Analysis

  • max time kernel
    145s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2024, 02:21

General

  • Target

    JaffaCakes118_c2f3e89a44f9fd3353c2ef68b77280937638a747b44305dbde714ac935861def.exe

  • Size

    1.3MB

  • MD5

    387324709c0a9d8986ef46494a80ea24

  • SHA1

    19d1271cd48e42a88ec2e02254efac61e2c2b64c

  • SHA256

    c2f3e89a44f9fd3353c2ef68b77280937638a747b44305dbde714ac935861def

  • SHA512

    f2a0ae08559c298b44d7e32ba3e4e56c609975ba02dd3de04c4a2253c6a13daeea7c5b56c95d524df9a54559ffd27a71cd78eb53a9ba89654286681629e82bab

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 45 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c2f3e89a44f9fd3353c2ef68b77280937638a747b44305dbde714ac935861def.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c2f3e89a44f9fd3353c2ef68b77280937638a747b44305dbde714ac935861def.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2196
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1636
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1464
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2708
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2360
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:880
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:864
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:860
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Favorites\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2308
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2132
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\it-IT\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1548
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\de-DE\lsass.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1576
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2184
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1936
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2204
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\System.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2648
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1764
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2384
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:788
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:376
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\twjiYCOL1g.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2448
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2500
              • C:\Users\Default User\System.exe
                "C:\Users\Default User\System.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1752
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OvjOVLkpjd.bat"
                  7⤵
                    PID:2084
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      8⤵
                        PID:1308
                      • C:\Users\Default User\System.exe
                        "C:\Users\Default User\System.exe"
                        8⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2336
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pI0EcicZAo.bat"
                          9⤵
                            PID:1956
                            • C:\Windows\system32\w32tm.exe
                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                              10⤵
                                PID:1764
                              • C:\Users\Default User\System.exe
                                "C:\Users\Default User\System.exe"
                                10⤵
                                • Executes dropped EXE
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2340
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\76lQa6YaxV.bat"
                                  11⤵
                                    PID:2268
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      12⤵
                                        PID:2564
                                      • C:\Users\Default User\System.exe
                                        "C:\Users\Default User\System.exe"
                                        12⤵
                                        • Executes dropped EXE
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1836
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5PKlq1uIo.bat"
                                          13⤵
                                            PID:2780
                                            • C:\Windows\system32\w32tm.exe
                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                              14⤵
                                                PID:1516
                                              • C:\Users\Default User\System.exe
                                                "C:\Users\Default User\System.exe"
                                                14⤵
                                                • Executes dropped EXE
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:1788
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UxOjVeUiuv.bat"
                                                  15⤵
                                                    PID:2760
                                                    • C:\Windows\system32\w32tm.exe
                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                      16⤵
                                                        PID:1588
                                                      • C:\Users\Default User\System.exe
                                                        "C:\Users\Default User\System.exe"
                                                        16⤵
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2552
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\raSqT8qddO.bat"
                                                          17⤵
                                                            PID:2588
                                                            • C:\Windows\system32\w32tm.exe
                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                              18⤵
                                                                PID:2132
                                                              • C:\Users\Default User\System.exe
                                                                "C:\Users\Default User\System.exe"
                                                                18⤵
                                                                • Executes dropped EXE
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:284
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tA3KztjMoN.bat"
                                                                  19⤵
                                                                    PID:568
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      20⤵
                                                                        PID:2352
                                                                      • C:\Users\Default User\System.exe
                                                                        "C:\Users\Default User\System.exe"
                                                                        20⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:3020
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gWC6ojzqIZ.bat"
                                                                          21⤵
                                                                            PID:376
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              22⤵
                                                                                PID:2720
                                                                              • C:\Users\Default User\System.exe
                                                                                "C:\Users\Default User\System.exe"
                                                                                22⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:1944
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LdHmevWlG3.bat"
                                                                                  23⤵
                                                                                    PID:2012
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      24⤵
                                                                                        PID:1216
                                                                                      • C:\Users\Default User\System.exe
                                                                                        "C:\Users\Default User\System.exe"
                                                                                        24⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:1484
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2812
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2912
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2736
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\lsm.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2564
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lsm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2632
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\lsm.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:796
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2088
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2312
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2628
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Favorites\wininit.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1716
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Favorites\wininit.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2856
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Favorites\wininit.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2744
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2096
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:284
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2868
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\spoolsv.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1996
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2948
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2020
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\lsass.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2116
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\lsass.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2964
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\lsass.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2296
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\providercommon\wininit.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2280
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:268
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:340
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2124
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:872
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1128
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\DllCommonsvc.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:272
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\Tasks\DllCommonsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1608
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Windows\Tasks\DllCommonsvc.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1236
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\System.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2524
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1824
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1956
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2180
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2444
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2240
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1528
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:752
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1728
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\Temp\spoolsv.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1412
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Temp\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:564
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\Temp\spoolsv.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:972
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2420
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:1676
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Scheduled Task/Job: Scheduled Task
                                          PID:2136

                                        Network

                                              MITRE ATT&CK Enterprise v15

                                              Replay Monitor

                                              Loading Replay Monitor...

                                              Downloads

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                f7a45bd1b7e07e2f256ec9984caf202c

                                                SHA1

                                                8842e08f5a43a6c86b497485a4d21fed6f0ccdde

                                                SHA256

                                                3f4d09b2bef361cdee545d806253f974419ba626ce1ade396f61125546d9cd1c

                                                SHA512

                                                6664a7d7fbeefa8032fe98d53610f71a7e7daf36748a39cdf5fd8d20318f8451f94c89666980b2955b3264fc4f2a46126367f9217376817f55e53e014adb3262

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                6637a1a6630579712a31dedac0a940b6

                                                SHA1

                                                0328b0e5f630b4c9a48bef37e375fb9ca1175a8e

                                                SHA256

                                                930ce325c2eee6bb049f7ba307252f1a237d2b7d490ef100f5c8a3e74ba326b7

                                                SHA512

                                                d3ab37ee67386cab561a2991d792728737524cdb75d52780f957e0a12a2815aba87743a9784777f38f17a267d3ea084e492d1ecbaef5a5e8c468fd8b58c03ab8

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                8511165c94cb57b2e7bdae07f3be2c87

                                                SHA1

                                                6c39e792394229883bfd57add26eadc12f4a9c29

                                                SHA256

                                                ec48a7092b8e8021097998acca0ad0c805252ebed3ccd1fec5ccf85f18aab689

                                                SHA512

                                                160b78fbb1588e9396db14976ebf8cd4a468bbf38e765fa2bb811ec4e82dc6b4917b3352ad76c3cfe285b99433e577c1db1392383a2f2347bee2f02257ff9170

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                f13a06954a35af48aabe35384343db8f

                                                SHA1

                                                6f120c097c96fe8676cddcae6a0bfd6fda4fb70d

                                                SHA256

                                                ee0e20a45bd264b5f307360e572ba97480d869818f30ee0d7523b7e3b9922ca6

                                                SHA512

                                                663417098e93bfb4dc0f67020c6c95d5b50ad46539c38347f22a02abd075329c859a3c416d349de336203ec7de14c1e99dc20693b07b21b6451b0d6547d12cc7

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                c470ef76f65a11554a4874e37bc161bf

                                                SHA1

                                                4cd3e9ec9ef7137dfba59881dd51024c9d4d1c4b

                                                SHA256

                                                fda26a542ed6e75894d6bd62a8bff8c55b5843d10e04e1d2147270b995c2f4e9

                                                SHA512

                                                9e239913ced8403c9b03048002d3c4d5d7aab3aad99cebbf6cc9a6c71b8bb5e88e7d88795c341c077f80eba0e69af62682a155197ea4663727875d443c7490c6

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                1a37268821742d497e6175aae5592313

                                                SHA1

                                                7dc0acacaf935b6c071e7cfd44a02b8939c7e553

                                                SHA256

                                                448bcc9cc1d3881b1d4a90e2fddd72558fc8d5f8a48a7e108a9cbca91e5cc21d

                                                SHA512

                                                b407fb80c81c32e01dd06ce55f82d830b09679540af0d37ecd6630a4b1d4d1d59bb47f445e72713e4c5f2ead6cb44f0879647febffb8bdbb35b8a091d4b60be1

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                f159f427a78a2a6bcc0f11c763a446af

                                                SHA1

                                                d64aaf39ab345b28a04db9268035397769966d03

                                                SHA256

                                                070eb3dff7d5407fd27bf8c9a57dfcb03313e6740a3ee2166d945649e16eb270

                                                SHA512

                                                f29fdaf737e080f4e9fc4f05c2add9b2425b15b3fc8622e0a6ef904948d6fb89a02aeedd956fb90e81e7e374210c32b137a1f91d76811b3e0011cc19aa5816e5

                                              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                Filesize

                                                342B

                                                MD5

                                                949bbdd9f0596f149d83d4d9025e9ebc

                                                SHA1

                                                c03abb21c0b408113de16ea388aab7b0f43210e7

                                                SHA256

                                                d186657da0dd646084c969a15e2d66a4c243316cb2a4943fc101bc4763e9952a

                                                SHA512

                                                3c23de1b9fd2a3c9395cf4c786a6f7f09fdb436a2268d4c594f9a95dc947c10f25be4cf494019e8fbab7942426e7d0a588f954b75ce48f25fd386598f6e8021b

                                              • C:\Users\Admin\AppData\Local\Temp\76lQa6YaxV.bat

                                                Filesize

                                                197B

                                                MD5

                                                3b2418f59a47016ea773eb4492e9a5c5

                                                SHA1

                                                e1c5c1542ec0511d14b0b3b19a44f2ce797e8bc2

                                                SHA256

                                                b1db49ba1af1d76069b27523d06b6a814957378ba7afd412c3900c07406e17f9

                                                SHA512

                                                7b7c73c21a674292c54c27270149e5e163589c76c8e789c8c31ae301958b464b1b3a63ac06472162c71b028bd3afe7f94460c15480e1c9867a542d250973df76

                                              • C:\Users\Admin\AppData\Local\Temp\Cab8E8.tmp

                                                Filesize

                                                70KB

                                                MD5

                                                49aebf8cbd62d92ac215b2923fb1b9f5

                                                SHA1

                                                1723be06719828dda65ad804298d0431f6aff976

                                                SHA256

                                                b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                SHA512

                                                bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                              • C:\Users\Admin\AppData\Local\Temp\LdHmevWlG3.bat

                                                Filesize

                                                197B

                                                MD5

                                                20dc8461d992db0114fdc1ee20854326

                                                SHA1

                                                aff1b6cd9e6bb5854f2b5f195b04f0886db74e47

                                                SHA256

                                                59621bf4f5b9a798f5826b71818ac66d1f9a968d2509b04e5a255730e0b19ceb

                                                SHA512

                                                6a21b28ccb0baecddadff43a0d02ec9f0bd7870bfd31cee87ae62751eadaeb3d11df0291f45668b05cb7879d5c6b5d63bbda8638e7a857575df3bb3c5cfdd44b

                                              • C:\Users\Admin\AppData\Local\Temp\OvjOVLkpjd.bat

                                                Filesize

                                                197B

                                                MD5

                                                915b8fbef34331608657dbcaaca2e36e

                                                SHA1

                                                0a898194a1b35c38a517634201d5400e47bc7509

                                                SHA256

                                                31c408675f6a9215f34561908aa714da6fd37bd8d30c367a5873a93135bceb50

                                                SHA512

                                                4e899a1884f186e3033f6e655d3dd0e309b9434a2d7d6df6801fdb0c34aeed793278e6b680caf8e696c94f260766778f7a485bf94587292145527aa1d1391dbf

                                              • C:\Users\Admin\AppData\Local\Temp\Tar8FB.tmp

                                                Filesize

                                                181KB

                                                MD5

                                                4ea6026cf93ec6338144661bf1202cd1

                                                SHA1

                                                a1dec9044f750ad887935a01430bf49322fbdcb7

                                                SHA256

                                                8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                SHA512

                                                6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                              • C:\Users\Admin\AppData\Local\Temp\UxOjVeUiuv.bat

                                                Filesize

                                                197B

                                                MD5

                                                4f16af83a7e44444a7e2466b1da1f285

                                                SHA1

                                                5652dcb31da82832ced9f05859668721c6e409f2

                                                SHA256

                                                afed3b6f8c43ab38d1506009e05386d9e2cb3fb840b8c349d8ac2917fdee6992

                                                SHA512

                                                b9ee1e0b267545eff87a9892c4425801d46e5e9b18d78824e707d278bbc1be19d8210305f12675f7d2350859c8ddaafd17ecdde3964993980945490f9f1731d0

                                              • C:\Users\Admin\AppData\Local\Temp\gWC6ojzqIZ.bat

                                                Filesize

                                                197B

                                                MD5

                                                c7eb8e3da3cf503eb3ef39a7e7fc6268

                                                SHA1

                                                bac7189ee60bcac8e9b59f51579e88b4ad11c3f8

                                                SHA256

                                                b552ca5ca4a7dde27a43907d59561769b0f73935668c8fe1b0ffe5529fda33cd

                                                SHA512

                                                83b63ed3ebf2a943965cf2369fd2ce50e59baba4c28c7e32bddbe25259261a8a0d40ca9d7127c8b55068966308cd9b221f74f2e52c2e6811f2268e3515c13377

                                              • C:\Users\Admin\AppData\Local\Temp\j5PKlq1uIo.bat

                                                Filesize

                                                197B

                                                MD5

                                                09c4a27cd234fd3a14ed8bda6e4026c0

                                                SHA1

                                                c354de76a65ee4736d4418ececcb35c9519167da

                                                SHA256

                                                295fcf040abda43179a31ad580a0ad13d9969360fe85e5103a391ef1f1a46eba

                                                SHA512

                                                3edbbffec76fc3ea176039feb81eee7c1a85f09220a20156c5e8b3144102867533355fbb940970eb7520ae27511e0b2215a63a4f85aaf59aaadbbab1b18277bc

                                              • C:\Users\Admin\AppData\Local\Temp\pI0EcicZAo.bat

                                                Filesize

                                                197B

                                                MD5

                                                0714a1f694fcbc84192bc180e05ab621

                                                SHA1

                                                785feefa9c966e16c8e502dc3805789ecb12dd24

                                                SHA256

                                                82ed1beea105835e1429f081ceaac6410d262095fdcf4b99d833d960fd4e50f4

                                                SHA512

                                                771987941946cbb593dced7d6ee97ab1098d462c2a8d2497283a39fbed6fd4f424bd18c78611448e37d3364ff6f9e3f644d9f0440b0217b845699f81143dc719

                                              • C:\Users\Admin\AppData\Local\Temp\raSqT8qddO.bat

                                                Filesize

                                                197B

                                                MD5

                                                51ef442bd92b27c6aba77ae0c80e10fd

                                                SHA1

                                                0145033651b791b7d9a5cb8fba6c73b2d68cef48

                                                SHA256

                                                b6d286b390ab719fcff9c233c31aa3fbff5e467111d71e12465ac3de24fae366

                                                SHA512

                                                1ce02d03db018b5bb1edec85f870caca6d116cab4094a873280ad02e10319883abdf3170bc8534d62ac4f56d7bb4681297e57c68f82619b0a4fa06e73c921382

                                              • C:\Users\Admin\AppData\Local\Temp\tA3KztjMoN.bat

                                                Filesize

                                                197B

                                                MD5

                                                e391415892fec318bf7b6a3fd6006c9b

                                                SHA1

                                                00dc0294d706fb0ee3e88a69c68ec48ebf851415

                                                SHA256

                                                3c6ac803798c072f8aa92f927677d53d4d1c047ca3194acd8b5498f4c238740c

                                                SHA512

                                                db2bbf17e4b23053afd9b2a7732ecf5b211bef3f9139049ac65b202f256b9d04a0fdb6494ad3157ff270a8371990532005018e6edb0cadae7f406e55a5894fdb

                                              • C:\Users\Admin\AppData\Local\Temp\twjiYCOL1g.bat

                                                Filesize

                                                197B

                                                MD5

                                                7a173966039006c6e8305eafad71c712

                                                SHA1

                                                045d23d073772645c1fc75952d0d11e39bfea06c

                                                SHA256

                                                a9b236cf1bb407f71b3e0f1939ec6a96084b1dcabe84f1fe0f62f49583e7a3a8

                                                SHA512

                                                48708d6ef3b6f7e605b4fd82eb5ed83dad783cda30ba8832147787dd8f6807efbe56665096f18d24fd2313a686c40d10815a5d2f2af95ed892b77f2952d4dc64

                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                Filesize

                                                7KB

                                                MD5

                                                d17e23f02b6633501bca2a5ad7796d79

                                                SHA1

                                                14c2d5940d1d9c9d2843a94352d2bebaf4a50a13

                                                SHA256

                                                309658de76cf98356dc0ca1f5e73effc38ee718a85654847c0ff69a312e57f38

                                                SHA512

                                                01ead4bd93416ef35d7704637c60617279432a6d4ead9ea7d6eefbcddf15171ae4f6fabd246f3122f9cf3b683b82fcea543f3b4e4f82b6a237d518a6c213b24c

                                              • C:\providercommon\1zu9dW.bat

                                                Filesize

                                                36B

                                                MD5

                                                6783c3ee07c7d151ceac57f1f9c8bed7

                                                SHA1

                                                17468f98f95bf504cc1f83c49e49a78526b3ea03

                                                SHA256

                                                8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                                SHA512

                                                c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                              • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                Filesize

                                                197B

                                                MD5

                                                8088241160261560a02c84025d107592

                                                SHA1

                                                083121f7027557570994c9fc211df61730455bb5

                                                SHA256

                                                2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                                SHA512

                                                20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                              • \providercommon\DllCommonsvc.exe

                                                Filesize

                                                1.0MB

                                                MD5

                                                bd31e94b4143c4ce49c17d3af46bcad0

                                                SHA1

                                                f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                SHA256

                                                b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                SHA512

                                                f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                              • memory/284-486-0x0000000000F80000-0x0000000001090000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/1752-130-0x0000000001140000-0x0000000001250000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/1836-307-0x00000000013E0000-0x00000000014F0000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/2132-76-0x000000001B540000-0x000000001B822000-memory.dmp

                                                Filesize

                                                2.9MB

                                              • memory/2384-87-0x0000000002700000-0x0000000002708000-memory.dmp

                                                Filesize

                                                32KB

                                              • memory/2552-426-0x00000000003F0000-0x0000000000500000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/2708-16-0x0000000000150000-0x000000000015C000-memory.dmp

                                                Filesize

                                                48KB

                                              • memory/2708-15-0x0000000000160000-0x000000000016C000-memory.dmp

                                                Filesize

                                                48KB

                                              • memory/2708-17-0x00000000002E0000-0x00000000002EC000-memory.dmp

                                                Filesize

                                                48KB

                                              • memory/2708-14-0x0000000000140000-0x0000000000152000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/2708-13-0x00000000011B0000-0x00000000012C0000-memory.dmp

                                                Filesize

                                                1.1MB