Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-12-2024 01:18

General

  • Target

    JaffaCakes118_f23b4d09d63b9aa0b310446271aed5ffa5909e06aa9eee43b5a2dacf692b963b.exe

  • Size

    1.3MB

  • MD5

    5f4aab056bab46b7eebb56c88cb334e3

  • SHA1

    b9ff4b731f5e3d58f42a1000cbd96c6da6db0ee0

  • SHA256

    f23b4d09d63b9aa0b310446271aed5ffa5909e06aa9eee43b5a2dacf692b963b

  • SHA512

    0cdc260b14c3b4c0d794411a4d7f17152bccd337be82152b9e7fae3eb993b996efa5ff47270b5115780b14d37a2b6af9312fc6f8ae040fd83cb5206d6f170f58

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 36 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 8 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f23b4d09d63b9aa0b310446271aed5ffa5909e06aa9eee43b5a2dacf692b963b.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f23b4d09d63b9aa0b310446271aed5ffa5909e06aa9eee43b5a2dacf692b963b.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2584
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2360
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2340
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1376
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:608
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1788
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2568
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2316
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2440
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\de-DE\taskhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2212
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1936
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2352
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2312
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2072
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1504
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2424
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FECcZAZ6Xv.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1736
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2068
              • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe
                "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2576
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pkmftNZ3Wr.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1304
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:2716
                    • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe
                      "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1972
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\04VLARgLyy.bat"
                        9⤵
                          PID:3060
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            10⤵
                              PID:2364
                            • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe
                              "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe"
                              10⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2868
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbT3NvUu3s.bat"
                                11⤵
                                  PID:1564
                                  • C:\Windows\system32\w32tm.exe
                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    12⤵
                                      PID:2772
                                    • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe
                                      "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe"
                                      12⤵
                                      • Executes dropped EXE
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1736
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oPL6j2OtN4.bat"
                                        13⤵
                                          PID:2108
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            14⤵
                                              PID:2528
                                            • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe
                                              "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe"
                                              14⤵
                                              • Executes dropped EXE
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2160
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QLPJAVlmCt.bat"
                                                15⤵
                                                  PID:920
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    16⤵
                                                      PID:2172
                                                    • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe
                                                      "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe"
                                                      16⤵
                                                      • Executes dropped EXE
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:1896
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xHU7fKnwSZ.bat"
                                                        17⤵
                                                          PID:2196
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            18⤵
                                                              PID:2068
                                                            • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe
                                                              "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe"
                                                              18⤵
                                                              • Executes dropped EXE
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:1164
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0IgHXqOu0A.bat"
                                                                19⤵
                                                                  PID:1412
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    20⤵
                                                                      PID:2648
                                                                    • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe
                                                                      "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe"
                                                                      20⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:2080
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w2PRcJO5W1.bat"
                                                                        21⤵
                                                                          PID:2428
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            22⤵
                                                                              PID:1660
                                                                            • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe
                                                                              "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe"
                                                                              22⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:2964
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QRlBHoY6P9.bat"
                                                                                23⤵
                                                                                  PID:2420
                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    24⤵
                                                                                      PID:3064
                                                                                    • C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe
                                                                                      "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe"
                                                                                      24⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:1196
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ATZuYpZxcK.bat"
                                                                                        25⤵
                                                                                          PID:2140
                                                                                          • C:\Windows\system32\w32tm.exe
                                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                            26⤵
                                                                                              PID:2264
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\providercommon\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2640
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2636
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2788
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2628
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2696
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3052
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2884
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2840
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1792
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2132
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2364
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1800
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1668
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2868
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2924
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\TableTextService\de-DE\taskhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1716
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\de-DE\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:340
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\TableTextService\de-DE\taskhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1964
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1756
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2208
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1164
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
                                            PID:2284
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\cmd.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2560
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\cmd.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2052
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Favorites\dwm.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1856
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Favorites\dwm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1012
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Favorites\dwm.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2036
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\Tasks\spoolsv.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2276
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Tasks\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:840
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\spoolsv.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1092
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1604
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:704
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\audiodg.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1908
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\cmd.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2116
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\cmd.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:1904
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\cmd.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Scheduled Task/Job: Scheduled Task
                                            PID:2040

                                          Network

                                          MITRE ATT&CK Enterprise v15

                                          Downloads


                                            Filesize

                                            48KB

                                          • memory/2340-13-0x00000000013A0000-0x00000000014B0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2340-17-0x00000000003E0000-0x00000000003EC000-memory.dmp

                                            Filesize

                                            48KB

                                          • memory/2576-117-0x0000000000430000-0x0000000000442000-memory.dmp

                                            Filesize

                                            72KB

                                          • memory/2576-116-0x00000000008C0000-0x00000000009D0000-memory.dmp

                                            Filesize

                                            1.1MB

                                          • memory/2868-236-0x0000000000180000-0x0000000000290000-memory.dmp

                                            Filesize

                                            1.1MB
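As an added example that is not part of this sandbox report: a small Python script that turns the dropped-file and memory-dump entries above into a checkable IOC set. It embeds a constructed excerpt (values copied from the entries above; the parser accepts both the report's label-then-value layout and a "Label: value" layout), hashes data or a local file with all four algorithms the report lists, and cross-checks that each memory dump's stated Filesize agrees with its 0x start to 0x end range. The rounding to binary KB/MB with one decimal for MB is an assumption about how the report formats sizes; it reproduces every size shown above.

```python
import hashlib
import re
import sys

# Constructed excerpt in the sandbox report's own layout; hash and size values are
# copied from the entries listed above, the selection of entries is ours.
REPORT_EXCERPT = r"""
• \providercommon\DllCommonsvc.exe
  Filesize
  1.0MB
  MD5
  bd31e94b4143c4ce49c17d3af46bcad0
  SHA1
  f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256
  b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512
  f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
• memory/2080-534-0x0000000000520000-0x0000000000532000-memory.dmp
  Filesize
  72KB
• memory/2212-56-0x000000001B650000-0x000000001B932000-memory.dmp
  Filesize
  2.9MB
"""

LABELS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")
ALGOS = ("md5", "sha1", "sha256", "sha512")
# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_report(text):
    """Turn the report's bullet list into dicts: {'name': ..., 'MD5': ..., ...}."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):            # new dropped file or memory dump
            entries.append({"name": line[1:].strip()})
            pending = None
        elif pending:                       # value line following a bare label
            entries[-1][pending] = line
            pending = None
        elif ":" in line and line.split(":", 1)[0] in LABELS:  # "MD5: <hex>" layout
            key, value = line.split(":", 1)
            entries[-1][key] = value.strip()
        elif line in LABELS:                # bare label, value comes on the next line
            pending = line
    return entries


def parse_memory_name(name):
    """Extract pid and address range from a memory dump file name, or None."""
    m = MEM_RE.fullmatch(name)
    if not m:
        return None
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "seq": int(seq), "start": start, "end": end, "size": end - start}


def format_size(n):
    """Render a byte count the way the report does (assumed: binary units, MB to one decimal)."""
    if n < 1024:
        return f"{n}B"
    if n < 1024 ** 2:
        return f"{n / 1024:.0f}KB"
    return f"{n / 1024 ** 2:.1f}MB"


def check_memory_sizes(entries):
    """(name, stated size, size computed from the address range, agree?) per memory dump."""
    results = []
    for e in entries:
        region = parse_memory_name(e["name"])
        if region is None or "Filesize" not in e:
            continue
        computed = format_size(region["size"])
        results.append((e["name"], e["Filesize"], computed, computed == e["Filesize"]))
    return results


def digest_bytes(data):
    return {alg.upper(): hashlib.new(alg, data).hexdigest() for alg in ALGOS}


def digest_file(path, chunk=1 << 20):
    hs = {alg: hashlib.new(alg) for alg in ALGOS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {alg.upper(): h.hexdigest() for alg, h in hs.items()}


def find_matches(digests, entries):
    """Entries whose strongest listed hash matches the given digests: [(name, algorithm)]."""
    hits = []
    for e in entries:
        for alg in ("SHA512", "SHA256", "SHA1", "MD5"):
            if alg in e and e[alg].lower() == digests[alg]:
                hits.append((e["name"], alg))
                break
    return hits


if __name__ == "__main__":
    iocs = parse_report(REPORT_EXCERPT)
    for name, stated, computed, ok in check_memory_sizes(iocs):
        print(f"{'ok ' if ok else 'BAD'} {name}: stated {stated}, range gives {computed}")
    for path in sys.argv[1:]:               # files to compare against the IOC set
        print(path, find_matches(digest_file(path), iocs) or "no match")
```

Run it with one or more file paths to compare them against the hashes; matching on SHA512 or SHA256 first avoids trusting MD5 alone. The size check is there because the repeated 1.1MB regions across several PIDs are the kind of thing an analyst will want to compare with the 1.0MB dropped executable, but the report itself does not say what those regions contain, so treat any such link as a hypothesis to confirm from the dumps.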