Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    22-12-2024 01:06

General

  • Target

    JaffaCakes118_1fc1bb05571c3c986b20f9d61e53b31bf922b137ed79f70d46dfeba829bd2482.exe

  • Size

    1.3MB

  • MD5

    9cd27df9b90df9bb1928b3d8548fd4c4

  • SHA1

    2f94e9e8aaa913dee25385328eb7236f6e775d83

  • SHA256

    1fc1bb05571c3c986b20f9d61e53b31bf922b137ed79f70d46dfeba829bd2482

  • SHA512

    3f2e5bac1fe4a1d8cfe9e5a312d92e53e8e0cd6f052f01a85b083f575e1a0ca1165bae34053b94b53c21be7fc35d75133e4a11b1039d57ce204d66532fcce3a3

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 39 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fc1bb05571c3c986b20f9d61e53b31bf922b137ed79f70d46dfeba829bd2482.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1fc1bb05571c3c986b20f9d61e53b31bf922b137ed79f70d46dfeba829bd2482.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1044
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2964
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2760
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2904
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1880
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1356
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1368
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1576
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2044
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\de-DE\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:812
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1164
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1832
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\actionqueue\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1048
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:916
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:928
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:888
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:568
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\ja-JP\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1784
          • C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe
            "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1964
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mNrvcGFykN.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2888
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2624
                • C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe
                  "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2052
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zj0hR7WTEZ.bat"
                    8⤵
                      PID:2908
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        9⤵
                          PID:2320
                        • C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe
                          "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe"
                          9⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2080
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yyRUJOSyqo.bat"
                            10⤵
                              PID:2204
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                11⤵
                                  PID:1784
                                • C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe
                                  "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe"
                                  11⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1560
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat"
                                    12⤵
                                      PID:2924
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        13⤵
                                          PID:1724
                                        • C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe
                                          "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe"
                                          13⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2980
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2sHl3bGdB9.bat"
                                            14⤵
                                              PID:1356
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                15⤵
                                                  PID:2580
                                                • C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe
                                                  "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe"
                                                  15⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2060
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a1lJXnITmE.bat"
                                                    16⤵
                                                      PID:2688
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        17⤵
                                                          PID:1860
                                                        • C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe
                                                          "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe"
                                                          17⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:1932
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TBzEQtkdDl.bat"
                                                            18⤵
                                                              PID:996
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                19⤵
                                                                  PID:2676
                                                                • C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe
                                                                  "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe"
                                                                  19⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:700
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat"
                                                                    20⤵
                                                                      PID:2564
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        21⤵
                                                                          PID:676
                                                                        • C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe
                                                                          "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe"
                                                                          21⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:2652
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat"
                                                                            22⤵
                                                                              PID:2240
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                23⤵
                                                                                  PID:868
                                                                                • C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe
                                                                                  "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe"
                                                                                  23⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:2840
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gZmmY05In2.bat"
                                                                                    24⤵
                                                                                      PID:2272
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        25⤵
                                                                                          PID:2512
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1340
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2756
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2544
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1664
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2380
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dllhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1680
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\lsm.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:332
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1112
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1492
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Documents\explorer.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1660
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Documents\explorer.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2736
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\explorer.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2800
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\taskhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2824
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\taskhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2844
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\taskhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1932
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\addins\wininit.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1816
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\addins\wininit.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1348
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\addins\wininit.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1808
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Public\conhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1740
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\conhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1636
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\conhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1508
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Windows\Panther\actionqueue\cmd.exe'" /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:796
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\cmd.exe'" /rl HIGHEST /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2032
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Windows\Panther\actionqueue\cmd.exe'" /rl HIGHEST /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1872
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\conhost.exe'" /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2008
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\conhost.exe'" /rl HIGHEST /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2020
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\conhost.exe'" /rl HIGHEST /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2076
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2992
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /rl HIGHEST /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2068
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /rl HIGHEST /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2916
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:772
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:3036
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1708
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\conhost.exe'" /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2352
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\conhost.exe'" /rl HIGHEST /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:408
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\conhost.exe'" /rl HIGHEST /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1768
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\taskhost.exe'" /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1252
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\taskhost.exe'" /rl HIGHEST /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2072
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\taskhost.exe'" /rl HIGHEST /f
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1324

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Downloads

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                          Filesize

                                          342B

                                        • C:\Users\Admin\AppData\Local\Temp\2sHl3bGdB9.bat

                                          Filesize

                                          240B

                                        • C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat

                                          Filesize

                                          240B

                                        • C:\Users\Admin\AppData\Local\Temp\CabA4E9.tmp

                                          Filesize

                                          70KB

                                        • C:\Users\Admin\AppData\Local\Temp\TBzEQtkdDl.bat

                                          Filesize

                                          240B

                                        • C:\Users\Admin\AppData\Local\Temp\TarA4FB.tmp

                                          Filesize

                                          181KB

                                        • C:\Users\Admin\AppData\Local\Temp\Zj0hR7WTEZ.bat

                                          Filesize

                                          240B

                                        • C:\Users\Admin\AppData\Local\Temp\a1lJXnITmE.bat

                                          Filesize

                                          240B

                                        • C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat

                                          Filesize

                                          240B

                                        • C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat

                                          Filesize

                                          240B

                                        • C:\Users\Admin\AppData\Local\Temp\gZmmY05In2.bat

                                          Filesize

                                          240B

                                        • C:\Users\Admin\AppData\Local\Temp\mNrvcGFykN.bat

                                          Filesize

                                          240B

                                        • C:\Users\Admin\AppData\Local\Temp\yyRUJOSyqo.bat

                                          Filesize

                                          240B

                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                          Filesize

                                          7KB

                                        • C:\providercommon\1zu9dW.bat

                                          Filesize

                                          36B

                                        • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                          Filesize

                                          197B

                                        • \providercommon\DllCommonsvc.exe

                                          Filesize

                                          1.0MB
