Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2024, 02:32

General

  • Target

    JaffaCakes118_878dcee76a13035d14d5356aa5dbcbd47cebac2895ec350ed84d73a50bc40f41.exe

  • Size

    1.3MB

  • MD5

    efc2f1ade97d40cd963071750ed36d46

  • SHA1

    7f4f75fbcec9b09d321fac8971c28b5fb1a5bef8

  • SHA256

    878dcee76a13035d14d5356aa5dbcbd47cebac2895ec350ed84d73a50bc40f41

  • SHA512

    1a3e54c109922847ee73d4df675c6e04b7d9d01bfba2ca252d108ca02265bd500635ca23215565713cefa329b6296d4ace49ad819c65ec216d3fd3ff0afb6903

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 36 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 10 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 12 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_878dcee76a13035d14d5356aa5dbcbd47cebac2895ec350ed84d73a50bc40f41.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_878dcee76a13035d14d5356aa5dbcbd47cebac2895ec350ed84d73a50bc40f41.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1472
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2484
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2276
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1744
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2308
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1772
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2252
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2088
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1344
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1860
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\ja-JP\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1560
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1592
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:764
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1648
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\explorer.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2072
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1724
          • C:\providercommon\wininit.exe
            "C:\providercommon\wininit.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1080
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fjnbjzFmbP.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1864
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2588
                • C:\providercommon\wininit.exe
                  "C:\providercommon\wininit.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2900
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WqeaogqjWu.bat"
                    8⤵
                      PID:1312
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        9⤵
                          PID:2396
                        • C:\providercommon\wininit.exe
                          "C:\providercommon\wininit.exe"
                          9⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1272
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YQG5KQjShu.bat"
                            10⤵
                              PID:1344
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                11⤵
                                  PID:340
                                • C:\providercommon\wininit.exe
                                  "C:\providercommon\wininit.exe"
                                  11⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1528
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat"
                                    12⤵
                                      PID:2800
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        13⤵
                                          PID:1936
                                        • C:\providercommon\wininit.exe
                                          "C:\providercommon\wininit.exe"
                                          13⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2512
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yvlYFj4oEg.bat"
                                            14⤵
                                              PID:3068
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                15⤵
                                                  PID:2080
                                                • C:\providercommon\wininit.exe
                                                  "C:\providercommon\wininit.exe"
                                                  15⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:1496
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3gUlVaPHfz.bat"
                                                    16⤵
                                                      PID:2896
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        17⤵
                                                          PID:1972
                                                        • C:\providercommon\wininit.exe
                                                          "C:\providercommon\wininit.exe"
                                                          17⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2004
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PCaGvPqXNx.bat"
                                                            18⤵
                                                              PID:2508
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                19⤵
                                                                  PID:1568
                                                                • C:\providercommon\wininit.exe
                                                                  "C:\providercommon\wininit.exe"
                                                                  19⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2528
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CV35gbisF1.bat"
                                                                    20⤵
                                                                      PID:900
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        21⤵
                                                                          PID:2928
                                                                        • C:\providercommon\wininit.exe
                                                                          "C:\providercommon\wininit.exe"
                                                                          21⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:1576
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RBIFf9IaIr.bat"
                                                                            22⤵
                                                                              PID:1492
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                23⤵
                                                                                  PID:2088
                                                                                • C:\providercommon\wininit.exe
                                                                                  "C:\providercommon\wininit.exe"
                                                                                  23⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:2416
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\goxiuQmrpE.bat"
                                                                                    24⤵
                                                                                      PID:2976
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        25⤵
                                                                                          PID:2344
                                                                                        • C:\providercommon\wininit.exe
                                                                                          "C:\providercommon\wininit.exe"
                                                                                          25⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:2960
                                                                                          • C:\Windows\System32\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OxVZsORhRP.bat"
                                                                                            26⤵
                                                                                              PID:1684
                                                                                              • C:\Windows\system32\w32tm.exe
                                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                27⤵
                                                                                                  PID:952
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3008
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3060
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2476
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:344
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2760
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2564
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2232
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:980
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1304
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2920
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1672
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1040
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:988
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1512
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2908
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2868
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1148
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\DigitalLocker\ja-JP\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:264
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\ja-JP\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:340
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\DigitalLocker\ja-JP\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1852
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2520
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
    1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2556
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2456
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\providercommon\wininit.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2784
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1740
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2040
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2340
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2024
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:424
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\explorer.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2352
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1328
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1360
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1872
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1528
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1568
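The eighteen schtasks invocations above follow one pattern: a dropped copy of a Windows process name (cmd.exe, lsass.exe, explorer.exe, wininit.exe, winlogon.exe, lsm.exe) placed in a non-system directory, registered once ONLOGON with /rl HIGHEST and twice more on a MINUTE schedule, under a task name that is the binary's stem or the stem with its first letter appended. The following Python script is an added detection example written for this report; it is not part of the sandbox output or of DCRat. It parses schtasks /create command lines (as logged in Sysmon event 1 or Security 4688) and flags that pattern. The legitimate-home table and the 15-minute threshold are assumptions chosen for the example; the sample lines are copied from the process tree above, plus one constructed benign task.

```python
"""Triage schtasks /create command lines for the persistence pattern seen above.

Added example for this report, not sandbox or malware code. The LEGIT_HOMES
table and the 15-minute threshold are assumptions made for the example.
"""
import re
from pathlib import PureWindowsPath

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Where each masqueraded binary legitimately lives (lower-cased directories).
LEGIT_HOMES = {
    "lsass.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "wininit.exe": {r"c:\windows\system32"},
    "lsm.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "svchost.exe": SYSTEM_DIRS,
    "cmd.exe": SYSTEM_DIRS,
    "explorer.exe": {r"c:\windows"},
}

# /switch value pairs; the value is a double-quoted string or a single token.
SWITCH_RE = re.compile(r'/(tn|sc|mo|tr|rl)\s+("[^"]*"|\S+)', re.IGNORECASE)


def parse_schtasks(cmdline):
    """Return the /tn, /sc, /mo, /tr and /rl values of a schtasks command line."""
    return {sw.lower(): val.strip('"') for sw, val in SWITCH_RE.findall(cmdline)}


def action_path(tr):
    """Extract the executable from a /tr value: a quoted path or the first token."""
    tr = tr.strip()
    if tr[:1] in ("'", '"'):
        end = tr.find(tr[0], 1)
        return tr[1:end] if end > 0 else tr[1:]
    return tr.split()[0]


def assess(cmdline):
    """Return (task_name, findings) for one schtasks /create command line."""
    args = parse_schtasks(cmdline)
    tn = args.get("tn", "").lower()
    findings = []
    if "tr" not in args:
        return tn, findings
    path = PureWindowsPath(action_path(args["tr"]))
    base, parent = path.name.lower(), str(path.parent).lower()
    if base in LEGIT_HOMES and parent not in LEGIT_HOMES[base]:
        findings.append(f"{base} launched from non-system directory {path.parent}")
    # Naming seen in this report: stem, or stem + its own first letter
    # (lsass -> lsassl, cmd -> cmdc, explorer -> explorere).
    stem = path.stem.lower()
    if stem and tn in (stem, stem + stem[0]):
        findings.append(f"task name {tn!r} mimics {base}")
    if args.get("sc", "").upper() == "MINUTE":
        every = int(args["mo"]) if args.get("mo", "").isdigit() else 1
        if every <= 15:
            findings.append(f"re-launched every {every} minute(s)")
    if args.get("rl", "").upper() == "HIGHEST":
        findings.append("runs at highest privilege level (/rl HIGHEST)")
    return tn, findings


def scan(cmdlines):
    """Return [(task_name, findings)] for every line with at least one finding."""
    hits = []
    for line in cmdlines:
        tn, findings = assess(line)
        if findings:
            hits.append((tn, findings))
    return hits


# Six lines copied from the process tree above, plus one constructed benign task.
SAMPLE_CMDLINES = [
    r"""schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'" /f""",
    r"""schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\ja-JP\lsass.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /f""",
    # Constructed benign task: real cmd.exe from System32, daily, no /rl HIGHEST.
    r"""schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Windows\System32\cmd.exe /c C:\Scripts\backup.bat" /f""",
]

if __name__ == "__main__":
    for tn, findings in scan(SAMPLE_CMDLINES):
        print(f"[{tn}]")
        for f in findings:
            print("  -", f)
```

The path check is the strongest signal on its own: no legitimate lsass.exe, winlogon.exe or lsm.exe is ever started from C:\Recovery or C:\Windows\DigitalLocker. The task-name and MINUTE-interval checks add confidence but also fire on some admin tooling, so treat them as corroborating rather than alerting conditions. On a live host the same logic can be applied to Get-ScheduledTask output by feeding the action's Execute path through action_path.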

                                            Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Downloads

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    713e9fada52a3e08ab3be3ae2c75cf9a

                                                    SHA1

                                                    3613a33ceda900b47a6c12eccd14f2051ed1e89c

                                                    SHA256

                                                    cdecbb27996999d6b5510b9673bf7c4a850199017ac4ce661ecc1330d1ffaf87

                                                    SHA512

                                                    e0fd1983a55322cf5d2d7e037a3b33d22bbf4c141bab2eb0cef4266912a06364a5b359812ea0e0dfdd9948246acf0dd58dc4baf2ed1d732ad3b6f7342d752aef

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    79b23b5222f6b3a194e7de77dcea551a

                                                    SHA1

                                                    9c6278f65aa8275b92e017c445a20507ea874389

                                                    SHA256

                                                    5aa18304cafb0498544e3340b97f3b22370fdeec6f60229fe4054cadd3248e89

                                                    SHA512

                                                    bba4d5adb36e257a42d9889377bf605654bf4353a2f59a5de27456d7381a362c951d23ebc9fe9a9e8819c0415cad57cb91d756d6ca868520a6506767197561e0

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    1f382e83bd4a2fda60a4bc3a42bfad2c

                                                    SHA1

                                                    e79ad2ed9a6a4045c49269674c3fc91a92a4fddf

                                                    SHA256

                                                    8757a9e7ff83b74a9017ab0e429229d133244227748a2ff9d8dbea700c86bae1

                                                    SHA512

                                                    c8f38f2f62907fe5390f4bc7ff8f2af33d38a638c209dc7487087a9adfa6925d4a083b11df0d58bfe7daea1cc2ab1d74e3b7e145a512ecabd612f74d2d511d08

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    08f14c04881d791b3e769d847903cef3

                                                    SHA1

                                                    d40c4f621eac148def500ab1ba9805688951b8f9

                                                    SHA256

                                                    59c54443aadfd75f76154dac8bb67f68797abefae63587d30b451fe6980d49c7

                                                    SHA512

                                                    2f374cf1dbfa53cf4f2a665e2efc75ec9ea707a8ca23cf1d68d8dac64bc16e615c233d85909b398aa7a8482a9ff8f5ab7dba08d9262081887a8217ba4e2dacac

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    cef8670a4d7aa437a3cc451e62dfa044

                                                    SHA1

                                                    23051182da822c7eee44e4bca038194789939bbd

                                                    SHA256

                                                    97c458b48b995606506bfe8dec66309624eee6dcf670865fd45562eddb788610

                                                    SHA512

                                                    57675dfa6169929cc1e4e0f5e42719c16771a94ed93dec7c7913fecb19c7ca0f77dfe4633c228d81c8ca1ae65d2322a005675c1d4e9a6b819ba6c84385236860

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    2c7afe5918aacedecf0c98d3cca96d63

                                                    SHA1

                                                    5cc35a63968b1e60991299ad86a3bdeb6cb0024d

                                                    SHA256

                                                    b9aa12c75bd964600e91c4deb954a08b4d6736383887b1b1f9ea741b900e0732

                                                    SHA512

                                                    6b604451bfe02af7f2891ad6590ce782e4946778c3c8671811a19a4e0fef84d8247f1e5d231f0e718811724dcdbb81137c584ca6c15b2dcdf96cd561d290e294

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    bf1e0480023b97aec6739a252dddf2f3

                                                    SHA1

                                                    5e59b987f013bae4c2e8b4ad67b1cb8d0f9d15a4

                                                    SHA256

                                                    0962025a63b3d381aa2bcb1dc66b846188b7923e82820d70a5d01b7d436912be

                                                    SHA512

                                                    701f59bc58c08ce1e1e1f445e7a8bdc5cf9c55a4870476afae745f2c740254505146d64484a7249c9e94c7747160add3ea24165e3e064cab6f2ab963c400d8eb

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    997e66d7985cd9dbfb54fdbcc32b1f2b

                                                    SHA1

                                                    1f0a730a74f09f48f6d39b7fca74770f3d88b077

                                                    SHA256

                                                    10d96f7482c54cbe0b1b76741d423bc90124423c061b2bab2bf3d7dadc78b84c

                                                    SHA512

                                                    f6668f6aeafb1121ed76af7cba499421a2187214d83b8e3e07eef437480221fb6711c9f2c5bf47405356049f3a13babf3c00e80eaf3c5b9a750ad59edd3e787f

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    a087bc3bdb03a3e5fbdee0f7212a109b

                                                    SHA1

                                                    7ff44c80e384381d6715a4cbed3e0f93ade38a23

                                                    SHA256

                                                    bc524a3aadbeb931f8f69c1785ff488907e1b138d5fbcc8d4fc9c0bbab263fae

                                                    SHA512

                                                    e4aed3215e6560cc9e93dcdd66b4c58fb0db8165db709ebdda9dad55454397f8d8e902694f14286cd05f80e6c60117e4d92366ca7b8be1a762426544e53f19b5

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                    MD5

                                                    fb81cfa7e830a82fab3d169578236e3d

                                                    SHA1

                                                    9120a55e0f68411fd1596602b69d624af947b393

                                                    SHA256

                                                    231da49e64e83380b51402207fd85f6af9bef7f1d73f4c9a28087b5216beadb1

                                                    SHA512

                                                    de52117dca8098b440a36734a5accd8450cdaddc30f1afaff735848f4eb0c66df126baa8b18be95a8e6dffb54ff784c35d6d6a3cbe0db40c235e8993bf422a02

                                                  • C:\Users\Admin\AppData\Local\Temp\3gUlVaPHfz.bat

                                                    Filesize

                                                    194B

                                                    MD5

                                                    4a58b1d13b1c044825656d7f47fed42a

                                                    SHA1

                                                    dadf6fd6a12052b1150c55d3e13822f7171b8b95

                                                    SHA256

                                                    986f58baab91f521df3ab36a6abeb722db87f3a6c1195f761d1acff74499932c

                                                    SHA512

                                                    db66d5673172f6855f00b8d71642c8c35c928167c029ceb88ef777822c514b06579ebb442eb315d7ec757c88f62aa8a560bbd7fc24132228ba878348e5b8eee2

                                                  • C:\Users\Admin\AppData\Local\Temp\CV35gbisF1.bat

                                                    Filesize

                                                    194B

                                                    MD5

                                                    44bcf86e2edda18ce6957eb19d1e6a94

                                                    SHA1

                                                    4eda2f696dc78e93812d5e9e77343bf4e9f2a07d

                                                    SHA256

                                                    54751b022c0b4cd978a290a0a428867ffbcbe52c7471e1134b1829a8fd69e677

                                                    SHA512

                                                    2712d5510bd7b9d2666ce29c3c65f15d01ffb2f7cd2f117a880123b213a24701cb46ca03816700e4e4449284c85faa700b8c2a244453bf06988d26705b4b8f43

                                                  • C:\Users\Admin\AppData\Local\Temp\CabD480.tmp

                                                    Filesize

                                                    70KB

                                                    MD5

                                                    49aebf8cbd62d92ac215b2923fb1b9f5

                                                    SHA1

                                                    1723be06719828dda65ad804298d0431f6aff976

                                                    SHA256

                                                    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                    SHA512

                                                    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                  • C:\Users\Admin\AppData\Local\Temp\OxVZsORhRP.bat

                                                    Filesize

                                                    194B

                                                    MD5

                                                    1712a999cb3208d876efae4b3e0b13a1

                                                    SHA1

                                                    c819991344936830b5ba7125986ba25d61de7f0d

                                                    SHA256

                                                    ec2643c8d2d98196645870d68ba569a21c30e636608a2677e21609c6257687f8

                                                    SHA512

                                                    d6e8e664fdf009f716df0db7b86e06e43105da8a81afdbac784c58b2a5e1cc0fdc5906226ecf4679d883f4aff64e91f394b0b97c969474a812dbe0a742224b43

                                                  • C:\Users\Admin\AppData\Local\Temp\PCaGvPqXNx.bat

                                                    Filesize

                                                    194B

                                                    MD5

                                                    f09699b5dc3232b2fd245a3d992a2148

                                                    SHA1

                                                    2499f7d1ad1cbe8e12f79241b45895faf593b422

                                                    SHA256

                                                    228d90742ec6b0e39bb756f611b335976d960c3abfae9eb8c8fdf4446acea7fd

                                                    SHA512

                                                    cf1adf9fd957d0dc27fbf5d27570bfa1697a4621045f183c5b9ab72fb467238818ce93abeeb4e041fd0dfddf29b46052beec9358d8937561c988e5a0bc37b97e

                                                  • C:\Users\Admin\AppData\Local\Temp\RBIFf9IaIr.bat

                                                    Filesize

                                                    194B

                                                    MD5

                                                    7395f753317e32eb3d7268fd6a98e5bf

                                                    SHA1

                                                    0bc23ed0638fd87853393fbbdc7326b222f6992a

                                                    SHA256

                                                    28c74bec9a8b43a5c19ddf85ba1d5b16dc320b5b7d02db20f8fe87fbb3bceaee

                                                    SHA512

                                                    785d047906b6a86fd7f274a921c02f1c220f3b712759ac33c93efa3512671bc4d67ea7510f93a047597b12bcbd94f7b73e6b10063cb4ed37bca196cd50dec31a

                                                  • C:\Users\Admin\AppData\Local\Temp\TarD4C2.tmp

                                                    Filesize

                                                    181KB

                                                    MD5

                                                    4ea6026cf93ec6338144661bf1202cd1

                                                    SHA1

                                                    a1dec9044f750ad887935a01430bf49322fbdcb7

                                                    SHA256

                                                    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                    SHA512

                                                    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                                  • C:\Users\Admin\AppData\Local\Temp\WqeaogqjWu.bat

                                                    Filesize

                                                    194B

                                                    MD5

                                                    8f96fb08565e1a46831b5b5e11b8b145

                                                    SHA1

                                                    8f6aeb8336139abb8692ac643d75533cfc6ab974

                                                    SHA256

                                                    80d01bc8338c0a5f342e568049be17565ca5a581afe320e81055a4c030807a2a

                                                    SHA512

                                                    ed0c2ce0bf4ec0f6813720f266cce5f40f4705e74129b945fc70d112d4a21711732fa53c98f625a46c30c9005955e49ea39169bfe01bcd74fe6b9b527771bd79

                                                  • C:\Users\Admin\AppData\Local\Temp\YQG5KQjShu.bat

                                                    Filesize

                                                    194B

                                                    MD5

                                                    dda5d5b4941e70c7e7ee4eb0af3b467c

                                                    SHA1

                                                    aaa569e5b1aa83bb8ce633fe02eaca694b889f51

                                                    SHA256

                                                    cd4981593a4d059afdfc9773f31fbbf67a38f6dc7fbb67f33f23803fa10f5d68

                                                    SHA512

                                                    0d729993bade2b3ed1f6db7da26c6c8d235150a3ccd9ea661a00284580dba8e7431c6c13bf85bf63e598dead0b57feed3e9e4e2889d97022ff6a7d7236876648

                                                  • C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat

                                                    Filesize

                                                    194B

                                                    MD5

                                                    2319b7a71cf582e4dd4a772c35d9c412

                                                    SHA1

                                                    2cd8af0235f75357b4188591f1832d2285073623

                                                    SHA256

                                                    b3a7c74f9c235bd19bff44899b3aaea24f12aa585e462399519275c7a8179a13

                                                    SHA512

                                                    bef9c365293c4613a541bdd0ce8dadaca473fa756be0f98056397a6748868cf647c0d0e6b5af7861ba6b861ea29ad17044a6f56c07bf4a93c5283e51b4c21c43

                                                  • C:\Users\Admin\AppData\Local\Temp\fjnbjzFmbP.bat

                                                    Filesize

                                                    194B

                                                    MD5

                                                    136642c35424c32a8e30975a4d38a404

                                                    SHA1

                                                    063f6109b297e9744ff4ca9626ae70900921267d

                                                    SHA256

                                                    3baf416a6dbc57ddfd98a68ec7e47f31690096ad4ab59ff161b09da9f9c7f2aa

                                                    SHA512

                                                    56a4c3b26b9b425fc04bedfe6f6e8b32898e994e5548ee5f7c09cd824c0f6f30bc7e034b5989cc9be6835cd712cf559c0e163ba5dd86de23f12de1e3e4ea78df

                                                  • C:\Users\Admin\AppData\Local\Temp\goxiuQmrpE.bat

                                                    Filesize

                                                    194B

                                                    MD5

                                                    f0900c27c7574301cb9ac7c94c91eda8

                                                    SHA1

  SHA1: 07e25cb8ff48a07230c8347ea21eb6e7cdf2e174
  SHA256: 13341d337b6bb8f836aec134d37b4bf55af6f2f6eaf34d6cc5c2a776040e028b
  SHA512: e8561f9ba27e7b085bb1fdb2f3f8db4c480f95a70d42609b0bf4186bdb536e4968157bf8c1a6687a91d83811f2fb41b1b6d3cb0e1003e039926751eb15dfbe73

• C:\Users\Admin\AppData\Local\Temp\yvlYFj4oEg.bat
  Filesize: 194B
  MD5: c61fcb99753939925b3d9b038752f233
  SHA1: 9b910e8e33e82e7fdf446762f6dff26c346346dc
  SHA256: e83930b98433adc2c437219899b24051fa2bee53243dd4d790c737771054e86b
  SHA512: 282fc85ae39c9b3bfddf330a5d91804a73df60c543f9e7baab39d2e16bb0e98ffaa80921434c16ff49282c58975d921a659d3fe480715f8e9501e95c6ae01870

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: f421ef38a65735191fb128b8d5e7effb
  SHA1: 68f2c2c6a831e9762ef0b523776114ffa2083306
  SHA256: 21efd8431e2a881f5ff68005dc97eb6073a8fb45da45dc953e4a7426d64cf607
  SHA512: 084279d13fd5db72b3109054155ffdb6dd566d955294400c9543c0ff1de3c97687bc1c0f10f40e3184a2ba583c8d8d69fb5dc1b3ec00f2f01d2cdbea0de22d40

• C:\providercommon\1zu9dW.bat
  Filesize: 36B
  MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

• C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
  Filesize: 197B
  MD5: 8088241160261560a02c84025d107592
  SHA1: 083121f7027557570994c9fc211df61730455bb5
  SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

• \providercommon\DllCommonsvc.exe
  Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

• memory/1080-48-0x0000000000D90000-0x0000000000EA0000-memory.dmp
  Filesize: 1.1MB

• memory/1272-233-0x00000000013D0000-0x00000000014E0000-memory.dmp
  Filesize: 1.1MB

• memory/1496-411-0x00000000000C0000-0x00000000001D0000-memory.dmp
  Filesize: 1.1MB

• memory/1576-593-0x00000000004D0000-0x00000000004E2000-memory.dmp
  Filesize: 72KB

• memory/1576-592-0x0000000000270000-0x0000000000380000-memory.dmp
  Filesize: 1.1MB

• memory/1724-84-0x00000000026E0000-0x00000000026E8000-memory.dmp
  Filesize: 32KB

• memory/2004-471-0x0000000000040000-0x0000000000150000-memory.dmp
  Filesize: 1.1MB

• memory/2004-472-0x0000000000540000-0x0000000000552000-memory.dmp
  Filesize: 72KB

• memory/2252-59-0x000000001B710000-0x000000001B9F2000-memory.dmp
  Filesize: 2.9MB

• memory/2276-14-0x0000000000450000-0x0000000000462000-memory.dmp
  Filesize: 72KB

• memory/2276-15-0x0000000000460000-0x000000000046C000-memory.dmp
  Filesize: 48KB

• memory/2276-16-0x0000000000A10000-0x0000000000A1C000-memory.dmp
  Filesize: 48KB

• memory/2276-13-0x0000000001320000-0x0000000001430000-memory.dmp
  Filesize: 1.1MB

• memory/2276-17-0x0000000000A20000-0x0000000000A2C000-memory.dmp
  Filesize: 48KB

• memory/2416-653-0x00000000010D0000-0x00000000011E0000-memory.dmp
  Filesize: 1.1MB

• memory/2528-532-0x0000000000A30000-0x0000000000B40000-memory.dmp
  Filesize: 1.1MB

• memory/2900-173-0x0000000000DD0000-0x0000000000EE0000-memory.dmp
  Filesize: 1.1MB