Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/12/2024, 19:36

General

  • Target

    JaffaCakes118_6f32959dd28420892d06a079294320a744f49a34442dd0a8da00d161ccb4d188.exe

  • Size

    1.3MB

  • MD5

    b309007b6a23a77c82518bb9ec9b0f98

  • SHA1

    0ae15aabf16eb3db456221d4533db4e469fa8926

  • SHA256

    6f32959dd28420892d06a079294320a744f49a34442dd0a8da00d161ccb4d188

  • SHA512

    7694ce141e251417f745d7866d8d643882b93011f860605f3168595a91d9cedfdaea8e80e5fd547a96573e42df03187634008fa6cdd8a4444b5ee53b4952ac22

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT active since June 2019, capable of loading additional plugins.

  • Dcrat family
  • Process spawned unexpected child process 30 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 12 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 13 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs
  • Drops file in Program Files directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f32959dd28420892d06a079294320a744f49a34442dd0a8da00d161ccb4d188.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6f32959dd28420892d06a079294320a744f49a34442dd0a8da00d161ccb4d188.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2428
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2256
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2088
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2704
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1516
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:772
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1776
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:620
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\ja-JP\cmd.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:940
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\csrss.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1364
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\de-DE\spoolsv.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1540
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\OSPPSVC.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1692
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:692
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1900
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1144
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tF0Pk8ddI5.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2988
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:2908
              • C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe
                "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:2684
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1128
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:2004
                    • C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe
                      "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:2652
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Lq6d7xQt2.bat"
                        9⤵
                          PID:656
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            10⤵
                              PID:1144
                            • C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe
                              "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe"
                              10⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3044
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tcplHXgq9Q.bat"
                                11⤵
                                  PID:2960
                                  • C:\Windows\system32\w32tm.exe
                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    12⤵
                                      PID:1356
                                    • C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe
                                      "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe"
                                      12⤵
                                      • Executes dropped EXE
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2704
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tbw0avzYF4.bat"
                                        13⤵
                                          PID:2844
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            14⤵
                                              PID:2140
                                            • C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe
                                              "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe"
                                              14⤵
                                              • Executes dropped EXE
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:3052
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat"
                                                15⤵
                                                  PID:2208
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    16⤵
                                                      PID:1752
                                                    • C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe
                                                      "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe"
                                                      16⤵
                                                      • Executes dropped EXE
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:1688
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TfYr4aOzGb.bat"
                                                        17⤵
                                                          PID:1744
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            18⤵
                                                              PID:1848
                                                            • C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe
                                                              "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe"
                                                              18⤵
                                                              • Executes dropped EXE
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2864
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0P1AeAAEDQ.bat"
                                                                19⤵
                                                                  PID:1508
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    20⤵
                                                                      PID:2836
                                                                    • C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe
                                                                      "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe"
                                                                      20⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:596
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LdHmevWlG3.bat"
                                                                        21⤵
                                                                          PID:2672
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            22⤵
                                                                              PID:760
                                                                            • C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe
                                                                              "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe"
                                                                              22⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:2452
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\34gW2xHJWZ.bat"
                                                                                23⤵
                                                                                  PID:1052
                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    24⤵
                                                                                      PID:3068
                                                                                    • C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe
                                                                                      "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe"
                                                                                      24⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:772
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Tcsv1v0qfT.bat"
                                                                                        25⤵
                                                                                          PID:800
                                                                                          • C:\Windows\system32\w32tm.exe
                                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                            26⤵
                                                                                              PID:476
                                                                                            • C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe
                                                                                              "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe"
                                                                                              26⤵
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              PID:1724
                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat"
                                                                                                27⤵
                                                                                                  PID:2440
                                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                    28⤵
                                                                                                      PID:1892
                                                                                                    • C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe
                                                                                                      "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe"
                                                                                                      28⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:2968
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2904
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2092
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2656
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2608
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2684
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3052
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2192
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1836
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1124
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2852
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2856
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2372
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:864
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2800
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2444
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1272
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1136
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\OSPPSVC.exe'" /f
    1⤵
    • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2920
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\OSPPSVC.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1944
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\OSPPSVC.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2308
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2712
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2512
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2212
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2236
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2496
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1892
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1704
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:1152
                                              • C:\Windows\system32\schtasks.exe
                                                schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /rl HIGHEST /f
                                                1⤵
                                                • Process spawned unexpected child process
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:764
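Every dropped binary in the process tree above receives the same three tasks: a MINUTE-interval task, an ONLOGON task at /rl HIGHEST, and a second MINUTE-interval task at /rl HIGHEST, all pointing at a file that borrows a Windows system-process name (csrss.exe, lsm.exe, services.exe, spoolsv.exe, cmd.exe, Idle.exe) but lives under Program Files or C:\Recovery rather than System32. The Python below is an added triage example written for this page; it is not tooling from the sandbox or from DCRat. It parses schtasks /create command lines like the ones listed, flags targets that masquerade as system processes outside the system directories, and groups tasks by target path to find that three-task pattern. SAMPLE_CMDLINES copies seven of the lines above and adds two constructed benign tasks (NightlyBackup, CleanTemp) that are not from the report; SYSTEM_PROCESS_NAMES is an assumed watch-list, not something the report defines.

```python
"""Triage schtasks.exe /create command lines from a sandbox process tree.

Added example for this page; not tooling from the sandbox or from DCRat.
Flags (1) system-process file names living outside the Windows system
directories and (2) DCRat's per-binary triad: one ONLOGON task at
/rl HIGHEST plus two MINUTE-interval tasks, all pointing at one path.
"""
import re
from collections import defaultdict

# Seven command lines copied from the process tree above, plus two
# constructed benign tasks (NightlyBackup, CleanTemp) that are NOT from
# the report and exist only to show what the checks leave alone.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\cmd.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe'" /f''',
    r'''schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Windows\System32\robocopy.exe D:\data E:\bak /MIR" /f''',
    r'''schtasks.exe /create /tn "CleanTemp" /sc ONLOGON /tr "C:\Windows\System32\cmd.exe /c del /q %TEMP%\*.log" /rl HIGHEST /f''',
]

# Assumed watch-list: legitimate Windows process names malware likes to copy.
SYSTEM_PROCESS_NAMES = {
    "csrss.exe", "lsm.exe", "services.exe", "spoolsv.exe", "cmd.exe",
    "idle.exe", "lsass.exe", "svchost.exe", "winlogon.exe", "explorer.exe",
    "osppsvc.exe",
}
# Where those names legitimately live (lower-case, trailing backslash).
SYSTEM_DIR_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# One "/flag" and its optional value.  A value is a double-quoted string
# (which may itself contain slashes, e.g. "/c del ...") or a bare token
# that does not start with "/", so "/create /tn" is not read as a value.
_ARG_RE = re.compile(r'(/[A-Za-z]+)(?:\s+("[^"]*"|[^/\s"]\S*))?')


def parse_schtasks(cmdline):
    """Return the /create arguments we care about, or None for other lines."""
    lowered = cmdline.lower()
    if "schtasks" not in lowered or "/create" not in lowered:
        return None
    args = {}
    for flag, value in _ARG_RE.findall(cmdline):
        # The report shows /tr values wrapped as "'C:\path\x.exe'": strip both quote kinds.
        args[flag.lower()] = value.strip('"').strip("'")
    return {
        "name": args.get("/tn", ""),
        "schedule": args.get("/sc", "").upper(),
        "modifier": args.get("/mo", ""),
        "target": args.get("/tr", ""),
        "runlevel": args.get("/rl", "").upper(),
        "force": "/f" in args,
    }


def target_binary(target):
    """Lower-cased path of the .exe in a /tr value, trailing arguments dropped."""
    m = re.match(r"\s*(.*?\.exe)", target, re.IGNORECASE)
    return (m.group(1) if m else target.strip()).lower()


def is_masquerading(target):
    """True when the file name is a well-known Windows process name but the
    file is not under System32 or SysWOW64."""
    path = target_binary(target)
    name = path.rsplit("\\", 1)[-1]
    return name in SYSTEM_PROCESS_NAMES and not path.startswith(SYSTEM_DIR_PREFIXES)


def find_persistence_triads(tasks):
    """Map target path -> sorted task names for every target that has an
    ONLOGON task at /rl HIGHEST plus at least two MINUTE-interval tasks."""
    by_target = defaultdict(list)
    for t in tasks:
        if t["target"]:
            by_target[target_binary(t["target"])].append(t)
    hits = {}
    for path, group in by_target.items():
        logon = any(t["schedule"] == "ONLOGON" and t["runlevel"] == "HIGHEST" for t in group)
        minute = sum(t["schedule"] == "MINUTE" for t in group)
        if logon and minute >= 2:
            hits[path] = sorted(t["name"] for t in group)
    return hits


def triage(cmdlines):
    """Parse every schtasks /create line and run both checks over the set."""
    tasks = [t for t in map(parse_schtasks, cmdlines) if t]
    masquerading = sorted({(t["name"], target_binary(t["target"]))
                           for t in tasks if is_masquerading(t["target"])})
    return {"tasks": len(tasks), "masquerading": masquerading,
            "triads": find_persistence_triads(tasks)}


if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINES)
    print(f"parsed {result['tasks']} schtasks /create lines")
    for name, path in result["masquerading"]:
        print(f"masquerading: task {name!r} runs {path}")
    for path, names in result["triads"].items():
        print(f"persistence triad on {path}: {', '.join(names)}")
```

Run as-is it reports the cmd.exe, csrss.exe and lsm.exe targets as masquerading and the csrss.exe and lsm.exe paths as full triads; the constructed CleanTemp task, although ONLOGON at /rl HIGHEST, is left alone because its cmd.exe is the real one under System32 and it has no companion MINUTE tasks. On a live host the same two checks apply to the output of `schtasks /query /fo CSV /v`, where the Task To Run column carries the target path.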

                                              Network

                                                    MITRE ATT&CK Enterprise v15


                                                    Downloads

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      584086fdf356051de3cb2d0c89661581

                                                      SHA1

                                                      5c41d1fcd6d2b535e9b5640fce9ec3ef67fc6209

                                                      SHA256

                                                      efeae8cb2738a383e34e9c3619a01ca007b57f5e2b469d928e2437339ce8b49c

                                                      SHA512

                                                      b2be492ecc38e3019b2c5c20fa508532293bdfafcb270b99aa14e3f3e10452d52441a103b50e811d089694a263fa37fa2f37a547a2a55a014a963df8ad74361e

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      adc0c3e0b6cf4325c2ea17aa01bbb5a5

                                                      SHA1

                                                      046e2c7be65dc94732b3f51baca6d15d78abbc2a

                                                      SHA256

                                                      d7cd8ab7cffb7c920264389de4c8f89f3e31fff38d095cbc142099f9eb4f2ce8

                                                      SHA512

                                                      a515a25a1d284bc331f7d31824116768fae05124a303b34c11bd2061abefd4c396d4e21a7de09df1646729c2a6357e72c3717b976898a14aa78b2448e548b17b

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      e10c7d45f691eb1e6c23bd3cb1cc9d20

                                                      SHA1

                                                      752f076e9f89799735eea83f7fa5fcbd60f3da25

                                                      SHA256

                                                      48a30a080abfa8f78b8c29b0678e825fb8793e811fad8516c8b3e8ca4a3d9976

                                                      SHA512

                                                      3cca636218ad9bd918c0674d5f4fffbd7268341121c0b79a610a0f1f56de393c635ce065c227c07d2c2e537619aebc3f0145f7eedb1910a0cd0f21509b94169f

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      88a8aaf82d63f99bce3b29d178ca0dc1

                                                      SHA1

                                                      bee2ffe8e6667b7025c1eb07ffe0e22b531810ef

                                                      SHA256

                                                      397eff7e1c8607357980ce01310a94f1453c02d91591801cdd1482e3550ccb65

                                                      SHA512

                                                      28ff7bafe254570caca72439782ea24d4195e1ffa95d0094e3a256f5f2b92fad61fce9b93c0cc7f0dc01903f8a7e169bae23a4095b11ecd1914c6b5fda04bb32

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      4398b1535c6430a52a4ff96184245a95

                                                      SHA1

                                                      29a00392ec259dfa55e6b4ba8db07a84431c0ac7

                                                      SHA256

                                                      243a6c586193e7327f5b83a3b85f1562a81b07657ddaf5ec76694a91b3f33645

                                                      SHA512

                                                      5130f9676968fafde601b325b67c5afaba8662998fae18c036d612565559fc629f16e2531fc6c2606acde5eaf2fece865548ea9d4d3bd29b797179d56372ad45

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      7944fd491f504885a4d53e677e3d9994

                                                      SHA1

                                                      6be602c62fe0cc64802f954d4a73d95e70b0c7cf

                                                      SHA256

                                                      99a06b06223ee1781590874cca2faa47700a611191634fcae7237ab9d87f4759

                                                      SHA512

                                                      4c047dec4fd264a80becf68a032957c0cde8c145b8c46104d41798b5e94c903fda98c770dbbd2a3dfacd6af75551c1883bfea0cc10f00a14e68bc6c2c05dfb9c

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      689266665021df8e703622fbab514d1a

                                                      SHA1

                                                      4d114dd9796bf1c40d7a46882e6bdf884236b5ea

                                                      SHA256

                                                      bc3c7276d185726194552299ee78feea529829460e11ec1a1ad966de38603c1f

                                                      SHA512

                                                      88683c0a245cf7785f942cc4d9ce1c9f7ede5c38fdfc65c251a16fd955d3e9357f45300a65c4aaada49a7d1bce084f50e43c0c86d8d67c8aa24a12e4be47ffbe

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      e9282b6905c727d52bfd73d36437520c

                                                      SHA1

                                                      26ab3351f0ac3edad5da5a6ae2413f1472dcb39e

                                                      SHA256

                                                      f065642757fe07192b10aa7b61dcb06b02712bec070afe867fc67ca9620d65ef

                                                      SHA512

                                                      b0483f5ab2cc86d2182d9049539d0282327eb0c2d94684251a15a059a8b75579289d7904c2bda81394a150bd52dc4f894682b1b7bdf04cbc1039d7862c9a2185

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      d3b719a983f8189247637e6c5c4d3d34

                                                      SHA1

                                                      57660927bfab7416cf01d87b34263e20a727e7f4

                                                      SHA256

                                                      165721b11c8ba505a6b5736fda56d50d8e75a602bed8f8497a66528e33c1e6ae

                                                      SHA512

                                                      8e4acc8abf2cc17ca7b253132438b7503653b51b8ffa9e56d0b4f14785378447539130df048cb7920c310cd7232c30ee6ddfed2c8027748d79676cb92f844832

                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                      Filesize

                                                      342B

                                                      MD5

                                                      f2d530af0d7f3263a819300b572d506a

                                                      SHA1

                                                      79925fa419c8cd6857056bcc226dc8df9f3d380d

                                                      SHA256

                                                      0d2103584ae04261723e33511a9713dd960e7ca50b1aba02489e3a42aa3eb6de

                                                      SHA512

                                                      dff76891c2353fbdd8805c0c3dd6e22dea5d18fa9203711c2b18fd9e4f94f81f9d49dc25832814c5755633f6d5d56bae8704b5b023d1fed87f334aabd673fd94

                                                    • C:\Users\Admin\AppData\Local\Temp\0P1AeAAEDQ.bat

                                                      Filesize

                                                      222B

                                                      MD5

                                                      937cc04a0ac857f309c675cc3f3d5e70

                                                      SHA1

                                                      99ed770b3078c53cfdce4f1a76f655318b5aa596

                                                      SHA256

                                                      63666ab216ed392d1004f77e0465eab871cc72cb8fd3d778657a2ff2ebc36340

                                                      SHA512

                                                      95c77d341fe7da44d9c9f3856614e4ddcf05b62ddf73a29282387b9e2eb1b85bc746388b678f64dc4eedf1c6f7aa9546846a4860c63a12069d0ccdafb30e192e

                                                    • C:\Users\Admin\AppData\Local\Temp\34gW2xHJWZ.bat

                                                      Filesize

                                                      222B

                                                      MD5

                                                      98676b47956787315fb0bbe7b6d73d6a

                                                      SHA1

                                                      0e7aaf44f1f121de529ca3005ff9b70760225ffd

                                                      SHA256

                                                      a5dfaaee91837fb9f8d2950dcac1e2b87c3206791549ddee3bdaeb2f60cd685a

                                                      SHA512

                                                      fdbaf2f0629897c33229aa005b70d468f33195abbc9e32698ac0e1f7b035ab10ffe68aa731a54012034a177bbd368706f0604313710062ba618fda721152aad8

                                                    • C:\Users\Admin\AppData\Local\Temp\8Lq6d7xQt2.bat

                                                      Filesize

                                                      222B

                                                      MD5

                                                      867731066b1d7f1f8502c866d676c08b

                                                      SHA1

                                                      90861a64c8ce9c7874ad6a653e7e421aeba29946

                                                      SHA256

                                                      4ae4af97eb46cc57c753234987f2677562703509db0b42571bf89426a85ea09c

                                                      SHA512

                                                      cf4aa6a4f770595088181df7a9381d92da5282455b095c262c4a832b2b2bd5b63e6847862fe30a721f16ba6bd72173efe3adb0cfb8d8653f8a5f6db465cdd426

                                                    • C:\Users\Admin\AppData\Local\Temp\CabF865.tmp

                                                      Filesize

                                                      70KB

                                                      MD5

                                                      49aebf8cbd62d92ac215b2923fb1b9f5

                                                      SHA1

                                                      1723be06719828dda65ad804298d0431f6aff976

                                                      SHA256

                                                      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                      SHA512

                                                      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                    • C:\Users\Admin\AppData\Local\Temp\LdHmevWlG3.bat

                                                      Filesize

                                                      222B

                                                      MD5

                                                      38c0a7a17d0a50bf7a85633dea3218e1

                                                      SHA1

                                                      b49e147fac39bf2f1647756765f4e429c680d5b4

                                                      SHA256

                                                      4b181487500f55eaf2a795d8e51ff3d66c477cfe522b2d468ffa3f73a791571b

                                                      SHA512

                                                      e690dea26140e713d4bb947f8e511dcf660e9853137b53636b2a3635c5ba8b5f5daa498ac111362c5dd4a1f0639b083c5a5afd8ca843c74191b8de1c393d0f82

                                                    • C:\Users\Admin\AppData\Local\Temp\TarF887.tmp

                                                      Filesize

                                                      181KB

                                                      MD5

                                                      4ea6026cf93ec6338144661bf1202cd1

                                                      SHA1

                                                      a1dec9044f750ad887935a01430bf49322fbdcb7

                                                      SHA256

                                                      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                      SHA512

                                                      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                                    • C:\Users\Admin\AppData\Local\Temp\Tcsv1v0qfT.bat

                                                      Filesize

                                                      222B

                                                      MD5

                                                      61030d59ca0992cffcc24aaa5783f6e8

                                                      SHA1

                                                      8ff1a69fa00e4321c0cdb350cc5b5da5c359eaf9

                                                      SHA256

                                                      85d236eb209db5350a49d1ec2b208994e0a18571476233d9923195179fd3595d

                                                      SHA512

                                                      9a47915fe43655a3df4c320adca39a1a7507f6b72cc131260f4eceadf7561478260aacff66a1bf89668394c9ccefa7c2b0e962e82eb968e8357500441374db00

                                                    • C:\Users\Admin\AppData\Local\Temp\TfYr4aOzGb.bat

                                                      Filesize

                                                      222B

                                                      MD5

                                                      93983360ad047a14280fc3b1f20387c3

                                                      SHA1

                                                      012f5e9649ddee97ce0d266180d7c2084896c248

                                                      SHA256

                                                      98bdbe17473ca47e8ea2114eaf3501fb51d56a2c7aef64828e179f0a34f0cc03

                                                      SHA512

                                                      c4983297471c3fa665b39fb02d923e39a11ddafb644636a3bc82afb81f755ea51153985e61b9f0f16d90509a90d90e326d210d36e1d03a03881164a33106eec6

                                                    • C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat

                                                      Filesize

                                                      222B

                                                      MD5

                                                      0fd5b588fe14c851ac1c53f78212972a

                                                      SHA1

                                                      6bf021fbbd747e323d011c23666bf9186b8437fe

                                                      SHA256

                                                      58bb71843cc010abf78c70e43b3578fb5529da68f35022064e83608b641d7f84

                                                      SHA512

                                                      387328af74e4ba3f5b8772c661bc89fedb0c4ecb9be8731d4fba7e30883d60f3728212d69beb1a965d20efc70b7685ed9053ccbbd216a3f92c0728ba415da81d

                                                    • C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat

                                                      Filesize

                                                      222B

                                                      MD5

                                                      2c05b95a0f03ce0cd24fd368f1cdf7af

                                                      SHA1

                                                      038542d25e6275881da15a8530a8f13c04738263

                                                      SHA256

                                                      2a0ea5f3c5588bbe501abf63fc9c787c6b7c37a6e4194609d50f5f9a8616272c

                                                      SHA512

                                                      83ac30c04f00be5955ddc9cd9d6f34241eaec93ccdc448852e849de504d9410f7643e3220e29fb79a7daaa290f5e82de179c189da075a8f29b3c70b050ae9694

                                                    • C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat

                                                      Filesize

                                                      222B

                                                      MD5

                                                      7902d54b3619f7249f588f2fa56f0799

                                                      SHA1

                                                      77151382efea2735ab7b514703a23c9b603c6ec9

                                                      SHA256

                                                      69be0fb7cfc653467656eccec9636229c72e87ed3a5ec934ba5a55e2c499ee7b

                                                      SHA512

                                                      d69ddb810135d43a603161a20765d17d2116524fbbb3a38817e24d0f14cb336788cedefe16abc60bbbbb29f022765a3680a7653b9993c8d94cd0c7253a850e1c

                                                    • C:\Users\Admin\AppData\Local\Temp\tF0Pk8ddI5.bat

                                                      Filesize

                                                      222B

                                                      MD5

                                                      a608bf029c6173e8b6c78cbcc28e2491

                                                      SHA1

                                                      e5f26b4cfe1a69ae2c13e834a45ef2cd0da5c245

                                                      SHA256

                                                      e2536cfd484b79b72adc6ef8c16ceef4d15605c11a32eaefd223c75a153edd2e

                                                      SHA512

                                                      991c4ddd1ac33cc186faf711672e785ca61f051d224e61bb0f6b316a593b308c06cd6a77d0ae899020d40cda2370ea7d8b179bdd79d7583cd7a57e627ad46d84

• C:\Users\Admin\AppData\Local\Temp\tbw0avzYF4.bat
  Filesize: 222B
  MD5: 73e5960f5efc76305cfe7f538b07812b
  SHA1: a8a0b4371bf1633e4ee0c3b8973feb01d2df1fa7
  SHA256: ff07bace6a1c8e2e336e773e73aa43f0694d0123fd9f68e2fe42ec50fc0e4941
  SHA512: 430b0a4fe6334709e687f9fea6478033558c057dd909864fb532b7df32db195a98c6ef46d18ff22538399a908f8ae95e344b76d13a02fcd96994fbb4264bc53f

• C:\Users\Admin\AppData\Local\Temp\tcplHXgq9Q.bat
  Filesize: 222B
  MD5: 108aed22b54854e0200aaa981963c08a
  SHA1: 56e2e874ebdac9ab4a67be1f9d571776caea3546
  SHA256: 5158fed39ad33613bf46f505ae22c4056b0f4d9952c2c1ca0ea74494885900d9
  SHA512: 08c02da2019907f43c993daa8b8b3d2e0944790e715a2a7d3ddd21e4850d9529729dc522ae661d3fe8cbabd1a5db42fbfdff85528d901c478f373236be294695

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: affbc0e6f923b67b278b87a79b2473cf
  SHA1: a14362d95299cf334ac07c8fe3ebc531cf7bae47
  SHA256: 4948cffbfec96fd8b4090522ba5e878550866e68b084ffbc5ca056d8e736c315
  SHA512: 98f4e3f1931cda32a23ec0ccdfbaf762e872b708e3fb434f04f73868c29a5a12b98a508a69e1114079f47f0d4c02c6fd61580d830e7a3a70bc98b55340f4159f

• C:\providercommon\1zu9dW.bat
  Filesize: 36B
  MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

• C:\providercommon\DllCommonsvc.exe
  Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

• C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
  Filesize: 197B
  MD5: 8088241160261560a02c84025d107592
  SHA1: 083121f7027557570994c9fc211df61730455bb5
  SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

• memory/596-520-0x0000000000130000-0x0000000000240000-memory.dmp
  Filesize: 1.1MB

• memory/772-640-0x0000000001120000-0x0000000001230000-memory.dmp
  Filesize: 1.1MB

• memory/1516-51-0x000000001B550000-0x000000001B832000-memory.dmp
  Filesize: 2.9MB

• memory/1516-52-0x00000000029E0000-0x00000000029E8000-memory.dmp
  Filesize: 32KB

• memory/1688-400-0x0000000000F40000-0x0000000001050000-memory.dmp
  Filesize: 1.1MB

• memory/2452-580-0x00000000010C0000-0x00000000011D0000-memory.dmp
  Filesize: 1.1MB

• memory/2652-161-0x0000000000540000-0x0000000000552000-memory.dmp
  Filesize: 72KB

• memory/2652-160-0x0000000000F00000-0x0000000001010000-memory.dmp
  Filesize: 1.1MB

• memory/2684-101-0x0000000000ED0000-0x0000000000FE0000-memory.dmp
  Filesize: 1.1MB

• memory/2704-16-0x0000000000160000-0x000000000016C000-memory.dmp
  Filesize: 48KB

• memory/2704-17-0x0000000000550000-0x000000000055C000-memory.dmp
  Filesize: 48KB

• memory/2704-15-0x0000000000350000-0x000000000035C000-memory.dmp
  Filesize: 48KB

• memory/2704-280-0x0000000000150000-0x0000000000260000-memory.dmp
  Filesize: 1.1MB

• memory/2704-14-0x0000000000150000-0x0000000000162000-memory.dmp
  Filesize: 72KB

• memory/2704-13-0x00000000013C0000-0x00000000014D0000-memory.dmp
  Filesize: 1.1MB

• memory/2864-460-0x0000000000120000-0x0000000000230000-memory.dmp
  Filesize: 1.1MB

• memory/2968-759-0x00000000002B0000-0x00000000003C0000-memory.dmp
  Filesize: 1.1MB

• memory/3052-340-0x0000000000D20000-0x0000000000E30000-memory.dmp
  Filesize: 1.1MB