dcrat | 90069138984d18e1858771b00970bde889517e6d4fa8e921afef6ed64585eebc

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_90069138984d18e1858771b00970bde889517e6d4fa8e921afef6ed64585eebc.exe
Size

1.3MB
MD5

b5947c3bc5fcd3c71e22b064b7905d72
SHA1

ea57da4692da415bcf2d916128bd872ab049d5d0
SHA256

90069138984d18e1858771b00970bde889517e6d4fa8e921afef6ed64585eebc
SHA512

65373fb64de699e432affd39907a2a9c1465687c23ab10036ed8280f11fda807eab01a9dc55514fc7a17c2946676194aea7c991027e4a2cf5bee66dada2df345
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2744	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016ce8-9.dat	dcrat
behavioral1/memory/2832-13-0x0000000001260000-0x0000000001370000-memory.dmp	dcrat
behavioral1/memory/1172-73-0x0000000000D80000-0x0000000000E90000-memory.dmp	dcrat
behavioral1/memory/1832-192-0x0000000001230000-0x0000000001340000-memory.dmp	dcrat
behavioral1/memory/628-252-0x0000000001240000-0x0000000001350000-memory.dmp	dcrat
behavioral1/memory/1748-371-0x00000000003B0000-0x00000000004C0000-memory.dmp	dcrat
behavioral1/memory/2108-431-0x0000000000EA0000-0x0000000000FB0000-memory.dmp	dcrat
behavioral1/memory/628-491-0x00000000011B0000-0x00000000012C0000-memory.dmp	dcrat
behavioral1/memory/1756-551-0x0000000001370000-0x0000000001480000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
264	powershell.exe
1036	powershell.exe
1100	powershell.exe
3056	powershell.exe
2032	powershell.exe
1448	powershell.exe
1444	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2832	DllCommonsvc.exe
1172	dllhost.exe
2872	dllhost.exe
1832	dllhost.exe
628	dllhost.exe
2484	dllhost.exe
1748	dllhost.exe
2108	dllhost.exe
628	dllhost.exe
1756	dllhost.exe
2364	dllhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2768	cmd.exe
2768	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com
24	raw.githubusercontent.com
4	raw.githubusercontent.com
20	raw.githubusercontent.com
27	raw.githubusercontent.com
31	raw.githubusercontent.com
35	raw.githubusercontent.com
38	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\wininit.exe	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\AppCompat\Programs\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\AppCompat\Programs\5940a34987c991	DllCommonsvc.exe
File created	C:\Windows\ehome\wow\ja-JP\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\ehome\wow\ja-JP\886983d96e3d3e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_90069138984d18e1858771b00970bde889517e6d4fa8e921afef6ed64585eebc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
944	schtasks.exe
2896	schtasks.exe
3036	schtasks.exe
556	schtasks.exe
1008	schtasks.exe
2960	schtasks.exe
3040	schtasks.exe
3048	schtasks.exe
2976	schtasks.exe
2804	schtasks.exe
1832	schtasks.exe
2176	schtasks.exe
2740	schtasks.exe
1932	schtasks.exe
2700	schtasks.exe
1804	schtasks.exe
2968	schtasks.exe
1056	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2832	DllCommonsvc.exe
1444	powershell.exe
2032	powershell.exe
1100	powershell.exe
1036	powershell.exe
264	powershell.exe
1448	powershell.exe
3056	powershell.exe
1172	dllhost.exe
2872	dllhost.exe
1832	dllhost.exe
628	dllhost.exe
2484	dllhost.exe
1748	dllhost.exe
2108	dllhost.exe
628	dllhost.exe
1756	dllhost.exe
2364	dllhost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2832	DllCommonsvc.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	264	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	1172	dllhost.exe
Token: SeDebugPrivilege	2872	dllhost.exe
Token: SeDebugPrivilege	1832	dllhost.exe
Token: SeDebugPrivilege	628	dllhost.exe
Token: SeDebugPrivilege	2484	dllhost.exe
Token: SeDebugPrivilege	1748	dllhost.exe
Token: SeDebugPrivilege	2108	dllhost.exe
Token: SeDebugPrivilege	628	dllhost.exe
Token: SeDebugPrivilege	1756	dllhost.exe
Token: SeDebugPrivilege	2364	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2068	1972	JaffaCakes118_90069138984d18e1858771b00970bde889517e6d4fa8e921afef6ed64585eebc.exe	30
PID 1972 wrote to memory of 2068	1972	JaffaCakes118_90069138984d18e1858771b00970bde889517e6d4fa8e921afef6ed64585eebc.exe	30
PID 1972 wrote to memory of 2068	1972	JaffaCakes118_90069138984d18e1858771b00970bde889517e6d4fa8e921afef6ed64585eebc.exe	30
PID 1972 wrote to memory of 2068	1972	JaffaCakes118_90069138984d18e1858771b00970bde889517e6d4fa8e921afef6ed64585eebc.exe	30
PID 2068 wrote to memory of 2768	2068	WScript.exe	31
PID 2068 wrote to memory of 2768	2068	WScript.exe	31
PID 2068 wrote to memory of 2768	2068	WScript.exe	31
PID 2068 wrote to memory of 2768	2068	WScript.exe	31
PID 2768 wrote to memory of 2832	2768	cmd.exe	33
PID 2768 wrote to memory of 2832	2768	cmd.exe	33
PID 2768 wrote to memory of 2832	2768	cmd.exe	33
PID 2768 wrote to memory of 2832	2768	cmd.exe	33
PID 2832 wrote to memory of 1036	2832	DllCommonsvc.exe	53
PID 2832 wrote to memory of 1036	2832	DllCommonsvc.exe	53
PID 2832 wrote to memory of 1036	2832	DllCommonsvc.exe	53
PID 2832 wrote to memory of 1100	2832	DllCommonsvc.exe	54
PID 2832 wrote to memory of 1100	2832	DllCommonsvc.exe	54
PID 2832 wrote to memory of 1100	2832	DllCommonsvc.exe	54
PID 2832 wrote to memory of 3056	2832	DllCommonsvc.exe	55
PID 2832 wrote to memory of 3056	2832	DllCommonsvc.exe	55
PID 2832 wrote to memory of 3056	2832	DllCommonsvc.exe	55
PID 2832 wrote to memory of 2032	2832	DllCommonsvc.exe	56
PID 2832 wrote to memory of 2032	2832	DllCommonsvc.exe	56
PID 2832 wrote to memory of 2032	2832	DllCommonsvc.exe	56
PID 2832 wrote to memory of 1444	2832	DllCommonsvc.exe	57
PID 2832 wrote to memory of 1444	2832	DllCommonsvc.exe	57
PID 2832 wrote to memory of 1444	2832	DllCommonsvc.exe	57
PID 2832 wrote to memory of 1448	2832	DllCommonsvc.exe	58
PID 2832 wrote to memory of 1448	2832	DllCommonsvc.exe	58
PID 2832 wrote to memory of 1448	2832	DllCommonsvc.exe	58
PID 2832 wrote to memory of 264	2832	DllCommonsvc.exe	60
PID 2832 wrote to memory of 264	2832	DllCommonsvc.exe	60
PID 2832 wrote to memory of 264	2832	DllCommonsvc.exe	60
PID 2832 wrote to memory of 1856	2832	DllCommonsvc.exe	67
PID 2832 wrote to memory of 1856	2832	DllCommonsvc.exe	67
PID 2832 wrote to memory of 1856	2832	DllCommonsvc.exe	67
PID 1856 wrote to memory of 1696	1856	cmd.exe	69
PID 1856 wrote to memory of 1696	1856	cmd.exe	69
PID 1856 wrote to memory of 1696	1856	cmd.exe	69
PID 1856 wrote to memory of 1172	1856	cmd.exe	71
PID 1856 wrote to memory of 1172	1856	cmd.exe	71
PID 1856 wrote to memory of 1172	1856	cmd.exe	71
PID 1172 wrote to memory of 3016	1172	dllhost.exe	72
PID 1172 wrote to memory of 3016	1172	dllhost.exe	72
PID 1172 wrote to memory of 3016	1172	dllhost.exe	72
PID 3016 wrote to memory of 2612	3016	cmd.exe	74
PID 3016 wrote to memory of 2612	3016	cmd.exe	74
PID 3016 wrote to memory of 2612	3016	cmd.exe	74
PID 3016 wrote to memory of 2872	3016	cmd.exe	75
PID 3016 wrote to memory of 2872	3016	cmd.exe	75
PID 3016 wrote to memory of 2872	3016	cmd.exe	75
PID 2872 wrote to memory of 2736	2872	dllhost.exe	76
PID 2872 wrote to memory of 2736	2872	dllhost.exe	76
PID 2872 wrote to memory of 2736	2872	dllhost.exe	76
PID 2736 wrote to memory of 2904	2736	cmd.exe	78
PID 2736 wrote to memory of 2904	2736	cmd.exe	78
PID 2736 wrote to memory of 2904	2736	cmd.exe	78
PID 2736 wrote to memory of 1832	2736	cmd.exe	79
PID 2736 wrote to memory of 1832	2736	cmd.exe	79
PID 2736 wrote to memory of 1832	2736	cmd.exe	79
PID 1832 wrote to memory of 2536	1832	dllhost.exe	80
PID 1832 wrote to memory of 2536	1832	dllhost.exe	80
PID 1832 wrote to memory of 2536	1832	dllhost.exe	80
PID 2536 wrote to memory of 1824	2536	cmd.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_90069138984d18e1858771b00970bde889517e6d4fa8e921afef6ed64585eebc.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_90069138984d18e1858771b00970bde889517e6d4fa8e921afef6ed64585eebc.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppCompat\Programs\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Start Menu\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\wow\ja-JP\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:264
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l75JQsuOqI.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1856
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1696
      - C:\Windows\AppCompat\Programs\dllhost.exe
        
        "C:\Windows\AppCompat\Programs\dllhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmZn61weJC.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2612
        
        C:\Windows\AppCompat\Programs\dllhost.exe
        
        "C:\Windows\AppCompat\Programs\dllhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2904
        
        C:\Windows\AppCompat\Programs\dllhost.exe
        
        "C:\Windows\AppCompat\Programs\dllhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbT3NvUu3s.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1824
        
        C:\Windows\AppCompat\Programs\dllhost.exe
        
        "C:\Windows\AppCompat\Programs\dllhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat"
        13⤵
        
        PID:3008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2564
        
        C:\Windows\AppCompat\Programs\dllhost.exe
        
        "C:\Windows\AppCompat\Programs\dllhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PX74P8KQcP.bat"
        15⤵
        
        PID:2272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2228
        
        C:\Windows\AppCompat\Programs\dllhost.exe
        
        "C:\Windows\AppCompat\Programs\dllhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat"
        17⤵
        
        PID:1056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1620
        
        C:\Windows\AppCompat\Programs\dllhost.exe
        
        "C:\Windows\AppCompat\Programs\dllhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat"
        19⤵
        
        PID:1932
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2152
        
        C:\Windows\AppCompat\Programs\dllhost.exe
        
        "C:\Windows\AppCompat\Programs\dllhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qqpXlQnQd1.bat"
        21⤵
        
        PID:2916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1680
        
        C:\Windows\AppCompat\Programs\dllhost.exe
        
        "C:\Windows\AppCompat\Programs\dllhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQDva2PSBr.bat"
        23⤵
        
        PID:2004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2532
        
        C:\Windows\AppCompat\Programs\dllhost.exe
        
        "C:\Windows\AppCompat\Programs\dllhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iYTmIkWLiw.bat"
        25⤵
        
        PID:2216
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\AppCompat\Programs\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\AppCompat\Programs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Start Menu\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Start Menu\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\ehome\wow\ja-JP\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ehome\wow\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\ehome\wow\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4c52339352361b9c724805268dc36c4

SHA1
82218eae031d118f8004b7d977762561f8170d36

SHA256
207e693f2d41bff02756a1ecfd6e706ff09ad2c24c5daffb84fe80c13088ab6e

SHA512
6df6469284dacb7a42b65da6e9e5e6ee03f037b557e152d7ee846319074f7dd58a7d0d57de86f24ff58adbffca0020ac38094e1c1dda32934d646da302664f31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be0073effa6585233439cf1816340e9b

SHA1
45160a668e306ac5e3ffa5bf0735b6e0bfae49ba

SHA256
b42f983358421fd51e2b5801a2175935f8fceef5c3a64682c4ed9dc92f063718

SHA512
dab64835693780e13b1b0b9209c889c9a20b966b5b7c30d06bb5196833db515d0a993bf0675553bef94d440b3db36571d858370f22e2a63fab40ae7e3d3ef77a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1cf94a0e4e930109729bd7f802a6e70a

SHA1
f00b2c6668ea772cdb4640ccadd5d801be25e0fa

SHA256
2c2ef164b127f57b36d220a22a80ff44b00c4aa94c0d37501bcc02adff7254c5

SHA512
b6e142e3f9665aa1cf9787652da926588de3e721ca07937fd24954c9a64a3ab030fe4c5ead6a452e7bc82e4082aebedb1b494998e77193662ce57fd36f93e4e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48b11a7bf900a2884b6e03c7dca455e3

SHA1
66018f7b7bb653a6c00d2c493ad7763705d6a724

SHA256
04d5f8d7c911cbe53883ccc2452387adb0f24710cf85e8098d112a2f9fe6b78e

SHA512
1a38bb769c7d3c8bf20326e291dee4646c1fd7306c9adf74889de8390c2344a0dc742dab92b236b568af25817bab9576b3b2dbb5dd75716c030a75f92a9b8699

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
285894bf3e7b6c549c0d338605602344

SHA1
9b030668af57574dbcc9be139520f185dae859f6

SHA256
86ab319a984b5dfb6578d341175f937ef1c0b711c7525eecdaff6cfd739e9a13

SHA512
efddd8e2d0ec114f233d1f7dfb0f126784b335a877bd06f149569992270f045c9b51b7a06503e77adb2449c06c0e0419dd33a43df34915ded6d6c23b6f702a3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32956a9c7d9de7c4a445166823c10c42

SHA1
731caffd3662066be62311abb202d63ad4c7cc5e

SHA256
3ed5534030a24c7ab6e48fb302a025844b26bfa3e92422f4712fa271b18a6703

SHA512
f59d67fd6ce6458ac95816d592d57646a273c08c4ca91d53faa6526f3def6931c2b6c56d0450eb1c1300b0acd3aaab3dc5948e5ee48181ed56fb132e04461175

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eab59b6c2cb28e9f84d44b869145a6df

SHA1
f5d25a51b62e569f57c7066624a085aab53bc506

SHA256
cf0f33c0cab83ee95bc92e176f824cc8e26539f5bc40853a5a5528f1267a1ce8

SHA512
0eec136d46298666eabbafc00d0c0ecb8c7f3403081287df6254b9e79ddaeaacb741446d235cb1f163b408063142edd9d9c9e35915ae9a8e5da73fcdf8bbf912

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc12007d383bdda1d4b7302b1e641479

SHA1
592867be5701b8677c4c8ae66cf62d8fc988c571

SHA256
be92e5136798615867d2dbc2d08fe910a2a6ff56a295b31eaee882c7c3f94b6e

SHA512
0b9d6c6ed8ce6ff2ca06f2f5264229308756f5c14e1233f43ef5a09ca045005a437071e45b2e3996616b648c0f41192d6f5dcfa548c6e3894af9ca892ff3db6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98924265284bf7679225428e29dddf95

SHA1
aca00e17f30511b41c4f40c71a124f40b94f7cf0

SHA256
711efb85b518e2f5336f53bda935a97821238f8c697a5642596375d359d66662

SHA512
16f7194689eb442ef49a8823438bc7c056ae0d08fe2e971dedcfe5d61b7bb93ec95d4d5149e6f5d2e5558a338bb79140a5bcfc30c0c86433e6afc6e7f5c5c8ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat

Filesize
206B

MD5
b883cdfe77db2c588785683652e1f1ae

SHA1
906ac60cbb4f1052c584e52332cdee7373f90ade

SHA256
641dd6f573176b1d453275f3336a1b5d68d4331f6f7c099248bfcc963b333540

SHA512
3588c9b0939129fe75cdd9fc2062dfb472748630067ad1819e6b68c86e756512a1f03d6e1cdfe0480567a5e03f5ded0a484c0e1989218c9b824372932de2336e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFB32.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat

Filesize
206B

MD5
0cfd72622a0fdd86aa000c5cef322d9a

SHA1
882066e52850e8700975cffaaec8d59f7856237b

SHA256
1be8cdc01c60cecf72217653083225d190bc87f686124cfb46b47dd32323ad9a

SHA512
461081f973f4431e02a6b960f5c298f92c7a92edc215a17919e377d78440d9cc4e2d8ff9fbe3e2f1eb64a90f60626e9503a16452bc27844034cdf952be8488d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\PX74P8KQcP.bat

Filesize
206B

MD5
3668606254c384eb8743b4921902dea1

SHA1
cd191972e792b95e07e76539fc8692263ad763f8

SHA256
c13248a119e254f617b1c15a89a6d1dcae87d5915bdfa38fda8a70d43a854eff

SHA512
2d028c0f6f7af078f9e7ed76394617e2628b41fc86475c7a27022e3d80afae88bfdf3e6677dc0847a75dbcdcd7800a80af15315b6af60a0e315517c18139650d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFB45.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat

Filesize
206B

MD5
283f387070de19505ae9fc7d1b54f78e

SHA1
abae1eed2eda4cc85a89f12e92ecbaedb8626b34

SHA256
c7e685a816df085104fc614fca38159d9b0f390bf2f2a84d0b69fd630544aed1

SHA512
3f6bb4c2aa54c69e4e3de442cf7f01d31028daad48287d3e1b2765db7163507322651e190a7c4b939a4b82d3051689aef72cb8bd22abd20a2079a4316d90d4b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbT3NvUu3s.bat

Filesize
206B

MD5
7e0098caca170c42eb05a5d2b3889cbe

SHA1
fb40c7df42ae03c902f8ed35888a87b1b74223fd

SHA256
43888f53900e17418260778a81b961416051945d0d3fe23cd1cb62cd4f806951

SHA512
b824c8a1dd218427957304a3f30ca3e7a3101e324e19e7bd1eb935596e6f414f272609b69acc3b5cac93e5eb4a0ce90396d876d736612febabeab2b7111134c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmZn61weJC.bat

Filesize
206B

MD5
f9199affc0042d71af5227e2c3824727

SHA1
7ee6566b48f51a14f6c14e1a45194f52bc606fe2

SHA256
98eda57e5010b1e47608e78e5aed0039767f3cda4d04a8b306136e5620ee97aa

SHA512
303f2c348b9e7efdddf0c312f5f32096c5e93596431f20f3b99c49a40b772a5dfccb1bc6735c22286840fd64ea39cac4d24dffc45b86ef0b6b0c0edc5fc1600a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYTmIkWLiw.bat

Filesize
206B

MD5
bde4b9e2fdaa9d033488618e225b45f7

SHA1
caf095d4ed0c40ca21284d62f8cb42556a809f11

SHA256
8fab0de4ddd60d66915a252a5ccfec4c499da4cede3ee8d12d7882adedc50c54

SHA512
ee551134c12f8bc1a0d259352db285536ef8242a7b92a3c9b40e7dcb9f3eb6bc980fa2c03d90525be55fefe031029a40cf0408d4313b38111a3ebcd94ca6f193

Download Submit
C:\Users\Admin\AppData\Local\Temp\l75JQsuOqI.bat

Filesize
206B

MD5
df830cb02d300d9ec0fd018fdd368b59

SHA1
586815f5711d388bd3b80b2661d33f48585662ac

SHA256
34c634219538490c68fc1f466d8276292ef86e3b01bce95911e6746236612e52

SHA512
909973c255c854621f3ee54f62c00365b26f2d6cd049b2474c13974ae64bcaa402590a2928d04d83208e00b62925de0bb500788bc996c9a7f42dd23ba5b4637b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqpXlQnQd1.bat

Filesize
206B

MD5
32ca2158c57c92a81112358a1671e629

SHA1
c8815dec49a0e39e2aa4c2ce79fbae79d252cb22

SHA256
25471f3268e8bf8d6e3d41876fb228851e34c12b4b7fb236690f3abcae8e4687

SHA512
6d8f3354e74c3203a20b486dc63473f276baadc140a13757dc36bd4f4c54ccaffbc6d64948f6b11bdd9dad3fc66e4a28c7cbe027fd44ba081c638087f84a0292

Download Submit
C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat

Filesize
206B

MD5
7a6b846ef82f9b99bc0866d0fc9147f6

SHA1
209f266f1a6a4cd69391b51989af463329c38db4

SHA256
f8ea1f242da2a6b5009d79290b65c0eb8d3341e4206bbbcb56538184cb9d3803

SHA512
e98b5cf59ebf44458c6c0da7175f8dcbf7e421cee3fed5d050e5b1dade077502a697fda367179de5798625075f1f433a2e12cba8a81ccbbba4d2f567909df587

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQDva2PSBr.bat

Filesize
206B

MD5
27100655ceab00d0b33b2b133f0b17a9

SHA1
f42949c6e062f7f7d436c0a5af5a5c50265e2114

SHA256
84e8cbd4cd37e18c9e74a30ab552c7c21dcb30e3a3eeb6e09f3b9192444b04ed

SHA512
386c3890d6a652d29115e8478277b37c3f2f6ce210a6e4966a1b7586eff650eb57b076a3099b8073ed785b6edafd225e87670c184dfd446275c027194ad29e45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ea3cffd5adc84f47130ee9d0079ac447

SHA1
f74b9ad2952b7d07211ca1d3b4962446e138e736

SHA256
2328555c0de5b3edf57586586a8b6fbd5e401e62ba68bbd06dd7f4131cad4d20

SHA512
d9f2290b210605c205f4ca3c5669fd46b85394bfe959107ddb18d6f949c7b02a184dd039e7d48b36c343ceb0abd954d6d8f82619d351731184ede0a46066f446

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/628-252-0x0000000001240000-0x0000000001350000-memory.dmp

Filesize
1.1MB

Download
memory/628-491-0x00000000011B0000-0x00000000012C0000-memory.dmp

Filesize
1.1MB

Download
memory/1172-73-0x0000000000D80000-0x0000000000E90000-memory.dmp

Filesize
1.1MB

Download
memory/1444-59-0x0000000000540000-0x0000000000548000-memory.dmp

Filesize
32KB

Download
memory/1444-54-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/1748-371-0x00000000003B0000-0x00000000004C0000-memory.dmp

Filesize
1.1MB

Download
memory/1756-551-0x0000000001370000-0x0000000001480000-memory.dmp

Filesize
1.1MB

Download
memory/1832-192-0x0000000001230000-0x0000000001340000-memory.dmp

Filesize
1.1MB

Download
memory/2108-431-0x0000000000EA0000-0x0000000000FB0000-memory.dmp

Filesize
1.1MB

Download
memory/2832-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2832-16-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2832-15-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2832-14-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2832-13-0x0000000001260000-0x0000000001370000-memory.dmp

Filesize
1.1MB

Download
memory/2872-132-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download