Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    21-12-2024 20:45

General

  • Target

    JaffaCakes118_7e79f7d7b4987a807747a1a641f5487077a4941c9a02566341be693a29904a7c.exe

  • Size

    1.3MB

  • MD5

    73b35cce0173c2127df65879f3b90c93

  • SHA1

    3d33490a91684fb1019c22e3d9fe6d35eef4071e

  • SHA256

    7e79f7d7b4987a807747a1a641f5487077a4941c9a02566341be693a29904a7c

  • SHA512

    ee444638b4244314178ea11812f2208b2c425e7320fb76747621fce640133e479d0c93b8f65a5a99c652e9a99746c9627f3d8e6b4a8a93d6deb2f0e6833f4440

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 39 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 11 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e79f7d7b4987a807747a1a641f5487077a4941c9a02566341be693a29904a7c.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7e79f7d7b4987a807747a1a641f5487077a4941c9a02566341be693a29904a7c.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2408
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1708
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2932
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2952
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1148
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2344
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\es-ES\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1544
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1516
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\ja-JP\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1556
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\fonts\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1320
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Microsoft Shared\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1560
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1712
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3012
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1152
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2104
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1156
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:912
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:880
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7jg5kmbdl1.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:764
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2720
              • C:\Program Files\Windows Journal\ja-JP\csrss.exe
                "C:\Program Files\Windows Journal\ja-JP\csrss.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2928
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0WHmS6dpJ0.bat"
                  7⤵
                    PID:1744
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      8⤵
                        PID:924
                      • C:\Program Files\Windows Journal\ja-JP\csrss.exe
                        "C:\Program Files\Windows Journal\ja-JP\csrss.exe"
                        8⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1968
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YQG5KQjShu.bat"
                          9⤵
                            PID:1656
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              10⤵
                                PID:1708
                              • C:\Program Files\Windows Journal\ja-JP\csrss.exe
                                "C:\Program Files\Windows Journal\ja-JP\csrss.exe"
                                10⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3012
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YXbxSkVmu9.bat"
                                  11⤵
                                    PID:1332
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      12⤵
                                        PID:348
                                      • C:\Program Files\Windows Journal\ja-JP\csrss.exe
                                        "C:\Program Files\Windows Journal\ja-JP\csrss.exe"
                                        12⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2960
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mv5UKbIUPK.bat"
                                          13⤵
                                            PID:1992
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              14⤵
                                                PID:1940
                                              • C:\Program Files\Windows Journal\ja-JP\csrss.exe
                                                "C:\Program Files\Windows Journal\ja-JP\csrss.exe"
                                                14⤵
                                                • Executes dropped EXE
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2120
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D2zd9hDRps.bat"
                                                  15⤵
                                                    PID:2760
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      16⤵
                                                        PID:2736
                                                      • C:\Program Files\Windows Journal\ja-JP\csrss.exe
                                                        "C:\Program Files\Windows Journal\ja-JP\csrss.exe"
                                                        16⤵
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:716
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kp2dTY47HA.bat"
                                                          17⤵
                                                            PID:2148
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              18⤵
                                                                PID:2444
                                                              • C:\Program Files\Windows Journal\ja-JP\csrss.exe
                                                                "C:\Program Files\Windows Journal\ja-JP\csrss.exe"
                                                                18⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:1432
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat"
                                                                  19⤵
                                                                    PID:1364
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      20⤵
                                                                        PID:2008
                                                                      • C:\Program Files\Windows Journal\ja-JP\csrss.exe
                                                                        "C:\Program Files\Windows Journal\ja-JP\csrss.exe"
                                                                        20⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:1560
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jkzlbVqk90.bat"
                                                                          21⤵
                                                                            PID:1320
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              22⤵
                                                                                PID:284
                                                                              • C:\Program Files\Windows Journal\ja-JP\csrss.exe
                                                                                "C:\Program Files\Windows Journal\ja-JP\csrss.exe"
                                                                                22⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:2808
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sPXGbYzrvf.bat"
                                                                                  23⤵
                                                                                    PID:2292
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      24⤵
                                                                                        PID:1808
                                                                                      • C:\Program Files\Windows Journal\ja-JP\csrss.exe
                                                                                        "C:\Program Files\Windows Journal\ja-JP\csrss.exe"
                                                                                        24⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:2668
                                                                                        • C:\Windows\System32\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bDGJqXcsCJ.bat"
                                                                                          25⤵
                                                                                            PID:2276
                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                              26⤵
                                                                                                PID:2892
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\System.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2604
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\System.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2624
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\System.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2756
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\taskhost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2912
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\es-ES\taskhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2504
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\taskhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2896
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\Public\audiodg.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2524
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\audiodg.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2236
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Public\audiodg.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1720
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\ja-JP\csrss.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2512
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\ja-JP\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2572
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\ja-JP\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2976
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\fonts\DllCommonsvc.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2984
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\DllCommonsvc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1144
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\fonts\DllCommonsvc.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:348
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\Microsoft Shared\csrss.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2316
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1652
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\Microsoft Shared\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2004
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1812
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1528
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1396
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Tasks\dllhost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2396
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Tasks\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2032
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Tasks\dllhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1956
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\providercommon\audiodg.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1924
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2548
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2796
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\providercommon\wininit.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2832
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1764
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2868
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dwm.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2196
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2800
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2360
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\dwm.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:924
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1688
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:788
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsass.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:868
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1620
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:968

                                            Network

                                            MITRE ATT&CK Enterprise v15

                                            Downloads

                                            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                              Filesize

                                              342B


                                            • C:\Users\Admin\AppData\Local\Temp\0WHmS6dpJ0.bat

                                              Filesize

                                              213B


                                            • C:\Users\Admin\AppData\Local\Temp\7jg5kmbdl1.bat

                                              Filesize

                                              213B


                                            • C:\Users\Admin\AppData\Local\Temp\CabDC6C.tmp

                                              Filesize

                                              70KB


                                            • C:\Users\Admin\AppData\Local\Temp\D2zd9hDRps.bat

                                              Filesize

                                              213B


                                            • C:\Users\Admin\AppData\Local\Temp\TarDC8E.tmp

                                              Filesize

                                              181KB


                                            • C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat

                                              Filesize

                                              213B


                                            • C:\Users\Admin\AppData\Local\Temp\YQG5KQjShu.bat

                                              Filesize

                                              213B


                                            • C:\Users\Admin\AppData\Local\Temp\YXbxSkVmu9.bat

                                              Filesize

                                              213B


                                            • C:\Users\Admin\AppData\Local\Temp\bDGJqXcsCJ.bat

                                              Filesize

                                              213B


                                            • C:\Users\Admin\AppData\Local\Temp\jkzlbVqk90.bat

                                              Filesize

                                              213B


                                            • C:\Users\Admin\AppData\Local\Temp\kp2dTY47HA.bat

                                              Filesize

                                              213B


                                            • C:\Users\Admin\AppData\Local\Temp\mv5UKbIUPK.bat

                                              Filesize

                                              213B


                                            • C:\Users\Admin\AppData\Local\Temp\sPXGbYzrvf.bat

                                              Filesize

                                              213B


                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                              Filesize

                                              7KB


                                            • C:\providercommon\1zu9dW.bat

                                              Filesize

                                              36B


                                            • C:\providercommon\DllCommonsvc.exe

                                              Filesize

                                              1.0MB


                                            • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                              Filesize

                                              197B

