Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-12-2024 00:54

General

  • Target

    JaffaCakes118_38ae6b2fe64b2c97e5c186f77ed23ce08925be29f2e0867daa21791666a4a9f7.exe

  • Size

    1.3MB

  • MD5

    d5603ed0e199733eca5dd23f9d4bcfd6

  • SHA1

    b6be4313c838be71cf85571f313811e1db13677b

  • SHA256

    38ae6b2fe64b2c97e5c186f77ed23ce08925be29f2e0867daa21791666a4a9f7

  • SHA512

    feecbf9e51cd524934e0475e631fae5e95ed431124947ccc1d756f710a90dcaaa9d2b0ac6add90c0264a6e62182c0fa59521f53dcd6249d4714c319ea94aaa87

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 39 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
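
Taken together, the signatures above leave a responder with three concrete artefacts: the Add-MpPreference calls that exclude each dropped copy from Windows Defender, the schtasks /create entries that relaunch those copies every few minutes and at logon (most of them with /rl HIGHEST), and the dropped binaries themselves, which borrow the names of Windows system processes (lsass.exe, winlogon.exe, smss.exe, wininit.exe, dwm.exe, cmd.exe) but live in Recovery, MSOCache, Program Files and user-profile paths where Windows never runs them. The w32tm /stripchart /computer:localhost calls in the tree are not a time sync: with /samples:2 /period:5 the command blocks for roughly five seconds, and the batch files use it as the delay between one lsass.exe instance and the next. The Python below is an added example, not part of this report or of the sample: it parses process command lines of the kind logged above, extracts the exclusion paths and task targets, flags masquerading paths, and counts the w32tm delays. The SYSTEM_PROCESS_NAMES and SYSTEM_DIRS lists and the three benign lines at the end of the sample input are the example's own assumptions.

```python
"""Triage of the command lines recorded in the process tree.

Added example, not part of the sandbox report or of DCRat itself.  It pulls
out the two artefacts an incident responder has to undo (Defender exclusions
and scheduled tasks), flags dropped binaries that borrow Windows process
names, and counts the w32tm /stripchart calls the sample uses as a delay.
"""
import re

# Process names Windows itself runs only from the system directories.  A file
# with one of these names under Recovery, MSOCache, Program Files or a user
# profile (as in the report) is masquerading.  Assumption of this example.
SYSTEM_PROCESS_NAMES = {
    "lsass.exe", "winlogon.exe", "smss.exe", "wininit.exe", "dwm.exe",
    "csrss.exe", "services.exe", "svchost.exe", "taskhost.exe",
    "wmiprvse.exe", "sppsvc.exe", "cmd.exe",
}
# Directories where those names are legitimate (assumption; tune per estate).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64",
               r"c:\windows\system32\wbem"}

_EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-Exclusion(?P<kind>Path|Process|Extension)\s+"
    r"(?:(?P<q>['\"])(?P<quoted>.+?)(?P=q)|(?P<bare>\S+))",
    re.IGNORECASE,
)
_SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.IGNORECASE)
_SCHTASKS_FLAG_RE = re.compile(
    r'/(?P<flag>tn|sc|mo|tr|rl)\s+(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))',
    re.IGNORECASE,
)
# w32tm /stripchart against localhost has no time-sync purpose; with
# /samples:2 /period:5 it blocks for about five seconds, a stand-in for
# timeout/ping -n in dropper batch files.
_W32TM_DELAY_RE = re.compile(
    r"\bw32tm(?:\.exe)?\s+/stripchart\s+/computer:localhost\b", re.IGNORECASE)


def is_masquerading(path):
    """True if PATH carries a system process name outside the system directories."""
    p = path.strip().strip("'\"").lower().replace("/", "\\")
    directory, _, name = p.rpartition("\\")
    return name in SYSTEM_PROCESS_NAMES and directory not in SYSTEM_DIRS


def defender_exclusion(cmdline):
    """Return {'kind', 'value'} for an Add-MpPreference -Exclusion* call, else None."""
    m = _EXCLUSION_RE.search(cmdline)
    if not m:
        return None
    value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
    return {"kind": m.group("kind").capitalize(), "value": value}


def scheduled_task(cmdline):
    """Parse a 'schtasks /create' command line into its persistence details, else None."""
    if not _SCHTASKS_CREATE_RE.search(cmdline):
        return None
    fields = {}
    for m in _SCHTASKS_FLAG_RE.finditer(cmdline):
        fields[m.group("flag").lower()] = (
            m.group("quoted") if m.group("quoted") is not None else m.group("bare"))
    # The sample wraps the target in both double and single quotes: "'C:\...'".
    target = fields.get("tr", "").strip().strip("'")
    return {
        "name": fields.get("tn", ""),
        "target": target,
        "schedule": fields.get("sc", "").upper(),
        "interval": int(fields["mo"]) if fields.get("mo", "").isdigit() else None,
        "highest": fields.get("rl", "").upper() == "HIGHEST",
        "masquerading": is_masquerading(target),
    }


def is_w32tm_delay(cmdline):
    return bool(_W32TM_DELAY_RE.search(cmdline))


def triage(cmdlines):
    """Aggregate the findings over a list of process command lines."""
    report = {"exclusions": [], "tasks": [], "masquerading": set(), "w32tm_delays": 0}
    for line in cmdlines:
        excl = defender_exclusion(line)
        if excl:
            report["exclusions"].append(excl)
            if excl["kind"] == "Path" and is_masquerading(excl["value"]):
                report["masquerading"].add(excl["value"])
        task = scheduled_task(line)
        if task:
            report["tasks"].append(task)
            if task["masquerading"]:
                report["masquerading"].add(task["target"])
        if is_w32tm_delay(line):
            report["w32tm_delays"] += 1
    return report


# Command lines copied from the process tree above, plus three constructed
# benign lines (the last three) to show what is not flagged.
SAMPLE_CMDLINES = [
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'""",
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'""",
    r""""powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\cmd.exe'""",
    r"""schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Default\AppData\Local\Microsoft\winlogon.exe'" /f""",
    r"""w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2""",
    r""""powershell" -Command Get-MpPreference""",
    r"""schtasks.exe /create /tn "NightlyBackup" /sc DAILY /tr "C:\Windows\System32\cmd.exe" /f""",
    r"""w32tm /resync""",
]

if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINES)
    for e in result["exclusions"]:
        print(f"Defender exclusion ({e['kind']}): {e['value']}")
    for t in result["tasks"]:
        flag = " [masquerading]" if t["masquerading"] else ""
        print(f"Task {t['name']!r} {t['schedule']} mo={t['interval']} "
              f"highest={t['highest']} -> {t['target']}{flag}")
    print(f"w32tm delay calls: {result['w32tm_delays']}")
```

The exclusion and task lists are what to feed into cleanup (Remove-MpPreference and schtasks /delete for each name) after the binaries are quarantined; the masquerading set is the hunting list for the rest of the estate, since the same file names under the same odd directories are a stable indicator across DCRat builds.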

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_38ae6b2fe64b2c97e5c186f77ed23ce08925be29f2e0867daa21791666a4a9f7.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_38ae6b2fe64b2c97e5c186f77ed23ce08925be29f2e0867daa21791666a4a9f7.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1656
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2484
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2936
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2812
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2916
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\Local\Microsoft\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1748
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1712
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:920
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2012
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2028
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1072
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1568
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\WIA\smss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2320
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2240
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1844
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2488
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:332
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2416
          • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe
            "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2300
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Myoa8e0eVV.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2984
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:3024
                • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe
                  "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2212
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UZ6jdsJyxg.bat"
                    8⤵
                      PID:2920
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        9⤵
                          PID:1992
                        • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe
                          "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe"
                          9⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2396
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UTkrWZWekQ.bat"
                            10⤵
                              PID:1368
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                11⤵
                                  PID:1488
                                • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe
                                  "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe"
                                  11⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1008
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x5nMQhEI33.bat"
                                    12⤵
                                      PID:1504
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        13⤵
                                          PID:2544
                                        • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe
                                          "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe"
                                          13⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2760
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0MFyH7TMVd.bat"
                                            14⤵
                                              PID:2032
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                15⤵
                                                  PID:1976
                                                • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe
                                                  "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe"
                                                  15⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2120
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat"
                                                    16⤵
                                                      PID:612
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        17⤵
                                                          PID:1740
                                                        • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe
                                                          "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe"
                                                          17⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:928
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\61cJPf1Vjg.bat"
                                                            18⤵
                                                              PID:2236
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                19⤵
                                                                  PID:2496
                                                                • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe
                                                                  "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe"
                                                                  19⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2844
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat"
                                                                    20⤵
                                                                      PID:1064
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        21⤵
                                                                          PID:2500
                                                                        • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe
                                                                          "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe"
                                                                          21⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:3064
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nl4g9d70ax.bat"
                                                                            22⤵
                                                                              PID:2408
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                23⤵
                                                                                  PID:2060
                                                                                • C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe
                                                                                  "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe"
                                                                                  23⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:2404
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jlvf1Vq2YP.bat"
                                                                                    24⤵
                                                                                      PID:1260
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        25⤵
                                                                                          PID:2936
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Default\AppData\Local\Microsoft\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2720
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\AppData\Local\Microsoft\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2676
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Default\AppData\Local\Microsoft\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2728
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\OSPPSVC.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2156
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:952
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1628
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2440
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2428
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1732
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2956
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2032
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2752
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2948
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3024
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Recent\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1216
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Recent\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2976
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Recent\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2572
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1312
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1204
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:976
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\debug\WIA\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2064
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\debug\WIA\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1016
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\debug\WIA\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2128
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Windows\SchCache\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2100
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\SchCache\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2364
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Windows\SchCache\cmd.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2204
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Windows\System32\DllCommonsvc.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2508
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\System32\DllCommonsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2412
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Windows\System32\DllCommonsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1532
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1056
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:820
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1368
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\sppsvc.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:700
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\sppsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1752
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\sppsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:560
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\taskhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2432
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\taskhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1780
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\taskhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1724

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Downloads

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          0bcf5ceee88e67048a58ca56033af68c

                                          SHA1

                                          4e3a202e61cd767f5642001eeac1fb6b30d0bf41

                                          SHA256

                                          b2f291bf5d8ff870cb7acb632d89dab159dfd3e2558092ddaf29ff1031a70eae

                                          SHA512

                                          60fb31ea751c8f522439ae98ab427d9c19c7af9c96461d764f62bcea3f463568ebd4d5e24b36a1af1694213eb16ad2b7262d28c08e31d71e07d9a70bb78b4e1a

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          216113c7bfd9d3e23878b1b37287d0ab

                                          SHA1

                                          6f4320674cda9e64b2ec125504dd7f4d22a025f0

                                          SHA256

                                          d62b0ec408193052b997c41b4f138614eeacb2e4b43e17a93b4ce7934c3e39b2

                                          SHA512

                                          9391084a1cc6115a2dfa79cc042f3578d14c85face9b5550816e2c4b9106fe1ac0e21b196d6962f3983469d1b448c89a9f31cd1e29a0f9571c397fe3c0783e73

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          009e834494ccf422ddad2870d69db6a7

                                          SHA1

                                          217cd92980f41855a5a8dcd1c6754075f40cb1a9

                                          SHA256

                                          c7f7c1aeb3eea7e7775eeeeb9772a40d13e64e9403d87b1d02229a9827431dd8

                                          SHA512

                                          b4ff2007cef5696ffdcd8b2dbb2dfd36cc8abcb0f19ab8ae0eb553a795d23d740cfa4a8722820daffa0f801d9016b53e9a592731eaac05cb420ed5fd5c878d1f

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          dcc8ef9b89d7b954d3187c4c75de0809

                                          SHA1

                                          0d19d6f5301436c253619a5e3798516594acab97

                                          SHA256

                                          d9ecc69aba627b98b9ef5f39fce596567e187eaed708541bc5e01c301532b674

                                          SHA512

                                          c690364b34959c5618ca9ffeb9280809f32bd61d4e61659a9402c89896f3bd687d5d280d69b4f4eb2f10474f623f5835c4e86a02db5f38aa249ce84f5c90e2a2

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          407dd237dd3ba938ddd4256211771618

                                          SHA1

                                          5ca1fce2dcbcff0a316d295abc9735fc4c9769a1

                                          SHA256

                                          ef84a887f6d93b5a4290cdc7515ce612dfae6551bd8c4dcce2a60801abfc9190

                                          SHA512

                                          adf2eb1733a53a5dbc502dd348610007370345e772bfc062c2b82f73b45e8ac65be39a3639cb79caf9f9fd77f70ea8c2ec11b1c6720f58efde4dfc842f2ac486

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          0c276f15abeab7843ae9b2a1d3337e55

                                          SHA1

                                          f8dbf6ba8329d641947b88530cb89088be563561

                                          SHA256

                                          e2a71bd129e56b90e49795db22b65f7dc7b2eea66ca416a91b141d7c5f75b2eb

                                          SHA512

                                          46c6eb063c2324a09d837b05f5c4d3debc2800ea642541e85e4340f0948ac9962e025c496d051eea9f1fa094b9c2b912b9cbbd9778f5dba75ebf628e968dbfc2

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          e5b61d1f0ed7c53839d629de1320aef1

                                          SHA1

                                          348e153199ab3fcb9bc00280e1bc9da1b658430b

                                          SHA256

                                          dd0a0328f68cd8c732444e83fa0c2a0a8f178bd6d1d4f9c4885e4b60a297eafb

                                          SHA512

                                          2b03a568dd9aba5d2a380f8e87b4e8edb1537830bb7fe02aa9587940283d2d6904ec0d44ea2fba15243eaf75f07aa7ac71be5db14e77ccda00740fe8927e333f

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          49ec25fb2dd99afb311ec145de2a49af

                                          SHA1

                                          dc2d026f18935a7f06cba1d48cfc50cf7ad6803f

                                          SHA256

                                          e141fa114f9b29609cf6b88621ebf1cb5b30cc200fed13e41c05e69cf2f8a9a4

                                          SHA512

                                          6982faf7ae91a731a0e414e24fa1c83c0756cc3617e86c3abfd42c70685aeb8e3a8b8da01d20048b1a5c4b2422a669b1630fb1990de7fd6d9671f3cd69198b67

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                          MD5

                                          5a5cc09a8238628d6512ce26bd385ce6

                                          SHA1

                                          939b403bb362f866ec288cb0662128edc01542cd

                                          SHA256

                                          7b0271a04d0f33b4adb56d6ecdb560d6f280d72e1fc8ac50cbd639cb39827f0f

                                          SHA512

                                          c9c215320199e917b0b226491f64d4eb36c358bc4dcf76f8164d81cd3ca82afff24cc356ebf3d4431ab7cf3dc2c29ace9c3d7258d1b6b35389d54a787573cdb7

                                        • C:\Users\Admin\AppData\Local\Temp\0MFyH7TMVd.bat

                                          Filesize

                                          223B

                                          MD5

                                          1929974adc56a5d5bc344f5b0286f9b6

                                          SHA1

                                          81d7d17b67f9e65e4f59edec3d8aa675e8ab3281

                                          SHA256

                                          151d5d900442739f95c2f7f34dc4328c92cede703ed5faaf0b23765a35bdedc9

                                          SHA512

                                          eb6d9bc4bee684050baa48b9670ce812ca940c44f58cabe5d5eb44f05afde4002e4ae60c9164f6378b612cef415780d91bc42ba87e810b6fe3db5aea08838880

                                        • C:\Users\Admin\AppData\Local\Temp\61cJPf1Vjg.bat

                                          Filesize

                                          223B

                                          MD5

                                          4c3c5584a11bcb8d5e590bbb3d768e8c

                                          SHA1

                                          2da38980af27c01561ca351b48405f533af557d6

                                          SHA256

                                          531cf49a24008c82203c196ee229a60267a5faa03fb3e47186165002969d0671

                                          SHA512

                                          ac19f8e7faab2cab2502d36d0793f43523d39ea6b37d3e25c26664e79921e382cabfd702972ac8349510565071ef69640537566832c9dcca6793f4e20b8f18f7

                                        • C:\Users\Admin\AppData\Local\Temp\Cab9CED.tmp

                                          Filesize

                                          70KB

                                          MD5

                                          49aebf8cbd62d92ac215b2923fb1b9f5

                                          SHA1

                                          1723be06719828dda65ad804298d0431f6aff976

                                          SHA256

                                          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                          SHA512

                                          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                        • C:\Users\Admin\AppData\Local\Temp\Jlvf1Vq2YP.bat

                                          Filesize

                                          223B

                                          MD5

                                          971d6a8c49c5c0b1148a4d5b3f12a8bf

                                          SHA1

                                          9d32e51d4f193c0369f8991c05960103fddbe498

                                          SHA256

                                          57d4dfbdc1f05baf519019a5ab37c446765c17ebe955e7601edb9c1099a77794

                                          SHA512

                                          8446be80ed229df78756df03eabe5ae1ba0b0b3e96efcacdac31e81af262b5f9d9f913aa892e15aedb65056260f96d1c2c9fbd96fa4c576aa89d89e7228d7f21

                                        • C:\Users\Admin\AppData\Local\Temp\Myoa8e0eVV.bat

                                          Filesize

                                          223B

                                          MD5

                                          f8bc95ab949eff7024a33d649933c18d

                                          SHA1

                                          8bd31ca150ea90fc5e25fce153100d0abaa0a1cc

                                          SHA256

                                          47d62cbbc30ea93dfe58e5d12fafa8cf3ce46e105507fea6bddfed9859e58b43

                                          SHA512

                                          b812ea733e3ee733e7e6a29261033b10996ef02bac552431b209551b2fb8c581b9c564d4afc2165ffae36486a81a14a0848bf11db9fcdf589df5e6966e404c3c

                                        • C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat

                                          Filesize

                                          223B

                                          MD5

                                          54283c8e9a3459aae4c6a4b95294b2b2

                                          SHA1

                                          3292aa9bcdf28fd73f9072ba8ec01c84c438493d

                                          SHA256

                                          f81d640cd958b7e2fd615756d42d4520bcc0303223e879fa5845396c44a41960

                                          SHA512

                                          408d055b64bd68bc0c786964dd663d063d7658591be45467a2a78386cb0e6427c2ae74867c6586e136dee54eab3178823558763bbd3cc6c5343bc2a0fde14342

                                        • C:\Users\Admin\AppData\Local\Temp\Tar9D7C.tmp

                                          Filesize

                                          181KB

                                          MD5

                                          4ea6026cf93ec6338144661bf1202cd1

                                          SHA1

                                          a1dec9044f750ad887935a01430bf49322fbdcb7

                                          SHA256

                                          8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                          SHA512

                                          6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                        • C:\Users\Admin\AppData\Local\Temp\UTkrWZWekQ.bat

                                          Filesize

                                          223B

                                          MD5

                                          49250bb334f311efa1ad3a7568168570

                                          SHA1

                                          72a4cb31fab93b99dbdffa580820de4888dcd2ed

                                          SHA256

                                          59c29e2aacc3c1f19980503c416933463b773b8ff72640f4a263ba9b32895deb

                                          SHA512

                                          1791d938746b99b4fa24149e9a5fbacf0d488b5b09e170814d86d3de61b930844e07fac780b4a170af1a552ef25a9735dd5e2d99418aabc59e193730cdb3a21c

                                        • C:\Users\Admin\AppData\Local\Temp\UZ6jdsJyxg.bat

                                          Filesize

                                          223B

                                          MD5

                                          3bea9861c47f1742d24a240fc54ce41e

                                          SHA1

                                          95115f2442c9d8393e522976dd8346cbb7f80bfe

                                          SHA256

                                          6a5c56b4cb99d5d5c6489360cab4e9477abb2e5a51a3550deecb1fcfaaa54b2f

                                          SHA512

                                          f3aad945b8ed4eaff5076c1e1de209422d182cc00571c2e2ed448aa1d62277aa57ac81a329779e47d711fa710a529bb56735291751effa947e3f3cfed315c675

                                        • C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat

                                          Filesize

                                          223B

                                          MD5

                                          5e57512b82b025111a0b6ea2a0323152

                                          SHA1

                                          dd36839a524be27b72fbe20738595cf588b0b57e

                                          SHA256

                                          458780b858738b0f1c4904f44f72c44e1469c821948c38cd84b2a0e9a8f6c579

                                          SHA512

                                          562b73f6ecd7b54011d33a5a4ca36caf21313aa7b77dcd0d1ba3676e65a0a79e3f708b5e8d8ed73f6ede81e60f3922c036f16da988e2da75bc0c6f1069ee8259

                                        • C:\Users\Admin\AppData\Local\Temp\nl4g9d70ax.bat

                                          Filesize

                                          223B

                                          MD5

                                          df868dd5eec6438730d89e1e50791963

                                          SHA1

                                          070b834fb6fc83b570efeaf76f6e72a820fdb5a7

                                          SHA256

                                          997052008b156aea30b80e9e5d2d5d62e1884b7b4745aa41c69a5c98d22ad90c

                                          SHA512

                                          b1cc2f54eabb470d48d8b1f5bd2dc0fd846332d2117cfbbc85b666cf323a909a16b24e0b4d97f0dd3d261692a7c5dc4766397bf06b0d717f30d37e9d8618590c

                                        • C:\Users\Admin\AppData\Local\Temp\x5nMQhEI33.bat

                                          Filesize

                                          223B

                                          MD5

                                          7e5dbd8c2fcf5f8ae2e58fbbc6c711c7

                                          SHA1

                                          a12e40a87a4e714fbde4d693e4e43b7779698645

                                          SHA256

                                          1e530d3a70600392daacc0b42f78a1bfc5fa4a96396ca9faf6aeba20b2f071b9

                                          SHA512

                                          3de39cc7b2efdcc41cb251c9af5b3a48f8b79f6498b1d9e4a341a77514948bb091fba2aae22233c681542a7a776970bba88e243cd281dac6842aecd4d7ca450b

                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                          Filesize

                                          7KB

                                          MD5

                                          0ab01ebeaa61deeceda46a2e5f8578dc

                                          SHA1

                                          5090cb6f4d49b56daaaefe66fc9348305c480ea1

                                          SHA256

                                          78387e6d556c05d1fca2f03a224145064374d51a3ac0c825947e92aa5b3bdf27

                                          SHA512

                                          d8b64f1c84b580fef216b136804d68ecb00c21f65e3d05decf2269e376ba97399637701108b696fe93ef2c2d97ba7ac151bc7ecfbf6d4e6b69eaf10931fe5c9b

                                        • C:\providercommon\1zu9dW.bat

                                          Filesize

                                          36B

                                          MD5

                                          6783c3ee07c7d151ceac57f1f9c8bed7

                                          SHA1

                                          17468f98f95bf504cc1f83c49e49a78526b3ea03

                                          SHA256

                                          8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                          SHA512

                                          c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                        • C:\providercommon\DllCommonsvc.exe

                                          Filesize

                                          1.0MB

                                          MD5

                                          bd31e94b4143c4ce49c17d3af46bcad0

                                          SHA1

                                          f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                          SHA256

                                          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                          SHA512

                                          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                        • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                          Filesize

                                          197B

                                          MD5

                                          8088241160261560a02c84025d107592

                                          SHA1

                                          083121f7027557570994c9fc211df61730455bb5

                                          SHA256

                                          2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                          SHA512

                                          20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                        • memory/1008-301-0x0000000000E70000-0x0000000000F80000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2028-121-0x0000000001F50000-0x0000000001F58000-memory.dmp

                                          Filesize

                                          32KB

                                        • memory/2120-422-0x0000000000430000-0x0000000000442000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/2120-421-0x00000000013C0000-0x00000000014D0000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2212-181-0x0000000000430000-0x0000000000442000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/2212-180-0x0000000000E40000-0x0000000000F50000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2300-50-0x0000000000B20000-0x0000000000C30000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2396-241-0x0000000000330000-0x0000000000342000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/2404-660-0x0000000000E50000-0x0000000000F60000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2416-120-0x000000001B320000-0x000000001B602000-memory.dmp

                                          Filesize

                                          2.9MB

                                        • memory/2760-361-0x00000000011C0000-0x00000000012D0000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2812-15-0x0000000000560000-0x000000000056C000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/2812-17-0x0000000000580000-0x000000000058C000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/2812-13-0x0000000001380000-0x0000000001490000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2812-16-0x0000000000570000-0x000000000057C000-memory.dmp

                                          Filesize

                                          48KB

                                        • memory/2812-14-0x0000000000550000-0x0000000000562000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/3064-600-0x0000000000020000-0x0000000000130000-memory.dmp

                                          Filesize

                                          1.1MB