Analysis

  • max time kernel
    144s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    30/12/2024, 02:11

General

  • Target

    JaffaCakes118_7904ef7344839fd1821fc0752a0fca2d1f2e5b960abad349965a765a938c83b3.exe

  • Size

    1.3MB

  • MD5

    0c93adef1f446b176823e9abadbace8f

  • SHA1

    29dd5b0869788817706bc9ae119d111e28af0cab

  • SHA256

    7904ef7344839fd1821fc0752a0fca2d1f2e5b960abad349965a765a938c83b3

  • SHA512

    9da8c2f41d65860c3732b8c269d676aa960187c530961030e745cea68934d4267a2301896fcdf8a86c100dd7305aed9480e51f5cfdfe89713e853fc24a5258a7

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 39 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 12 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7904ef7344839fd1821fc0752a0fca2d1f2e5b960abad349965a765a938c83b3.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7904ef7344839fd1821fc0752a0fca2d1f2e5b960abad349965a765a938c83b3.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2184
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1272
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2688
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:888
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\System\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2460
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:704
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2424
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2324
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2540
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\audiodg.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2520
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Links\conhost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2228
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\WMIADAP.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:780
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1776
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:564
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2512
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2172
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:592
          • C:\Users\Default User\lsass.exe
            "C:\Users\Default User\lsass.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2420
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pkopelt31u.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2284
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2224
                • C:\Users\Default User\lsass.exe
                  "C:\Users\Default User\lsass.exe"
                  7⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1920
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XIXHPi7vyc.bat"
                    8⤵
                      PID:2264
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        9⤵
                          PID:2080
                        • C:\Users\Default User\lsass.exe
                          "C:\Users\Default User\lsass.exe"
                          9⤵
                          • Executes dropped EXE
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:644
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat"
                            10⤵
                              PID:2424
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                11⤵
                                  PID:2924
                                • C:\Users\Default User\lsass.exe
                                  "C:\Users\Default User\lsass.exe"
                                  11⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2940
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F4MZx53eLu.bat"
                                    12⤵
                                      PID:2296
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        13⤵
                                          PID:2140
                                        • C:\Users\Default User\lsass.exe
                                          "C:\Users\Default User\lsass.exe"
                                          13⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:3004
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat"
                                            14⤵
                                              PID:2340
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                15⤵
                                                  PID:2748
                                                • C:\Users\Default User\lsass.exe
                                                  "C:\Users\Default User\lsass.exe"
                                                  15⤵
                                                  • Executes dropped EXE
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2080
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat"
                                                    16⤵
                                                      PID:2512
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        17⤵
                                                          PID:2756
                                                        • C:\Users\Default User\lsass.exe
                                                          "C:\Users\Default User\lsass.exe"
                                                          17⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2424
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1e6qhBZ49x.bat"
                                                            18⤵
                                                              PID:1952
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                19⤵
                                                                  PID:2196
                                                                • C:\Users\Default User\lsass.exe
                                                                  "C:\Users\Default User\lsass.exe"
                                                                  19⤵
                                                                  • Executes dropped EXE
                                                                  PID:2484
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GKRF07RVHS.bat"
                                                                    20⤵
                                                                      PID:2920
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        21⤵
                                                                          PID:3016
                                                                        • C:\Users\Default User\lsass.exe
                                                                          "C:\Users\Default User\lsass.exe"
                                                                          21⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:2496
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TiDn8Em9ri.bat"
                                                                            22⤵
                                                                              PID:1144
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                23⤵
                                                                                  PID:2392
                                                                                • C:\Users\Default User\lsass.exe
                                                                                  "C:\Users\Default User\lsass.exe"
                                                                                  23⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:1740
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat"
                                                                                    24⤵
                                                                                      PID:2548
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        25⤵
                                                                                          PID:2468
                                                                                        • C:\Users\Default User\lsass.exe
                                                                                          "C:\Users\Default User\lsass.exe"
                                                                                          25⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:1264
                                                                                          • C:\Windows\System32\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ctDgUbHuaY.bat"
                                                                                            26⤵
                                                                                              PID:2296
                                                                                              • C:\Windows\system32\w32tm.exe
                                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                27⤵
                                                                                                  PID:1788
                                                                                                • C:\Users\Default User\lsass.exe
                                                                                                  "C:\Users\Default User\lsass.exe"
                                                                                                  27⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:1952
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\System\System.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2940
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\System.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2780
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\System\System.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2924
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\csrss.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2768
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2708
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\csrss.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2616
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2000
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:644
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1720
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\providercommon\wininit.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2928
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2888
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2468
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Desktop\Idle.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2312
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\Idle.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2320
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Desktop\Idle.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:808
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2916
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1596
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1288
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Links\conhost.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1252
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\Links\conhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1764
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Links\conhost.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2692
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\WMIADAP.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2248
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\WMIADAP.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2212
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\WMIADAP.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1440
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2280
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1520
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1476
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\lsm.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1104
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\lsm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:2480
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\lsm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1480
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\lsass.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1888
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1040
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1600
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\Sample Music\dwm.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:880
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\dwm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1924
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\Sample Music\dwm.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1680
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\providercommon\services.exe'" /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:812
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1380
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
                                              1⤵
                                              • Process spawned unexpected child process
                                              • Scheduled Task/Job: Scheduled Task
                                              PID:1780

                                            Network

                                                  MITRE ATT&CK Enterprise v15

                                                  Downloads

                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                    Filesize

                                                    342B

                                                  • C:\Users\Admin\AppData\Local\Temp\1e6qhBZ49x.bat

                                                    Filesize

                                                    196B

                                                  • C:\Users\Admin\AppData\Local\Temp\CabFCA9.tmp

                                                    Filesize

                                                    70KB

                                                  • C:\Users\Admin\AppData\Local\Temp\F4MZx53eLu.bat

                                                    Filesize

                                                    196B

                                                  • C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat

                                                    Filesize

                                                    196B

                                                  • C:\Users\Admin\AppData\Local\Temp\Pkopelt31u.bat

                                                    Filesize

                                                    196B

                                                  • C:\Users\Admin\AppData\Local\Temp\TarFCBB.tmp

                                                    Filesize

                                                    181KB

                                                  • C:\Users\Admin\AppData\Local\Temp\TiDn8Em9ri.bat

                                                    Filesize

                                                    196B

                                                  • C:\Users\Admin\AppData\Local\Temp\XIXHPi7vyc.bat

                                                    Filesize

                                                    196B

                                                  • C:\Users\Admin\AppData\Local\Temp\ctDgUbHuaY.bat

                                                    Filesize

                                                    196B

                                                  • C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat

                                                    Filesize

                                                    196B

                                                  • C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat

                                                    Filesize

                                                    196B

                                                  • C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat

                                                    Filesize

                                                    196B

                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\O7W4XF1XZGEWDTO5ND3H.temp

                                                    Filesize

                                                    7KB


                                                  • C:\providercommon\1zu9dW.bat

                                                    Filesize

                                                    36B


                                                  • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                    Filesize

                                                    197B


                                                  • \providercommon\DllCommonsvc.exe

                                                    Filesize

                                                    1.0MB

