                        1723be06719828dda65ad804298d0431f6aff976

                                        SHA256

                                        b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                        SHA512

                                        bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                      • C:\Users\Admin\AppData\Local\Temp\GvFVSjZSRs.bat

                                        Filesize

                                        217B

                                        MD5

                                        2a9678ea24b81c9f50ff051e013af259

                                        SHA1

                                        516ecb1772ddbb82a8972d85da917e13d7b8900e

                                        SHA256

                                        4b3079db5fc51029de6b160b6f083a626b125ae5ef5a0890dd070bcfc3501021

                                        SHA512

                                        842667428e60639103c0c3e03509d67db25c4e93032792a4759d69856b431f5b5eaae670d25626dca998b01b8ac7a7bc7a91d97289bed7372c78f4f63df97589

                                      • C:\Users\Admin\AppData\Local\Temp\LBVLNHYHv1.bat

                                        Filesize

                                        217B

                                        MD5

                                        3302a119ce1be8790a8fbdaf2ffe92e1

                                        SHA1

                                        29c86b1775db318bfde291f92e5eb03a00676669

                                        SHA256

                                        c9d3afcd2d76b41f09a8f26e79fbf7c26451b0c1a719427fc1316e436fad3d26

                                        SHA512

                                        6daf2a40c888e6a7a7e9c019ac3b0550df58e6de9775f6ad47b4875998067b194966c04c937161f8ff7066a4bd7c5e5962f60ba2a2a79304dca179e237c61a72

                                      • C:\Users\Admin\AppData\Local\Temp\TarED7F.tmp

                                        Filesize

                                        181KB

                                        MD5

                                        4ea6026cf93ec6338144661bf1202cd1

                                        SHA1

                                        a1dec9044f750ad887935a01430bf49322fbdcb7

                                        SHA256

                                        8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                        SHA512

                                        6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                      • C:\Users\Admin\AppData\Local\Temp\USq6qxpMr5.bat

                                        Filesize

                                        217B

                                        MD5

                                        c42cd59e7c5e6f445dd793919bce7969

                                        SHA1

                                        f5bc84f307b437d4a7960ada17a6411ad89c4769

                                        SHA256

                                        15bf87382b74e2ef81eac7e96ce90e2765b76bb2cea5d42aa8c706bf26b437a5

                                        SHA512

                                        dfee6d9be2c35ceb8fc1fbda1595b368499902e933c1b307a579b43d83fce2a9441f4c9c2d8ec170d3485b3ca85c811d7deb7d89a68b800704fa3e4c06defba1

                                      • C:\Users\Admin\AppData\Local\Temp\qsbi9TUILn.bat

                                        Filesize

                                        217B

                                        MD5

                                        752596a158081dbd7efcb53a28d1389e

                                        SHA1

                                        7a39549dc065d826734a8919f30f8d46ec269690

                                        SHA256

                                        f3534be1b9725e41d19d66058ff4757870e48b8b83004b5ca5183cfa2a0c8a94

                                        SHA512

                                        1c7dc5a81b61010a91723ce9b43ef1ccedb85ddb0472e1861c463853774363ab4ab9a21d2bdc3f4faf505e514b4306e1c2f85c9b1486a58712bcdcbeb395162c

                                      • C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat

                                        Filesize

                                        217B

                                        MD5

                                        36ab40c613a51af2f8522d0459f5be37

                                        SHA1

                                        91b018a72b318fe85ee8ff16645198daa72da745

                                        SHA256

                                        e00e93b3d044de7483ca2c167874848a7307fbe35f4178b8780d94740c08794a

                                        SHA512

                                        ae484720e235983aa52006a851eefca627f11020d1eac5945b2b1b66141919acf5ed37a0724aeba471a23c8f770428aaf588e07f88174ee4bcd2cc36ce4fec02

                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                        Filesize

                                        7KB

                                        MD5

                                        5dd7be1278d60122bd8d86ec52f77830

                                        SHA1

                                        8989dcc2f1b712a51d73a4bb4cd052fd4cb8bd01

                                        SHA256

                                        a62f792980eb968723c8c47055aee1d987415292b308dced787a8c5ce81898de

                                        SHA512

                                        69afd405db79eef5df23fb371a670863caecb9936e4fd66b3a4f5407b47ff4ff9c966c3e5d9fcc5b64a1bb75778782a37062dbbd25412e1dba7879d10112ff15

                                      • C:\providercommon\1zu9dW.bat

                                        Filesize

                                        36B

                                        MD5

                                        6783c3ee07c7d151ceac57f1f9c8bed7

                                        SHA1

                                        17468f98f95bf504cc1f83c49e49a78526b3ea03

                                        SHA256

                                        8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                        SHA512

                                        c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                      • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                        Filesize

                                        197B

                                        MD5

                                        8088241160261560a02c84025d107592

                                        SHA1

                                        083121f7027557570994c9fc211df61730455bb5

                                        SHA256

                                        2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                        SHA512

                                        20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                      • \providercommon\DllCommonsvc.exe

                                        Filesize

                                        1.0MB

                                        MD5

                                        bd31e94b4143c4ce49c17d3af46bcad0

                                        SHA1

                                        f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                        SHA256

                                        b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                        SHA512

                                        f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                      • memory/1144-373-0x00000000001D0000-0x00000000001E2000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/1144-372-0x0000000000E20000-0x0000000000F30000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/1920-13-0x0000000000070000-0x0000000000180000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/1920-14-0x0000000000350000-0x0000000000362000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/1920-15-0x0000000000370000-0x000000000037C000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/1920-16-0x0000000000360000-0x000000000036C000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/1920-17-0x0000000000380000-0x000000000038C000-memory.dmp

                                        Filesize

                                        48KB

                                      • memory/1964-433-0x00000000002C0000-0x00000000002D2000-memory.dmp

                                        Filesize

                                        72KB

                                      • memory/2108-493-0x0000000000F90000-0x00000000010A0000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2164-58-0x0000000001240000-0x0000000001350000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2328-312-0x0000000000360000-0x0000000000470000-memory.dmp

                                        Filesize

                                        1.1MB

                                      • memory/2356-65-0x0000000002350000-0x0000000002358000-memory.dmp

                                        Filesize

                                        32KB

                                      • memory/2356-59-0x000000001B4A0000-0x000000001B782000-memory.dmp

                                        Filesize

                                        2.9MB

                                      • memory/3008-612-0x0000000000440000-0x0000000000452000-memory.dmp

                                        Filesize

                                        72KB