dcrat | b7b11a65bec44bfb29fa4f96f57ffafbd7c0907ecf53ac73fc17efe0254e20eb

Analysis

max time kernel
146s
max time network
142s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b7b11a65bec44bfb29fa4f96f57ffafbd7c0907ecf53ac73fc17efe0254e20eb.exe
Size

1.3MB
MD5

e58bb52089006e217b7652c510c431aa
SHA1

111af809f5c34e4eb1900814999c504f50f38189
SHA256

b7b11a65bec44bfb29fa4f96f57ffafbd7c0907ecf53ac73fc17efe0254e20eb
SHA512

11206de1ad8de98c7ce03633df6c0572a97d8af62ca029f4ced31774f6c2fd15fc9af794bcf9955ed1a2bb3c92afb7ebbc42a013d857a6faf7de848f62bcf641
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	276	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2112	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2112	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016ca5-9.dat	dcrat
behavioral1/memory/2904-13-0x0000000000330000-0x0000000000440000-memory.dmp	dcrat
behavioral1/memory/844-82-0x0000000000B80000-0x0000000000C90000-memory.dmp	dcrat
behavioral1/memory/2612-210-0x00000000013A0000-0x00000000014B0000-memory.dmp	dcrat
behavioral1/memory/1780-388-0x00000000000B0000-0x00000000001C0000-memory.dmp	dcrat
behavioral1/memory/1788-448-0x0000000000D30000-0x0000000000E40000-memory.dmp	dcrat
behavioral1/memory/1524-509-0x0000000000F90000-0x00000000010A0000-memory.dmp	dcrat
behavioral1/memory/1792-628-0x00000000001E0000-0x00000000002F0000-memory.dmp	dcrat
behavioral1/memory/396-688-0x00000000011F0000-0x0000000001300000-memory.dmp	dcrat
behavioral1/memory/2076-748-0x00000000003F0000-0x0000000000500000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1048	powershell.exe
1524	powershell.exe
2240	powershell.exe
1704	powershell.exe
1904	powershell.exe
3060	powershell.exe
2232	powershell.exe
1676	powershell.exe
1792	powershell.exe
660	powershell.exe
2876	powershell.exe
576	powershell.exe
2840	powershell.exe
3068	powershell.exe
1260	powershell.exe
1052	powershell.exe
1980	powershell.exe
2660	powershell.exe
1680	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2904	DllCommonsvc.exe
692	DllCommonsvc.exe
844	wininit.exe
2612	wininit.exe
2428	wininit.exe
2900	wininit.exe
1780	wininit.exe
1788	wininit.exe
1524	wininit.exe
1800	wininit.exe
1792	wininit.exe
396	wininit.exe
2076	wininit.exe

Loads dropped DLL 2 IoCs

pid	Process
1836	cmd.exe
1836	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
20	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com
37	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
13	raw.githubusercontent.com
23	raw.githubusercontent.com

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Uninstall Information\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\ja-JP\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\fr-FR\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\fr-FR\56085415360792	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\en-US\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\winlogon.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\powershell.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\e978f868350d50	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\fr-FR\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\en-US\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\fr-FR\56085415360792	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\ja-JP\WmiPrvSE.exe	DllCommonsvc.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Downloaded Program Files\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Windows\en-US\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\en-US\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Windows\Setup\State\smss.exe	DllCommonsvc.exe
File created	C:\Windows\Setup\State\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Windows\Fonts\services.exe	DllCommonsvc.exe
File created	C:\Windows\Fonts\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Windows\Downloaded Program Files\lsass.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b7b11a65bec44bfb29fa4f96f57ffafbd7c0907ecf53ac73fc17efe0254e20eb.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2924	schtasks.exe
1908	schtasks.exe
2212	schtasks.exe
688	schtasks.exe
968	schtasks.exe
2368	schtasks.exe
1340	schtasks.exe
1788	schtasks.exe
2612	schtasks.exe
2104	schtasks.exe
2912	schtasks.exe
2176	schtasks.exe
2780	schtasks.exe
2652	schtasks.exe
1296	schtasks.exe
920	schtasks.exe
2748	schtasks.exe
2776	schtasks.exe
1524	schtasks.exe
1628	schtasks.exe
2012	schtasks.exe
2736	schtasks.exe
2616	schtasks.exe
3060	schtasks.exe
1912	schtasks.exe
2316	schtasks.exe
1696	schtasks.exe
2664	schtasks.exe
2832	schtasks.exe
2076	schtasks.exe
1956	schtasks.exe
2464	schtasks.exe
2312	schtasks.exe
1604	schtasks.exe
2676	schtasks.exe
1648	schtasks.exe
1052	schtasks.exe
276	schtasks.exe
1644	schtasks.exe
1820	schtasks.exe
2252	schtasks.exe
1668	schtasks.exe
2764	schtasks.exe
2528	schtasks.exe
2516	schtasks.exe
1844	schtasks.exe
2448	schtasks.exe
608	schtasks.exe
1056	schtasks.exe
1768	schtasks.exe
896	schtasks.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2904	DllCommonsvc.exe
2904	DllCommonsvc.exe
2904	DllCommonsvc.exe
1704	powershell.exe
660	powershell.exe
1792	powershell.exe
2876	powershell.exe
1260	powershell.exe
692	DllCommonsvc.exe
692	DllCommonsvc.exe
692	DllCommonsvc.exe
692	DllCommonsvc.exe
692	DllCommonsvc.exe
2232	powershell.exe
1980	powershell.exe
1680	powershell.exe
576	powershell.exe
1676	powershell.exe
3060	powershell.exe
1524	powershell.exe
3068	powershell.exe
2840	powershell.exe
1048	powershell.exe
2240	powershell.exe
1904	powershell.exe
2660	powershell.exe
1052	powershell.exe
844	wininit.exe
2612	wininit.exe
2428	wininit.exe
2900	wininit.exe
1780	wininit.exe
1788	wininit.exe
1524	wininit.exe
1800	wininit.exe
1792	wininit.exe
396	wininit.exe
2076	wininit.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	DllCommonsvc.exe
Token: SeDebugPrivilege	692	DllCommonsvc.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	660	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	1260	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	844	wininit.exe
Token: SeDebugPrivilege	2612	wininit.exe
Token: SeDebugPrivilege	2428	wininit.exe
Token: SeDebugPrivilege	2900	wininit.exe
Token: SeDebugPrivilege	1780	wininit.exe
Token: SeDebugPrivilege	1788	wininit.exe
Token: SeDebugPrivilege	1524	wininit.exe
Token: SeDebugPrivilege	1800	wininit.exe
Token: SeDebugPrivilege	1792	wininit.exe
Token: SeDebugPrivilege	396	wininit.exe
Token: SeDebugPrivilege	2076	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 1028	2972	JaffaCakes118_b7b11a65bec44bfb29fa4f96f57ffafbd7c0907ecf53ac73fc17efe0254e20eb.exe	30
PID 2972 wrote to memory of 1028	2972	JaffaCakes118_b7b11a65bec44bfb29fa4f96f57ffafbd7c0907ecf53ac73fc17efe0254e20eb.exe	30
PID 2972 wrote to memory of 1028	2972	JaffaCakes118_b7b11a65bec44bfb29fa4f96f57ffafbd7c0907ecf53ac73fc17efe0254e20eb.exe	30
PID 2972 wrote to memory of 1028	2972	JaffaCakes118_b7b11a65bec44bfb29fa4f96f57ffafbd7c0907ecf53ac73fc17efe0254e20eb.exe	30
PID 1028 wrote to memory of 1836	1028	WScript.exe	31
PID 1028 wrote to memory of 1836	1028	WScript.exe	31
PID 1028 wrote to memory of 1836	1028	WScript.exe	31
PID 1028 wrote to memory of 1836	1028	WScript.exe	31
PID 1836 wrote to memory of 2904	1836	cmd.exe	33
PID 1836 wrote to memory of 2904	1836	cmd.exe	33
PID 1836 wrote to memory of 2904	1836	cmd.exe	33
PID 1836 wrote to memory of 2904	1836	cmd.exe	33
PID 2904 wrote to memory of 1260	2904	DllCommonsvc.exe	47
PID 2904 wrote to memory of 1260	2904	DllCommonsvc.exe	47
PID 2904 wrote to memory of 1260	2904	DllCommonsvc.exe	47
PID 2904 wrote to memory of 1792	2904	DllCommonsvc.exe	48
PID 2904 wrote to memory of 1792	2904	DllCommonsvc.exe	48
PID 2904 wrote to memory of 1792	2904	DllCommonsvc.exe	48
PID 2904 wrote to memory of 1704	2904	DllCommonsvc.exe	49
PID 2904 wrote to memory of 1704	2904	DllCommonsvc.exe	49
PID 2904 wrote to memory of 1704	2904	DllCommonsvc.exe	49
PID 2904 wrote to memory of 660	2904	DllCommonsvc.exe	50
PID 2904 wrote to memory of 660	2904	DllCommonsvc.exe	50
PID 2904 wrote to memory of 660	2904	DllCommonsvc.exe	50
PID 2904 wrote to memory of 2876	2904	DllCommonsvc.exe	51
PID 2904 wrote to memory of 2876	2904	DllCommonsvc.exe	51
PID 2904 wrote to memory of 2876	2904	DllCommonsvc.exe	51
PID 2904 wrote to memory of 692	2904	DllCommonsvc.exe	56
PID 2904 wrote to memory of 692	2904	DllCommonsvc.exe	56
PID 2904 wrote to memory of 692	2904	DllCommonsvc.exe	56
PID 692 wrote to memory of 576	692	DllCommonsvc.exe	97
PID 692 wrote to memory of 576	692	DllCommonsvc.exe	97
PID 692 wrote to memory of 576	692	DllCommonsvc.exe	97
PID 692 wrote to memory of 2232	692	DllCommonsvc.exe	98
PID 692 wrote to memory of 2232	692	DllCommonsvc.exe	98
PID 692 wrote to memory of 2232	692	DllCommonsvc.exe	98
PID 692 wrote to memory of 1676	692	DllCommonsvc.exe	99
PID 692 wrote to memory of 1676	692	DllCommonsvc.exe	99
PID 692 wrote to memory of 1676	692	DllCommonsvc.exe	99
PID 692 wrote to memory of 1680	692	DllCommonsvc.exe	101
PID 692 wrote to memory of 1680	692	DllCommonsvc.exe	101
PID 692 wrote to memory of 1680	692	DllCommonsvc.exe	101
PID 692 wrote to memory of 2240	692	DllCommonsvc.exe	104
PID 692 wrote to memory of 2240	692	DllCommonsvc.exe	104
PID 692 wrote to memory of 2240	692	DllCommonsvc.exe	104
PID 692 wrote to memory of 3068	692	DllCommonsvc.exe	105
PID 692 wrote to memory of 3068	692	DllCommonsvc.exe	105
PID 692 wrote to memory of 3068	692	DllCommonsvc.exe	105
PID 692 wrote to memory of 2660	692	DllCommonsvc.exe	107
PID 692 wrote to memory of 2660	692	DllCommonsvc.exe	107
PID 692 wrote to memory of 2660	692	DllCommonsvc.exe	107
PID 692 wrote to memory of 3060	692	DllCommonsvc.exe	108
PID 692 wrote to memory of 3060	692	DllCommonsvc.exe	108
PID 692 wrote to memory of 3060	692	DllCommonsvc.exe	108
PID 692 wrote to memory of 2840	692	DllCommonsvc.exe	110
PID 692 wrote to memory of 2840	692	DllCommonsvc.exe	110
PID 692 wrote to memory of 2840	692	DllCommonsvc.exe	110
PID 692 wrote to memory of 1524	692	DllCommonsvc.exe	111
PID 692 wrote to memory of 1524	692	DllCommonsvc.exe	111
PID 692 wrote to memory of 1524	692	DllCommonsvc.exe	111
PID 692 wrote to memory of 1980	692	DllCommonsvc.exe	112
PID 692 wrote to memory of 1980	692	DllCommonsvc.exe	112
PID 692 wrote to memory of 1980	692	DllCommonsvc.exe	112
PID 692 wrote to memory of 1048	692	DllCommonsvc.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b7b11a65bec44bfb29fa4f96f57ffafbd7c0907ecf53ac73fc17efe0254e20eb.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b7b11a65bec44bfb29fa4f96f57ffafbd7c0907ecf53ac73fc17efe0254e20eb.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1836
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1260
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
    - - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:692
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\winlogon.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\lsass.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\fr-FR\wininit.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\dwm.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\smss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\ja-JP\WmiPrvSE.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\smss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\sppsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\fr-FR\wininit.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\services.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
      - C:\Program Files\Internet Explorer\fr-FR\wininit.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\wininit.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IVqzzTSBcr.bat"
        7⤵
        
        PID:1340
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2784
        
        C:\Program Files\Internet Explorer\fr-FR\wininit.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\wininit.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QLJ4q7S46F.bat"
        9⤵
        
        PID:2328
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2176
        
        C:\Program Files\Internet Explorer\fr-FR\wininit.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\wininit.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qpvm5o68kg.bat"
        11⤵
        
        PID:2072
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:3036
        
        C:\Program Files\Internet Explorer\fr-FR\wininit.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\wininit.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kz4ReWEb5Y.bat"
        13⤵
        
        PID:1320
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1804
        
        C:\Program Files\Internet Explorer\fr-FR\wininit.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\wininit.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5ixwcMXCIg.bat"
        15⤵
        
        PID:1988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:336
        
        C:\Program Files\Internet Explorer\fr-FR\wininit.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\wininit.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0ZxjVk2zv8.bat"
        17⤵
        
        PID:1044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1640
        
        C:\Program Files\Internet Explorer\fr-FR\wininit.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\wininit.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dXV640YnNf.bat"
        19⤵
        
        PID:2868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2676
        
        C:\Program Files\Internet Explorer\fr-FR\wininit.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\wininit.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fZs2sOO0th.bat"
        21⤵
        
        PID:992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1664
        
        C:\Program Files\Internet Explorer\fr-FR\wininit.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\wininit.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat"
        23⤵
        
        PID:968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2912
        
        C:\Program Files\Internet Explorer\fr-FR\wininit.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\wininit.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvFVSjZSRs.bat"
        25⤵
        
        PID:1712
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:308
        
        C:\Program Files\Internet Explorer\fr-FR\wininit.exe
        
        "C:\Program Files\Internet Explorer\fr-FR\wininit.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\en-US\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\en-US\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\providercommon\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Uninstall Information\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\Downloaded Program Files\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\Downloaded Program Files\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\fr-FR\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\fr-FR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\en-US\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\Setup\State\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Setup\State\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\Setup\State\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\fr-FR\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\fr-FR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\fr-FR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Fonts\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Fonts\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a0db06ed5ad059aa38b0ab04ce3455d

SHA1
6f412f546d6be925b7121a2cde3df4d45a8a4045

SHA256
fbe64280811b18245489b313c8d463190cf03eb49a0f587ed8ee20ecae112f5b

SHA512
77700596b143869184539268ab4859f48558a3b91bdc0f0ab138b4d72d1dec94c02309a95cf55d2be88e358cc66f32dd9325bb5d51e53ec1208ccc91465609bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c527a8ae9c497f3aa12d950cd40d850

SHA1
34475ecde95e37a5110e8659767b394d14e19328

SHA256
e175deee6bcc76894f3068a554fa43d73d68125b3c502d36d9eb31995b26633c

SHA512
0b95bff1ff9d01174d0aedbe1175878a03c3f65a7f6fcd613a55e3a48eb73bce1682c6c84a819ba0242e36e3d8d3972f639f272f00ac1be98343a364e4416ee5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
825482156b76f0072e394decd55704b1

SHA1
3c5c317f795aea349ea9da21b58a404e4f27c4e5

SHA256
c38be7109e478a39b262135f7396fbb5824157fa83ae9a33d7ff5f95f8e41954

SHA512
b52e23005369f6c39c5060ecb671f55ef49943708faa70ce1b12c5ff6f03187e8bc6a5f8963c43a1dcb1a45633f5dad60a11498e64cda1d1e8e976eb77595791

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b035f1e505a17ea37f89086bb9f9d6fe

SHA1
84c7b09d7bf273d9705263521148c9e20e51f2d7

SHA256
2de0f316e4638a36b8131fad8fc442e7f5313baaf8b7e13ce5834401259230e5

SHA512
420791f760f3e716aaebf64ec359b44e9b15d17860f8f9d7ab7b26ec9ee94cccfc23989aaef836bb51b5881e7198906e714370f9ba9952c95d385e31b4ebd637

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
928e2d3be8a12430d9f46b918ba1636a

SHA1
a0ad84109206e798fad75c00ae81005d697fbfed

SHA256
5f67cdc9aa00265bfd643f34faa68e9d05975242afab126b9c79c3080840b56e

SHA512
4cb6b3a3e997a323d9df88a4ab13eb44ba2c48b63df52380d31f08cbcd222e239894c297746cea67a470552d8898bf5b5e6215ae6f021d95b8427e1b50aba42c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d636452e05e79f3d980a39ba909ae287

SHA1
53c0ee848a8a048832246e8ac7bebbaded41304e

SHA256
5c26ff7da94076d2ffcd591803ba366b29b68b2abdd262cdbfe9d1adc1532842

SHA512
8f8f60be0588f4d055f0e9fdff293cdcc99f066bb190016965b49c0dfec96c4c8c7dd8f6bbf04bc5ab732ec83d1ec67964391037af6166bda4bdae5aa3a86927

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c5ec5110b8d1c80278c65a965d32e48

SHA1
af5b94117da27d6e07b8c93f657721690b98e953

SHA256
751e4a0c77b096cf0aa7d94b6aa337e01721696cde4d11167687c1b59d21a82d

SHA512
fe3aea51d0288503e4f0a212b28239acd4eb57b38b233564289f315362d84bcac6f7523e807c66534143f8d49602328f60cd42fc5949ca97a4936a75d8f0ab2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ff5ddefca22a8eb9c703a36d6e49e52

SHA1
5fd3df650b4cd35302de13e7554ac3d5ef754096

SHA256
a1fb5fa67adda188ebc139896c5243ba6583fd83d47c1685dafa5411271f705d

SHA512
ae1a5e654c5a839b7c766e6deb79be415f7f8d4de1ea5ef4156d19c181ae27b4c23889f89ea0ce1ca8a9101b93301b41a4ebfbea10ace76a2ac1741b403aaf90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
334d76ea266f2c7881a36a8898bb62f1

SHA1
1956db8a48a4874b401e6c556fe36f9546b57772

SHA256
9442fb1bb9c1fd3b52b21ebc3b10d176a6674b4347e461da4d7953b899921f11

SHA512
b70add66ca1443fb0f1ad48bd086e4234168c75424baafbeb51b6a544d3ad24f3e31505ab833bfb995044b62b27436b68b3368da879fb69a42e1ad0d81c5a745

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ZxjVk2zv8.bat

Filesize
217B

MD5
915f5db1d2ec111cf1e5ad93dbe7892d

SHA1
8cd091a608bfe2510058d9d37c95efa0aff5f373

SHA256
05b5106dfb8e8476b4414105fcc505c4ea17e6e056f348bd7f970b00a54aca31

SHA512
111010dc58ad565f366c737e7ad9f4f3441956038275579124a07b49ea3c797c57433fa612d96a9177a9b3f153596ab0e23cb240b367431af684de164751e6df

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ixwcMXCIg.bat

Filesize
217B

MD5
4c1b8de55abf08e4c045653cd483ed56

SHA1
669b47b6f9de8d69e5948e0048184bf128544632

SHA256
e3d3f59d18b3a8c5590d44373af4ce478a7508cfc4bd317cf428007b2dd682f8

SHA512
d275fb826e9932a7216163d633e665ff736a5b50fe8685bfc105d9d4b136950d29a9b2626f03d29bcc703cb662aced25daa5fa9701b286e78dc71da402ffd2d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDBFF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GvFVSjZSRs.bat

Filesize
217B

MD5
b505b9052919e3e95821428e3dc8d3cd

SHA1
db13391a1bdbc5c0be3dc5692fdc53d4838d1ead

SHA256
f670ff4f75f387bbd99aed3212750ef19522657c39be6c3ac8a2736b2e08ebac

SHA512
ab0c7211bd15800b20909616b5660e47653ef39fa9195483f0315a16415b40cc3b7a00ef963c59ee23194a37722d257b5645e272e2960d023b87e2f055456221

Download Submit
C:\Users\Admin\AppData\Local\Temp\IVqzzTSBcr.bat

Filesize
217B

MD5
d628067e191124897ab464c921eda444

SHA1
876b70b84f79121d20fc90ef0e51128ca025dc63

SHA256
9b5cc94b96eeaac1107e9e9ba930d043378323a79a6a266d823459dcde315d67

SHA512
80d6ec413d45bcac703e8ad973a8b7019d0b44f93ea00974f48d67394b5201e9b3c1e110d65eda6acdce0e2b576d2d0e517980a3febe11c598a9a89ec6c90ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\QLJ4q7S46F.bat

Filesize
217B

MD5
bc6fda002e0d3b30f454d5f8980566da

SHA1
1d20d82da4559d57a7ee2f57f461784fad13917e

SHA256
e65e7f3e7b15e3df52d7dae87b1479560ccbc1ab58417b8828ff14891432e162

SHA512
d6a66144256337e58a26c979764530236b57197206df195159d82144181fd2f95f91934ba8f13e2ddbcf6eb152d7fc8c695da0d8710750d7d664e892a8067244

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDC21.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat

Filesize
217B

MD5
05d0acd2b16028688866072f23a48a23

SHA1
6f77e39a5647a9dcfcff09a3a73c218a93a169b5

SHA256
09b63013898615cc0f44cf9d57dc57b38029512523524ed6b4d1ccf97310d1af

SHA512
9158d6f11cbe5a0b14dd5db545e63c046c67cc95fa1d128b9356937674c910f509e343eb4b7a09af00f59443b22bf07662ef3ac53c509071726f1c82f158ae2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dXV640YnNf.bat

Filesize
217B

MD5
8e13bdd0fa46fc9365730bd973aa8145

SHA1
4cc5405e217445417ed4af36c207d4c601c3ce54

SHA256
7985b17469e274d12e849c9e785ee9f1aa8927a8da0d3a0cfc533c826da7a335

SHA512
9b753d282ce35342ede09aef2f0a88507245fe03e526a2a37a60130eb9d2dc401aff1009d6806dd7a0ab6d250c2ef4648d5f48e280c8daa5156562ec94a9d059

Download Submit
C:\Users\Admin\AppData\Local\Temp\fZs2sOO0th.bat

Filesize
217B

MD5
3a4543d04407095c6c6f83a6d9843867

SHA1
24ea91efea4f7cde95bb59ea5b0bfe51a8615c7e

SHA256
dcdf92fe8cf49a9f5269f8c33ccb9f3693904c23fab8a3525139eff5b9192c72

SHA512
8ba9d1464a9ce2b14daf7fdac170034c94c4bc1dcca8c16edb5b8a5ceae0544d78ddc899eb946332cb12861fc0aaca41cf3bd8adb681f183d959c6dba0cfd6c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\kz4ReWEb5Y.bat

Filesize
217B

MD5
c0e4e5dba91a6293bdf1d1ce95ffd855

SHA1
a0c39319c532bb40cb6e9390baa30de78a0d4d40

SHA256
f4eb864119e7300f2ed44232598d0b8441f0dcc8c0b2662a26a3878bc85ad0a3

SHA512
af53b43221c9181c7332ac483e6aaeebaefe3ae7c9fa48ea23720b009a9d2417c581b2ea564aa1c5e362bc9f328e02dc98885f9426963455d255ce83d01013bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\qpvm5o68kg.bat

Filesize
217B

MD5
46c3301bc8046bc48628f5922b97c26b

SHA1
0442702b09751c3e40b3f9a58f1fd95a9344b645

SHA256
b5efcdb49c2442d6cde1b2dd5d0c4ae021dae305336df69fb9a825083fdd9f0d

SHA512
6b0b4e37cfdf21f225f9e08f0c532c0ead6984354cc9f253a80d199c4e057fa6c53c976aa4e799a15cb835f7306393beb6178285a3ffffc7ef2283531ca2f29d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XBGBN5CLQ3CTMMQLIOSO.temp

Filesize
7KB

MD5
cf67a1f18737ee2393dd4f00d4b46e22

SHA1
db71c83f8fcf6338ef53f05ed746e3fda2f7b101

SHA256
a667b2a4b6719b94993918c0970fbf966de0e6b6b02a9cf0d6a07938e94f96f0

SHA512
3531f16391c048736cf4ac4908eb3ad3a0c34d48bba872e88d0c82227c35a2c577112a2a8501c0d7f498ded747c2b9ffcee7e59c44c4562623c0d8d0fa272c85

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/396-688-0x00000000011F0000-0x0000000001300000-memory.dmp

Filesize
1.1MB

Download
memory/844-82-0x0000000000B80000-0x0000000000C90000-memory.dmp

Filesize
1.1MB

Download
memory/1524-509-0x0000000000F90000-0x00000000010A0000-memory.dmp

Filesize
1.1MB

Download
memory/1704-34-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/1704-44-0x00000000027D0000-0x00000000027D8000-memory.dmp

Filesize
32KB

Download
memory/1780-388-0x00000000000B0000-0x00000000001C0000-memory.dmp

Filesize
1.1MB

Download
memory/1788-448-0x0000000000D30000-0x0000000000E40000-memory.dmp

Filesize
1.1MB

Download
memory/1788-449-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/1792-628-0x00000000001E0000-0x00000000002F0000-memory.dmp

Filesize
1.1MB

Download
memory/2076-748-0x00000000003F0000-0x0000000000500000-memory.dmp

Filesize
1.1MB

Download
memory/2232-86-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2232-97-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2612-210-0x00000000013A0000-0x00000000014B0000-memory.dmp

Filesize
1.1MB

Download
memory/2904-14-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2904-16-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2904-13-0x0000000000330000-0x0000000000440000-memory.dmp

Filesize
1.1MB

Download
memory/2904-15-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2904-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download