Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-12-2024 00:25

General

  • Target

    JaffaCakes118_230aae467f83c1ae425b2fdb0784cd37a30f132b795c392264349259c542dfde.exe

  • Size

    1.3MB

  • MD5

    8c6e53853dc49576ea358ba4f80a9de8

  • SHA1

    0a75ca262f3ba2fb18f8917a9eb7f09b3c381fb2

  • SHA256

    230aae467f83c1ae425b2fdb0784cd37a30f132b795c392264349259c542dfde

  • SHA512

    efbf7eab849266bd571c190bb092a44e4a7b9fbfcb8c47920267de5cd867c6d73461da7328571680933cb1b9107de3f38ee41cdad6e9d4f0916c02142111b054

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 33 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 9 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_230aae467f83c1ae425b2fdb0784cd37a30f132b795c392264349259c542dfde.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_230aae467f83c1ae425b2fdb0784cd37a30f132b795c392264349259c542dfde.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2508
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2408
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1832
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1852
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1664
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:956
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1372
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:672
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2148
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1136
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2468
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1684
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Videos\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1364
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1528
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\GAC_MSIL\System.Core\3.5.0.0__b77a5c561934e089\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1784
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2460
          • C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe
            "C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1680
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eKh6VzgSrU.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2284
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:1288
                • C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe
                  "C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2156
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1816
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:2628
                      • C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe
                        "C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe"
                        9⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2952
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CMv1BFFgLz.bat"
                          10⤵
                            PID:2996
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              11⤵
                                PID:1760
                              • C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe
                                "C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe"
                                11⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1264
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat"
                                  12⤵
                                    PID:2972
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      13⤵
                                        PID:1564
                                      • C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe
                                        "C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe"
                                        13⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1508
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ELd0wzhjGt.bat"
                                          14⤵
                                            PID:1940
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              15⤵
                                                PID:2624
                                              • C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe
                                                "C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe"
                                                15⤵
                                                • Executes dropped EXE
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:3040
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vbXk1H8t4K.bat"
                                                  16⤵
                                                    PID:2884
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      17⤵
                                                        PID:2188
                                                      • C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe
                                                        "C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe"
                                                        17⤵
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:344
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GKRF07RVHS.bat"
                                                          18⤵
                                                            PID:1692
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              19⤵
                                                                PID:1768
                                                              • C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe
                                                                "C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe"
                                                                19⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:604
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YzNOjOTGFC.bat"
                                                                  20⤵
                                                                    PID:2904
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      21⤵
                                                                        PID:2060
                                                                      • C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe
                                                                        "C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe"
                                                                        21⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:1436
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\38GCmEMl12.bat"
                                                                          22⤵
                                                                            PID:2816
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              23⤵
                                                                                PID:2728
                                                                              • C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe
                                                                                "C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe"
                                                                                23⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:2068
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wxi7FenmH.bat"
                                                                                  24⤵
                                                                                    PID:864
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      25⤵
                                                                                        PID:300
                                                                                      • C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe
                                                                                        "C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe"
                                                                                        25⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:2852
                                                                                        • C:\Windows\System32\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IxigaWiN4Z.bat"
                                                                                          26⤵
                                                                                            PID:1596
                                                                                            • C:\Windows\system32\w32tm.exe
                                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                              27⤵
                                                                                                PID:2596
                                                                                              • C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe
                                                                                                "C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe"
                                                                                                27⤵
                                                                                                • Executes dropped EXE
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:1672
                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QOz0umrEhM.bat"
                                                                                                  28⤵
                                                                                                    PID:2624
                                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                      29⤵
                                                                                                        PID:2760
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2632
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2624
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2884
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\Application\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2596
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2628
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2676
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Documents\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2432
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Documents\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1940
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Documents\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2032
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\OSPPSVC.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:560
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1744
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2776
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2920
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2968
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1304
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:844
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1432
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1500
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2000
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Videos\lsm.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2072
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\Videos\lsm.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2012
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Videos\lsm.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:320
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:632
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2528
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2052
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Windows\assembly\GAC_MSIL\System.Core\3.5.0.0__b77a5c561934e089\audiodg.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1256
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_MSIL\System.Core\3.5.0.0__b77a5c561934e089\audiodg.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2132
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Windows\assembly\GAC_MSIL\System.Core\3.5.0.0__b77a5c561934e089\audiodg.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:408
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Windows\Installer\DllCommonsvc.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2452
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\Installer\DllCommonsvc.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:3040
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Windows\Installer\DllCommonsvc.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1524

                                              Network

                                              MITRE ATT&CK Enterprise v15

                                              Downloads

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                c85280afa2439c4ac2f0b3091e27a6a3

                                                SHA1

                                                1f2cb61db993c3006fd2feb92fcb5891eb3d08b8

                                                SHA256

                                                304795494304972dede2c82c4314eca0d4ade4160d385200ab93111a81cebe89

                                                SHA512

                                                34bfe5c81d9be52671911c4b746fa5f5bfe04e62763e65f59fc99d850a731dd3ff14ddcc168febd64c29816b293e6e1dcac3e9c1b29902051080a338fa7417c6

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                532b42dfe51d94a98d4bb6a9cc4ceb7f

                                                SHA1

                                                326b1ccadff15b745d67564065b2d10febf31298

                                                SHA256

                                                abc0c530c4293c4cac2c5f941d433841d7267f2fc739a27251a15c1cc46a466e

                                                SHA512

                                                2726402c06c4d5b25a4cb6fc64199324ecd20f3a24c8bee363b648a6aad482ee6df94a8a1dae8bf80c2a5de938e3b8f1440367ec44a888a4ef379f697d387445

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                ec4f53953732085387e369279376d3b7

                                                SHA1

                                                29a4aa714ec1aa01bc46ff97e4229acf3c2e5040

                                                SHA256

                                                153e858d911ae8af297d01bf14bb31ff3ac07b4f424bc4276ed7f6dfbb9cec7a

                                                SHA512

                                                66cc1854989157f92000a0e4886a51e38a960059434efead190817869b59449899f2fe18527728f6a7fb483423f7043bd6a1959a27fe169b900294cfbabba3a8

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                113efd5dcc7c2865ffa6c4eb8e40e7a0

                                                SHA1

                                                12042c2882aaa3cf67ff8a2b4b4bd66d961636dd

                                                SHA256

                                                7130c5294cc9f709e0fb2e50e691adddb29470acc1099ae79e58f6fb86622ff8

                                                SHA512

                                                469da0ed544ae87a1e17170160a7565f7e3834a483389f7faa618021ab2b1d29777ec5a1b02e47b7209313ee5d41c127ecfe85f6ec821b32aa4607121b512ba4

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                dd7828ffeaa6c043b95d2cb87d1cc6ba

                                                SHA1

                                                0716ea2346af5e758e56fdfe544644b8a0b7be2e

                                                SHA256

                                                f1e15f70783190ce9f2bcfa54fb8dbe074f3ef6252379c04cdb5f6bb28f2af6d

                                                SHA512

                                                00802b25f5d6853c8279342309f094a60fca76179d0fdf38f19daef6d738e4f29b30f744973bf8e331bdfeaf0dba480002ab8861800baab0dfa7f581cd5f4e03

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                e2d231216b5375350331730c44e8572c

                                                SHA1

                                                9a7ae9df184a989ed5bb8e07e1439529ecf33611

                                                SHA256

                                                81a20778db017f54f7364838d013d7c1c87e3da2bdca82ba5ef1c2bafee59c2d

                                                SHA512

                                                def52a4b5b19ee5ded793be8b258d7a514f1abc3ec0501ee19f74be9930b8f4bdbe0afe4435d95b542d1d1771b1266c790d6afe7686be2335de309a82855820d

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                b823f50d69ff52377a9226cd89eda52e

                                                SHA1

                                                b7c0bdc761ba50b19678b2d6f64ca2e48d178476

                                                SHA256

                                                19b69e532eae165d60ad95588d2e71103af22393a9fb10fce3e7c489b9dfc396

                                                SHA512

                                                469312db0707829946ab5404e8d4520bee2b0e966cf73dcf6e8bc90bb0cedb0634fcbe1d70a79f679555ac21abdeb5ff8cb577abc11b2a7e2930d562ac5550a9

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                50530f7eb7938c867f39ae036cc1bc34

                                                SHA1

                                                77157b733eb338c25b366f90836338e728834ca0

                                                SHA256

                                                4daebd0bc7524a85f30ea0e62387a82d8a529629eb1efcef5ae2469c8ec6a795

                                                SHA512

                                                b6e30f223a5513a4b49d72c9605c88c8dd2ed77f57bafd0408d7bd96225c5c25b38e1ea4c4323603d0d3fba7d03581498f6dcc0cc6ea8f6266f81cd3c5f501e6

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                247cd8502009c1481f54626484e06dd0

                                                SHA1

                                                6941ff9c1c54644be23f02f5167133b16016e66b

                                                SHA256

                                                941a7f226074c19946032bb370884d0b55c8504f30096c90170cfb8103cddd99

                                                SHA512

                                                ccec487eb4d4cf60453ede9786005aa8a50290204889f0408d32175054006c28677bbc21a189208300c9b3b29bf6849cee688781ea75d2abd857f664cbb55fe6

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                27bc23ffe3a001e5d8e4ee60b5695b46

                                                SHA1

                                                b48646faaf8b2752e3deca964723456213162ebe

                                                SHA256

                                                de906ea6e86fafd489c788f1714bd05943c9e81a400cf0bcc4c84734ae75ba0b

                                                SHA512

                                                ed4e31899945067df14486ad44c54b3030b4b0cbb09b92aa395178e3eb20630b8bc20fa901ea50f141c82266a33fc480ff5239c9814d1245fe95e4f273e515b5

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                40f8a1ea1ace081e0f6b3f7bd3ae61ef

                                                SHA1

                                                8e85c7a71527741100c9995d053dcb0bb2c39957

                                                SHA256

                                                ea38f453a4c878586b9287d5cc63bfeb939a3a4cdb80446a98a42472a36da900

                                                SHA512

                                                d713a38b41294f9efc6da2f8cb212c7bdbbbdbb697ff0b7bc59ad03bb5ca579ed4d83b9d4964176c7e1688816820d388081ec978c36178dc9b80c17c91b3119c

                                              • C:\Users\Admin\AppData\Local\Temp\2wxi7FenmH.bat

                                                Filesize

                                                221B

                                                MD5

                                                43535c91f384cc0ed89f3bb9e3f9e3c7

                                                SHA1

                                                c1700e3e57c1f0111357e78a898d3aa6dd8292ae

                                                SHA256

                                                ac497dcd85a44a616f5860293d080cb569d8e943a1abbb95072f2f704e4828e9

                                                SHA512

                                                acbe09d5e2d2edb93ef59c8734b626b7822e56477a844ac78ccfc9b65c043fc9cf60b116aa8acda9ee0e49794e781000ed10697a734a39dc15304be70285324f

                                              • C:\Users\Admin\AppData\Local\Temp\38GCmEMl12.bat

                                                Filesize

                                                221B

                                                MD5

                                                dae5af3b0b411d6ec59b502c39fe13c1

                                                SHA1

                                                6a6047715cd8d700e03ca9cd87784652f8f34369

                                                SHA256

                                                0035470ea3760517571eb6b52abc0cb6c88575d2f76ca7979f7d778b1e130ca6

                                                SHA512

                                                110a632a743ecbb5de3761db909fe080eec39c044c32ec6142dbc32f86387482cc84948292cc13ea94e274a5e65d80d3c2ec485d904b3d9ee9d2cffbd7b966ba

                                              • C:\Users\Admin\AppData\Local\Temp\CMv1BFFgLz.bat

                                                Filesize

                                                221B

                                                MD5

                                                b6d0bf90681ae0a1d7a2a96b7ee690c7

                                                SHA1

                                                4df1da39700ecc5ee84f4a7b203a8ae7fae84c07

                                                SHA256

                                                c47b5e7fe70e7a5e026325d307042e5b592bae7b6016a3ae8980181674886577

                                                SHA512

                                                4a840af78ac43e833c5ec352a37964b8da782d07c0e8692bd61c44249f9327e5f98bea4d36531bc7d387c60ca80e84fc2a39dee66cba8ad4a274c3827b10de97

                                              • C:\Users\Admin\AppData\Local\Temp\CabCCA4.tmp

                                                Filesize

                                                70KB

                                                MD5

                                                49aebf8cbd62d92ac215b2923fb1b9f5

                                                SHA1

                                                1723be06719828dda65ad804298d0431f6aff976

                                                SHA256

                                                b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                SHA512

                                                bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                              • C:\Users\Admin\AppData\Local\Temp\ELd0wzhjGt.bat

                                                Filesize

                                                221B

                                                MD5

                                                8032c1517f68d713b7d4706ceff8be25

                                                SHA1

                                                4c3e59c8faa2aa57bc25e7b9a31bfaa8a91ffcd4

                                                SHA256

                                                94ce376d2e7092fdcdb48068c4dacc3b653bf16993269abc5489f10579aa157e

                                                SHA512

                                                4250ec65b1b5e7b089d5781bc040d4027b08fb4d6485990380a47128c19dde8c490e422f6cf6e37a58ecbc89627892da40d8c95d8e13c3e2784e1f19ee29f4a1

                                              • C:\Users\Admin\AppData\Local\Temp\GKRF07RVHS.bat

                                                Filesize

                                                221B

                                                MD5

                                                5d1dc1ef6797bd1cf21b7913a0b77cec

                                                SHA1

                                                e9368b210cda957ac234b94dfbd807f8e838582d

                                                SHA256

                                                50728f1249977d8fb64d5e09d9953a684435555412958275782645244439ff2f

                                                SHA512

                                                3dbf0cde2453b5843f0f4b30c02826cfad83761ed02b738d59519dc31fd57339bb01077f40613bf8693cc38967fcb76c16f3a8740c689400c9063cc9d4f33eb0

                                              • C:\Users\Admin\AppData\Local\Temp\IxigaWiN4Z.bat

                                                Filesize

                                                221B

                                                MD5

                                                b1e2674218470d647ea9025c5190452f

                                                SHA1

                                                c4dc7f52f92f4d66568612f6ec81f7add747a2a3

                                                SHA256

                                                8b90d00fd38411c1a94ac83019df5bcc19d927525a06ef7576b3e7547e776d38

                                                SHA512

                                                8cb0afe87b24bfdcb5e238ada7522d2ae98d6978e57ff809504c494e1dfe36bdb22f07aae95a5995e0a19cfd1e4f9562a03983268ae9e294cec3c397b826fd2a

                                              • C:\Users\Admin\AppData\Local\Temp\QOz0umrEhM.bat

                                                Filesize

                                                221B

                                                MD5

                                                7854a8919fa1f3c80b18f59cdbed8baa

                                                SHA1

                                                5a2c81923987aa52f0cf8af0293fa08fa8d58e55

                                                SHA256

                                                08edb1cd2ba88b1e953f843db99d3cc34aec053ae36dcb12e01dee699983fb19

                                                SHA512

                                                2e04e81b1693f1dc7f37c0c8869206f117400e3ca1b21444ba7a5fa19147545a37dc04bf32c356e90fe6997af33be3fe1db18dbf406a26c1dc4294344fa8c84b

                                              • C:\Users\Admin\AppData\Local\Temp\TarCCB6.tmp

                                                Filesize

                                                181KB

                                                MD5

                                                4ea6026cf93ec6338144661bf1202cd1

                                                SHA1

                                                a1dec9044f750ad887935a01430bf49322fbdcb7

                                                SHA256

                                                8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                SHA512

                                                6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                              • C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat

                                                Filesize

                                                221B

                                                MD5

                                                11b5e9aa7df81ccf4709c7c772291607

                                                SHA1

                                                196882c0886826d7987f24e98c84d324405ab1d2

                                                SHA256

                                                02b3203102f5304e2609d950d9377d034e1308e9b6ebad1f82d732dbc1ea0ea1

                                                SHA512

                                                87a8091aa194b2e9e15d34bd9349523f2d8fd2b2dd14813c4880d7f87930cd2eafc49c20594731e64c467982b4e11691594022ff1c647904fcddc210bd8cf613

                                              • C:\Users\Admin\AppData\Local\Temp\YzNOjOTGFC.bat

                                                Filesize

                                                221B

                                                MD5

                                                e98e8b506b3a979c0c7f6d40313c078d

                                                SHA1

                                                45d6419601b94756285621ab4d12d1935d0aedeb

                                                SHA256

                                                ddf16f61cde69b6f8da1f9d89ff3b5a090db8c4f3bf5065c4facab641f711253

                                                SHA512

                                                7448f3e45cbc1156f77c68068356a61dcc2b080ba099e55c1c833e25025ef566dc4e7bff2f78b4e292e5517a48428baea714ef0bfc8d94ae89a2f87d4e674cf3

• C:\Users\Admin\AppData\Local\Temp\eKh6VzgSrU.bat
  Filesize: 221B
  MD5: eb4063b1cad028ddcf9538f266a2f5a6
  SHA1: f0a7ec852ddd03aad16a4daf36026e20828a4d6f
  SHA256: dd6c18ed6f6c8590c09dac26acb0dba324073835951a16774c79ceb6315a9a87
  SHA512: 96ba45336a530571ba532c98e16def3e2fd707f0d00776c03b179afa3a19cf4f5d1e7eba339b2b05b0dc530b1530e050d838a502581866fac1fba2f087576e6a

• C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat
  Filesize: 221B
  MD5: 1801d3c9923e204f7c9af38eb808d78a
  SHA1: 9cf255d3701d5a71f3cd74b4dc34c0583969d1a1
  SHA256: d0bca1db6bf644842de24a93182a2c1c4e998e01cf7a4e0563ea2b6bd95db88c
  SHA512: 1aef6827cabbc804ae2b8d131f8e95c28a8b5bf1312801f603797945773a1572c0c9b7c17d240c30b1590f6efd5687bd1fcb06b48186faeb752b22f554eeef38

• C:\Users\Admin\AppData\Local\Temp\vbXk1H8t4K.bat
  Filesize: 221B
  MD5: c2b6aaf359124af172f016f6738be0f0
  SHA1: d4a37136aa904fdd07eb24171d0e00f72fa286d2
  SHA256: 8f0892e0052ff7f81dd491acc2000fb1a9575afcca13417ccc24b7bc54b7b570
  SHA512: 1cb7cef026afecf5feb9f018148c9cb6f26bb3a577fcd06934f8a260382fa061e561599a7626d5561b2801c0b05f25b077affd8b6fdd62deb1cfc92e36ba985f

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 69d171ed95cd2c975b32b2ac89f7eec3
  SHA1: 15ea22836736e4d7ba38f1fb8f8b11327933bfae
  SHA256: 45b49c811191608105dd11b0f84677403eff26bef149bc63841ce786a2683fe7
  SHA512: 4443ea2b0ab8312d5e9132206f58a780f6960f8fc62f0d560174d472cd6dfe8a5373ec976ae75f499c653d25e8e5c849ab0403df12ff50d9db048bd4815ed45b

• C:\providercommon\1zu9dW.bat
  Filesize: 36B
  MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

• C:\providercommon\DllCommonsvc.exe
  Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

• C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
  Filesize: 197B
  MD5: 8088241160261560a02c84025d107592
  SHA1: 083121f7027557570994c9fc211df61730455bb5
  SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

• memory/344-465-0x00000000001F0000-0x0000000000300000-memory.dmp
  Filesize: 1.1MB

• memory/344-466-0x0000000000650000-0x0000000000662000-memory.dmp
  Filesize: 72KB

• memory/604-526-0x00000000003D0000-0x00000000004E0000-memory.dmp
  Filesize: 1.1MB

• memory/672-57-0x000000001B530000-0x000000001B812000-memory.dmp
  Filesize: 2.9MB

• memory/956-58-0x0000000001D90000-0x0000000001D98000-memory.dmp
  Filesize: 32KB

• memory/1436-586-0x0000000000BD0000-0x0000000000CE0000-memory.dmp
  Filesize: 1.1MB

• memory/1508-345-0x0000000000350000-0x0000000000362000-memory.dmp
  Filesize: 72KB

• memory/1508-344-0x00000000000D0000-0x00000000001E0000-memory.dmp
  Filesize: 1.1MB

• memory/1680-55-0x0000000001250000-0x0000000001360000-memory.dmp
  Filesize: 1.1MB

• memory/1680-108-0x0000000000660000-0x0000000000672000-memory.dmp
  Filesize: 72KB

• memory/1852-17-0x00000000003F0000-0x00000000003FC000-memory.dmp
  Filesize: 48KB

• memory/1852-16-0x00000000003D0000-0x00000000003DC000-memory.dmp
  Filesize: 48KB

• memory/1852-15-0x00000000003E0000-0x00000000003EC000-memory.dmp
  Filesize: 48KB

• memory/1852-14-0x00000000003C0000-0x00000000003D2000-memory.dmp
  Filesize: 72KB

• memory/1852-13-0x00000000009C0000-0x0000000000AD0000-memory.dmp
  Filesize: 1.1MB

• memory/2852-705-0x0000000001150000-0x0000000001260000-memory.dmp
  Filesize: 1.1MB

• memory/3040-405-0x00000000001C0000-0x00000000002D0000-memory.dmp
  Filesize: 1.1MB
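Added example, not part of the sandbox report: a small Python parser for the dropped-file and memory-dump entries listed above. It turns the file entries into hash IOCs (checking that each digest has the right length for its algorithm), decodes the memory-dump names, which encode the PID, a dump index and the start/end address of the dumped region, and cross-checks the size implied by that address range against the Filesize the report states (0x300000 - 0x1F0000 = 0x110000 bytes, which the report rounds to 1.1MB; 0x3D2000 - 0x3C0000 = 0x12000 = 72KB exactly). Finally it hashes a sample with the same four algorithms and reports which IOC it matches. SAMPLE_REPORT contains entries copied from the listing above; the function names, the tolerance for both the label/value and the label: value layouts, and the size-rendering rules are this example's own assumptions. The same 0x110000-byte region appearing in eight different PIDs (344, 604, 1436, 1508, 1680, 1852, 2852, 3040) is what one would expect from the repeated execution of the dropped 1.0MB DllCommonsvc.exe recorded elsewhere in the report; that is an inference from the listing, not something the report states.

```python
"""Parse a sandbox report's dropped-file and memory-dump entries into IOC records.
Added example, not part of the report: the SAMPLE_REPORT values are copied from the
listing above; the function names and size-rendering rules are this example's own."""
import hashlib
import re

# Constructed sample in the report's label/value layout (both forms are accepted).
SAMPLE_REPORT = r"""
• C:\providercommon\DllCommonsvc.exe
  Filesize
  1.0MB
  MD5
  bd31e94b4143c4ce49c17d3af46bcad0
  SHA256
  b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
• C:\providercommon\1zu9dW.bat
  Filesize: 36B
  MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
• memory/1852-13-0x00000000009C0000-0x0000000000AD0000-memory.dmp
  Filesize
  1.1MB
• memory/1852-14-0x00000000003C0000-0x00000000003D2000-memory.dmp
  Filesize: 72KB
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABELS = ("Filesize", *HASH_LEN)
# Dump names encode <pid>-<index>-<start>-<end>; end - start is the region size.
MEMDUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def _pairs(text):
    """Yield (label, value); a '•' line yields ('ENTRY', name)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        ln = lines[i]
        if ln.startswith("•"):
            yield "ENTRY", ln[1:].strip()
        elif ":" in ln and ln.split(":", 1)[0] in LABELS:      # "MD5: <hex>"
            label, value = ln.split(":", 1)
            yield label, value.strip()
        elif ln in LABELS and i + 1 < len(lines):              # "MD5" then "<hex>"
            yield ln, lines[i + 1]
            i += 1
        i += 1


def parse_report(text):
    """Return (file_iocs, regions): one dict per bulleted entry in the text."""
    files, regions, cur = [], [], None
    for label, value in _pairs(text):
        if label == "ENTRY":
            m = MEMDUMP_RE.fullmatch(value)
            if m:
                pid, idx, start, end = m.groups()
                cur = {"name": value, "pid": int(pid), "index": int(idx),
                       "start": int(start, 16), "end": int(end, 16), "stated_size": ""}
                regions.append(cur)
            else:
                cur = {"path": value, "size": "", "hashes": {}}
                files.append(cur)
        elif cur is None:
            continue
        elif label == "Filesize":
            cur["size" if "path" in cur else "stated_size"] = value
        elif "path" in cur:
            value = value.lower()  # reject anything that is not a digest of the right length
            if len(value) != HASH_LEN[label] or not re.fullmatch(r"[0-9a-f]+", value):
                raise ValueError(f"malformed {label} for {cur['path']}: {value!r}")
            cur["hashes"][label] = value
    return files, regions


def human_size(n):
    """Render bytes the way the report does: B, whole KB, MB to one decimal."""
    if n < 1024:
        return f"{n}B"
    if n < 1024 ** 2:
        return f"{n / 1024:.0f}KB"
    return f"{n / 1024 ** 2:.1f}MB"


def check_regions(regions):
    """(name, bytes, rendered, stated, agrees): does the address range match Filesize?"""
    out = []
    for r in regions:
        n = r["end"] - r["start"]
        out.append((r["name"], n, human_size(n), r["stated_size"], human_size(n) == r["stated_size"]))
    return out


def match_bytes(blob, iocs):
    """Hash a sample with every algorithm the report uses; return (path, algorithm) hits."""
    digests = {"MD5": hashlib.md5(blob).hexdigest(), "SHA1": hashlib.sha1(blob).hexdigest(),
               "SHA256": hashlib.sha256(blob).hexdigest(), "SHA512": hashlib.sha512(blob).hexdigest()}
    return [(ioc["path"], algo) for ioc in iocs for algo, h in ioc["hashes"].items() if digests[algo] == h]
```

Feed the full listing to `parse_report` and the file records drop straight into a hash blocklist or a YARA/EDR IOC import, while `check_regions` flags any dump whose stated size disagrees with its address range (none of the entries above do). `match_bytes` is deliberately run on bytes rather than a path so it can be applied to a carved region from one of the `.dmp` files as easily as to a file on disk.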