dcrat | 9c87a4e4b890356a83fbf7b4cab03b996ad90496788c203503dfc344aa9b0930

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9c87a4e4b890356a83fbf7b4cab03b996ad90496788c203503dfc344aa9b0930.exe
Size

1.3MB
MD5

a5fc4e2cb2da56316afe676b08b1a1c2
SHA1

78d03dd64addcd58990263dd9a4ed40234fff44d
SHA256

9c87a4e4b890356a83fbf7b4cab03b996ad90496788c203503dfc344aa9b0930
SHA512

f82f8b829511949bd9c3016172e65e99dfd3e3bc3c2ba63712c1c4edb8ba10e57cd3711f01a4bdb3e625f73dcd53e8a6e524a385c7fb705d2e9c48bc9e7674aa
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2672	schtasks.exe	35

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000019609-9.dat	dcrat
behavioral1/memory/2176-13-0x0000000000310000-0x0000000000420000-memory.dmp	dcrat
behavioral1/memory/1156-150-0x0000000000F70000-0x0000000001080000-memory.dmp	dcrat
behavioral1/memory/2472-209-0x0000000001370000-0x0000000001480000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
560	powershell.exe
2680	powershell.exe
3008	powershell.exe
2252	powershell.exe
2692	powershell.exe
2012	powershell.exe
1632	powershell.exe
3016	powershell.exe
1080	powershell.exe
2560	powershell.exe
2592	powershell.exe
2700	powershell.exe
2192	powershell.exe
3064	powershell.exe
2828	powershell.exe
2156	powershell.exe
2880	powershell.exe
2212	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2176	DllCommonsvc.exe
1156	sppsvc.exe
2472	sppsvc.exe
2260	sppsvc.exe
1088	sppsvc.exe
1680	sppsvc.exe
1092	sppsvc.exe
3048	sppsvc.exe
560	sppsvc.exe
2564	sppsvc.exe
316	sppsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2152	cmd.exe
2152	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
37	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files\Uninstall Information\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\ja-JP\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\ja-JP\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\es-ES\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\es-ES\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\f3b6ecef712a24	DllCommonsvc.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\PCHEALTH\ERRORREP\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Windows\fr-FR\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\fr-FR\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Windows\Downloaded Program Files\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Windows\Downloaded Program Files\24dbde2999530e	DllCommonsvc.exe
File created	C:\Windows\Migration\WTR\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Windows\Speech\Common\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\Downloaded Program Files\WMIADAP.exe	DllCommonsvc.exe
File created	C:\Windows\Downloaded Program Files\75a57c1bdf437c	DllCommonsvc.exe
File opened for modification	C:\Windows\Downloaded Program Files\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Windows\Migration\WTR\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\PCHEALTH\ERRORREP\OSPPSVC.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9c87a4e4b890356a83fbf7b4cab03b996ad90496788c203503dfc344aa9b0930.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1064	schtasks.exe
2360	schtasks.exe
2644	schtasks.exe
348	schtasks.exe
2572	schtasks.exe
2800	schtasks.exe
2900	schtasks.exe
1160	schtasks.exe
2068	schtasks.exe
3036	schtasks.exe
1952	schtasks.exe
1832	schtasks.exe
2188	schtasks.exe
2596	schtasks.exe
2004	schtasks.exe
2744	schtasks.exe
2796	schtasks.exe
2732	schtasks.exe
316	schtasks.exe
1288	schtasks.exe
1648	schtasks.exe
1584	schtasks.exe
920	schtasks.exe
1532	schtasks.exe
1780	schtasks.exe
572	schtasks.exe
2684	schtasks.exe
2564	schtasks.exe
2884	schtasks.exe
1788	schtasks.exe
2992	schtasks.exe
3020	schtasks.exe
996	schtasks.exe
2216	schtasks.exe
2236	schtasks.exe
1768	schtasks.exe
2624	schtasks.exe
1300	schtasks.exe
1280	schtasks.exe
1816	schtasks.exe
2948	schtasks.exe
2516	schtasks.exe
2720	schtasks.exe
1932	schtasks.exe
2764	schtasks.exe
2788	schtasks.exe
1972	schtasks.exe
940	schtasks.exe
2232	schtasks.exe
1292	schtasks.exe
2472	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 10 IoCs

pid	Process
1156	sppsvc.exe
2472	sppsvc.exe
2260	sppsvc.exe
1088	sppsvc.exe
1680	sppsvc.exe
1092	sppsvc.exe
3048	sppsvc.exe
560	sppsvc.exe
2564	sppsvc.exe
316	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2176	DllCommonsvc.exe
2176	DllCommonsvc.exe
2176	DllCommonsvc.exe
560	powershell.exe
2012	powershell.exe
1080	powershell.exe
2592	powershell.exe
2192	powershell.exe
3016	powershell.exe
2212	powershell.exe
1632	powershell.exe
2680	powershell.exe
2828	powershell.exe
2692	powershell.exe
2156	powershell.exe
3064	powershell.exe
2700	powershell.exe
2880	powershell.exe
2560	powershell.exe
2252	powershell.exe
3008	powershell.exe
1156	sppsvc.exe
2472	sppsvc.exe
2260	sppsvc.exe
1088	sppsvc.exe
1680	sppsvc.exe
1092	sppsvc.exe
3048	sppsvc.exe
560	sppsvc.exe
2564	sppsvc.exe
316	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2176	DllCommonsvc.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	1156	sppsvc.exe
Token: SeDebugPrivilege	2472	sppsvc.exe
Token: SeDebugPrivilege	2260	sppsvc.exe
Token: SeDebugPrivilege	1088	sppsvc.exe
Token: SeDebugPrivilege	1680	sppsvc.exe
Token: SeDebugPrivilege	1092	sppsvc.exe
Token: SeDebugPrivilege	3048	sppsvc.exe
Token: SeDebugPrivilege	560	sppsvc.exe
Token: SeDebugPrivilege	2564	sppsvc.exe
Token: SeDebugPrivilege	316	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 576 wrote to memory of 1080	576	JaffaCakes118_9c87a4e4b890356a83fbf7b4cab03b996ad90496788c203503dfc344aa9b0930.exe	31
PID 576 wrote to memory of 1080	576	JaffaCakes118_9c87a4e4b890356a83fbf7b4cab03b996ad90496788c203503dfc344aa9b0930.exe	31
PID 576 wrote to memory of 1080	576	JaffaCakes118_9c87a4e4b890356a83fbf7b4cab03b996ad90496788c203503dfc344aa9b0930.exe	31
PID 576 wrote to memory of 1080	576	JaffaCakes118_9c87a4e4b890356a83fbf7b4cab03b996ad90496788c203503dfc344aa9b0930.exe	31
PID 1080 wrote to memory of 2152	1080	WScript.exe	32
PID 1080 wrote to memory of 2152	1080	WScript.exe	32
PID 1080 wrote to memory of 2152	1080	WScript.exe	32
PID 1080 wrote to memory of 2152	1080	WScript.exe	32
PID 2152 wrote to memory of 2176	2152	cmd.exe	34
PID 2152 wrote to memory of 2176	2152	cmd.exe	34
PID 2152 wrote to memory of 2176	2152	cmd.exe	34
PID 2152 wrote to memory of 2176	2152	cmd.exe	34
PID 2176 wrote to memory of 1632	2176	DllCommonsvc.exe	87
PID 2176 wrote to memory of 1632	2176	DllCommonsvc.exe	87
PID 2176 wrote to memory of 1632	2176	DllCommonsvc.exe	87
PID 2176 wrote to memory of 2012	2176	DllCommonsvc.exe	88
PID 2176 wrote to memory of 2012	2176	DllCommonsvc.exe	88
PID 2176 wrote to memory of 2012	2176	DllCommonsvc.exe	88
PID 2176 wrote to memory of 3016	2176	DllCommonsvc.exe	89
PID 2176 wrote to memory of 3016	2176	DllCommonsvc.exe	89
PID 2176 wrote to memory of 3016	2176	DllCommonsvc.exe	89
PID 2176 wrote to memory of 3008	2176	DllCommonsvc.exe	91
PID 2176 wrote to memory of 3008	2176	DllCommonsvc.exe	91
PID 2176 wrote to memory of 3008	2176	DllCommonsvc.exe	91
PID 2176 wrote to memory of 560	2176	DllCommonsvc.exe	93
PID 2176 wrote to memory of 560	2176	DllCommonsvc.exe	93
PID 2176 wrote to memory of 560	2176	DllCommonsvc.exe	93
PID 2176 wrote to memory of 1080	2176	DllCommonsvc.exe	95
PID 2176 wrote to memory of 1080	2176	DllCommonsvc.exe	95
PID 2176 wrote to memory of 1080	2176	DllCommonsvc.exe	95
PID 2176 wrote to memory of 2192	2176	DllCommonsvc.exe	96
PID 2176 wrote to memory of 2192	2176	DllCommonsvc.exe	96
PID 2176 wrote to memory of 2192	2176	DllCommonsvc.exe	96
PID 2176 wrote to memory of 2692	2176	DllCommonsvc.exe	98
PID 2176 wrote to memory of 2692	2176	DllCommonsvc.exe	98
PID 2176 wrote to memory of 2692	2176	DllCommonsvc.exe	98
PID 2176 wrote to memory of 2700	2176	DllCommonsvc.exe	100
PID 2176 wrote to memory of 2700	2176	DllCommonsvc.exe	100
PID 2176 wrote to memory of 2700	2176	DllCommonsvc.exe	100
PID 2176 wrote to memory of 2680	2176	DllCommonsvc.exe	101
PID 2176 wrote to memory of 2680	2176	DllCommonsvc.exe	101
PID 2176 wrote to memory of 2680	2176	DllCommonsvc.exe	101
PID 2176 wrote to memory of 2212	2176	DllCommonsvc.exe	102
PID 2176 wrote to memory of 2212	2176	DllCommonsvc.exe	102
PID 2176 wrote to memory of 2212	2176	DllCommonsvc.exe	102
PID 2176 wrote to memory of 2880	2176	DllCommonsvc.exe	103
PID 2176 wrote to memory of 2880	2176	DllCommonsvc.exe	103
PID 2176 wrote to memory of 2880	2176	DllCommonsvc.exe	103
PID 2176 wrote to memory of 2156	2176	DllCommonsvc.exe	104
PID 2176 wrote to memory of 2156	2176	DllCommonsvc.exe	104
PID 2176 wrote to memory of 2156	2176	DllCommonsvc.exe	104
PID 2176 wrote to memory of 2592	2176	DllCommonsvc.exe	105
PID 2176 wrote to memory of 2592	2176	DllCommonsvc.exe	105
PID 2176 wrote to memory of 2592	2176	DllCommonsvc.exe	105
PID 2176 wrote to memory of 2828	2176	DllCommonsvc.exe	106
PID 2176 wrote to memory of 2828	2176	DllCommonsvc.exe	106
PID 2176 wrote to memory of 2828	2176	DllCommonsvc.exe	106
PID 2176 wrote to memory of 2560	2176	DllCommonsvc.exe	107
PID 2176 wrote to memory of 2560	2176	DllCommonsvc.exe	107
PID 2176 wrote to memory of 2560	2176	DllCommonsvc.exe	107
PID 2176 wrote to memory of 3064	2176	DllCommonsvc.exe	108
PID 2176 wrote to memory of 3064	2176	DllCommonsvc.exe	108
PID 2176 wrote to memory of 3064	2176	DllCommonsvc.exe	108
PID 2176 wrote to memory of 2252	2176	DllCommonsvc.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9c87a4e4b890356a83fbf7b4cab03b996ad90496788c203503dfc344aa9b0930.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9c87a4e4b890356a83fbf7b4cab03b996ad90496788c203503dfc344aa9b0930.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:576
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2176
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\jre\lib\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\ERRORREP\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\ja-JP\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\fr-FR\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Minesweeper\es-ES\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\en-US\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SyU03ODmfe.bat"
        5⤵
        
        PID:1912
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2916
      - C:\Windows\fr-FR\sppsvc.exe
        
        "C:\Windows\fr-FR\sppsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GN1wkOWwnv.bat"
        7⤵
        
        PID:1796
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1580
        
        C:\Windows\fr-FR\sppsvc.exe
        
        "C:\Windows\fr-FR\sppsvc.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kUVpzpaF2i.bat"
        9⤵
        
        PID:924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2192
        
        C:\Windows\fr-FR\sppsvc.exe
        
        "C:\Windows\fr-FR\sppsvc.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRWwqJyPGw.bat"
        11⤵
        
        PID:2200
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2428
        
        C:\Windows\fr-FR\sppsvc.exe
        
        "C:\Windows\fr-FR\sppsvc.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat"
        13⤵
        
        PID:2212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:992
        
        C:\Windows\fr-FR\sppsvc.exe
        
        "C:\Windows\fr-FR\sppsvc.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\owZfSNRP11.bat"
        15⤵
        
        PID:2540
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:904
        
        C:\Windows\fr-FR\sppsvc.exe
        
        "C:\Windows\fr-FR\sppsvc.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IJ9EkrtYDM.bat"
        17⤵
        
        PID:2920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1912
        
        C:\Windows\fr-FR\sppsvc.exe
        
        "C:\Windows\fr-FR\sppsvc.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oVhzrLBDaJ.bat"
        19⤵
        
        PID:2308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2116
        
        C:\Windows\fr-FR\sppsvc.exe
        
        "C:\Windows\fr-FR\sppsvc.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iIDKKqsGny.bat"
        21⤵
        
        PID:2000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2120
        
        C:\Windows\fr-FR\sppsvc.exe
        
        "C:\Windows\fr-FR\sppsvc.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat"
        23⤵
        
        PID:2224
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2608
        
        C:\Windows\fr-FR\sppsvc.exe
        
        "C:\Windows\fr-FR\sppsvc.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I0OceA6Xfh.bat"
        25⤵
        
        PID:2076
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\Downloaded Program Files\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Windows\Downloaded Program Files\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\Migration\WTR\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\lib\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\lib\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\lib\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Windows\PCHEALTH\ERRORREP\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Windows\PCHEALTH\ERRORREP\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\ja-JP\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\fr-FR\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\Minesweeper\es-ES\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Minesweeper\es-ES\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Games\Minesweeper\es-ES\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\providercommon\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\Windows\Downloaded Program Files\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2696d59dbb3301700e1c79db0e2c0114

SHA1
5cd8b60457d0ea7cca5406073897ca1a28f8374e

SHA256
ce853e66815d00945ed62ee31d6bf165e953e48589fc6f30a9b168d3dddd312a

SHA512
480630a5d7f996e4b5f34af55f8f42e3fd78497f227ce73885fe9751a51c06e28ac5ce2ebc84e44689909dce3c39dee2092b35ff2758e47e36becab6c14783a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6aab7659113cc17cfd76225c7c261863

SHA1
83fdb65ca691a9f3d21fed20589b32708f1ed65a

SHA256
3055fe8d7cbf9065b3387080bcf379a550433975b3a4e55d028a073bc9dcae60

SHA512
4f32773f8b3094f08e8b48605acddafdff4227227ed021039dacb24cde676903248952d3521f541c5728106c0ff5708fb1d71328686965deffccc49764a8cba3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fcfb8ba158b6152393510168b318b2da

SHA1
2c3022e9fbf21ae6736535138c080b725ca4fdc4

SHA256
0f65a5a82df686fa21847ed4afebe6777605530fd27445380d2db1bc11426bf2

SHA512
ba492ef24183a1215b057bbc7d5fbabb5cc05adb1b25f9b828eaaaa8c9ab673e02729d4371a7e0f1eca2923cd82c5dbb7ae39ffafbc51c2b5f247f0260ff76f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b0aa6c519bf2dbea8581b234144fe2e

SHA1
a8006294c602370f0dc11b303919906c9e3e0879

SHA256
4c9448e2a2207791df4db51ee9a17f3d77b96724d380d253e8e7d3fb37d1a05f

SHA512
024b82316a7324bb5d63bac7ecd187d5b72e54c5363a6a2042933454f58b9d5815dad84cadee76b7337384e1b644fbacc826437ec070549379c71f6c6c2c6445

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ada3ea383152319d5e028064aae1147f

SHA1
4e40669d0d9e53734db62cc922bae4115a0c339c

SHA256
54946e43891dc004335926a66a26d0de5cde0fead529c904a8a4470a6b031c91

SHA512
3f6f1d8611579be8c7abc4dc776ce4e5b046d45b5eddcb3299a58adc99e9cb7c13994979f6c8388887033e498c2ce3ed4a14169b38d13a453d7a21b9da466aff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
466de00b9b183c13934a2a7fa6e6b6a0

SHA1
8bf7fba867c9e9cfec9e9a57fe028655b35b3c83

SHA256
dffde3505c22db18585b9025dc23c1f95f810d693a393f8cde6490dffd8c1559

SHA512
519692e68b3cb7ac9a70fcea3d2d9fb6cc8c0e4b52b1bd7769a4e501476eba44b51ce8e49bf1e00c28aef49a6ce407fc19b7fe818bcf5edb89e5e5ad4fc7f4fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d1fab3259e0a513e6675fea6b4a61c6

SHA1
89facab555f3a3c8049da50679a97a0427245330

SHA256
bf9f0be188c3daa2d4700a0e606b2b33d1e62bf129721ef603ac10f606b4ddea

SHA512
dc779f4643e7b0f7520cfbb2af59af595f5e45d0f9db4befc23479456f0d594858b14094bf727aa41fa4ef85166c93b6e57cdd9931b5d8e02a04d43442d4fec0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
321b17e83c882730e3678be1c585f471

SHA1
1079f6d31cc7e11f72b1d1bc8f880f710be946c2

SHA256
9dee53374e83a74c995008f2f614d9ff06da7d9d37ab5581b711ff3a7410b5fe

SHA512
4df87463798e4463906e16dcb1f602f15886970ee819a935cf5593039bda7006e255c6d2978b039acc01c9482f5ef1dd6912212436ac372f996d32b5ae7e9cd6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fdf3642dbfa184bcd8be80d40717c39c

SHA1
f378625edcfa4446a66cf1261ce676374531cce2

SHA256
d414c0eccbd750fdd7342e0a76e7ae97a9bffb196e10b790db3f7baa903e860e

SHA512
8a56fdcdc88a38918b952f1bb5524f65a4af980261a024bf3049c3cf53469c019f2ffb188d5af7141c7e42b0fcf0ad060b5755a5c4f6f56214d622a46640bc33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab48D5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GN1wkOWwnv.bat

Filesize
192B

MD5
277785719e48d0a0bd00852b31d09d31

SHA1
f6ca9bf0b3c814ab015a6679bfad904b95c6a8ae

SHA256
6984af1655bdb34874aead954bec81f94107bfba1e800c564cdf059a12c2a19f

SHA512
c3103765e2939eacf58a5bd0b819cfe2573460d7a2b7110fc9b3e7a8e28d9699f880d69633059003ba0c12865c543321b37c22dfdd0dc9142cff4810817916fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\I0OceA6Xfh.bat

Filesize
192B

MD5
0e1c3b50a8326ec03cd3b5a92d7f0564

SHA1
cae3f863adee9529a1465b405ef35d3bcdf2f881

SHA256
a9656e4df1bc04814e35c3745b02f0ee13410509516a2671d32f2e7b98afe36a

SHA512
0b4a68744bd89414c00c9747ae78b32640a6a8237f60bcb6ea399972b6870af0efbcef06bab624e15922d4d0d6b6e40a32a14fc141ca217ff249f5f0f1078843

Download Submit
C:\Users\Admin\AppData\Local\Temp\IJ9EkrtYDM.bat

Filesize
192B

MD5
b39e37f50be8eb1f65610e1a84f7f111

SHA1
647e018732a1db5b2733bb4efa84fb5c05d7fb5f

SHA256
083b7bcf5a53d3793ae9fb755e81f8cebe1e5b43be74667a86faeb4afdd9d826

SHA512
b4904f0b67fff4611d19658538af728a06443286f3efff2be9d834c63585d370a4290947436b2a26aeaa5ed7a96c2b0150f778bb4716712b2a9329397b2a8faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat

Filesize
192B

MD5
c74a1f56b45e1e7a539c9355d91aecaf

SHA1
ea62e8621d78ca59ff3e98abe8c9a7ab7ba1d13e

SHA256
f3f61839b18dc5068762491262a98b15fb71ff190ff121d5b2dc4d26cb6c8cb5

SHA512
82e39aa69148fdb9c39f92cd33cf3f5a4b27d6c04d33e7ae25eaa65b24c161ad29c8b4518375afa247edaf38a0c1c8301b5a248b8e221a9df5e897d3bd07cb1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SyU03ODmfe.bat

Filesize
192B

MD5
c58cec37c886d54e3d055ee724093453

SHA1
055b1296dad657e6740f21df5225f29890cb8170

SHA256
ef11cfee6481a44707b79884006f975c26308f82fb6a18638b316e9862bf2700

SHA512
21212a693b370c567723a036eed73b8ff17dfe98e6fa7a93031371a83a1b3cbe8e0b43e24897e1df29f4c96b54e0193350226824f181c35af9225320bac21789

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar48F7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIDKKqsGny.bat

Filesize
192B

MD5
ac65ee6c2c80f22bb4f29007ede4da92

SHA1
4d9c707ef9dc584e021781806cc3da1aa872e9a7

SHA256
1462549ca8e06782db4686fae962e774f4b3d5fb9ae2ea3d5c90a29fc0babf85

SHA512
f38402d62da5c1e85dceed923e297e0e19c104e1d7537265bfe437ebf175129727d6f8aa92a558cd31298b7e8928b816cca0c5d4508e511b5b84d53133ed28be

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUVpzpaF2i.bat

Filesize
192B

MD5
fea92c30e0fb900c1bf6aeec152b405f

SHA1
5ae96993d93adba089f70828cf178362168dd29e

SHA256
a12e1d7a6a8f50b5be355d6d9315755e73c2bcce69cf9496893b068429f2f5b9

SHA512
880e1927f713794eeae03a3dc2593926bb50daca7e10d1b5810d9c3c562e52321fdd8f9c761bf99ceb9990766f601be77da0c1462c6071a0d7aca1d50cc635c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\oVhzrLBDaJ.bat

Filesize
192B

MD5
81a09700eca7c92a9947bc7f37d266a2

SHA1
0dcbfabb8c1f8406dff9c58c5a6a0e04fd1836d0

SHA256
c82af2b2fe8fe8c3ecb7ee9fa1e090978b12e6788a19cfefeb45d8eb258e4e5a

SHA512
f5d883b065c7885b404306ceff63f82e41eee6ab55b968c2d3236c4cbef9ec5da0bc9b9d3c86ed4087d8bc062a4db6a943b1e962996048ef35f9a6f478c19f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\owZfSNRP11.bat

Filesize
192B

MD5
fdfaa8e0d1ada29da7e48df4e1178de5

SHA1
2ca6dddea632f5e68698e867c6d5312f5c449cb6

SHA256
b6a34087e47869ecf5261919b3ca812bb315efd856060031ea798af24faffa03

SHA512
4379570f8e030a019edfa7c52079c4cb38345b6c39859c71c52d1edc1774d09417a821b0a327f376b2d062320f6e93a20094852c9436e5256c2e070b6ae5f988

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat

Filesize
192B

MD5
cadd5d9bede705ee92ea8bbe33240974

SHA1
c73064766dd51c92dd415f10e8be1b80366cf50b

SHA256
bb6af2cf9e099c617f696cfd54fa29189d7c6dbc85697db19e1ffe37bfd23076

SHA512
17302a60a34a250938d5fa37cae98dcf1a9fe68799b4fa7fbf5d79e4ff2a0dc1d2dd7bc8df630cf0e2f9905d3f816188708079c80633975203545638715e6501

Download Submit
C:\Users\Admin\AppData\Local\Temp\wRWwqJyPGw.bat

Filesize
192B

MD5
d19b0ea7e4990bf5ce4b4976ceaef64c

SHA1
3addfb7b42f8bbff3c70ac8e421b933b9a1e1625

SHA256
88f28e84f99ac34840e174ddc3f2ef7b3a4b014b6621dbdcb1c2b9a8287c1894

SHA512
af0bfb8e24e2d3517b4baa0475372465702b37fdafa0eee899d3545b9c23695721ce0637909c94a546adc3cd828a4ebf6664b65eb54c18c92a83481518e5c0c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
63c767d0ec41e9fb0ffe024177df2d0a

SHA1
3f4278ecc6a51b6924c854edbf09e6730757b047

SHA256
e2d44103cf5702715f61d816c4ea0cdd755395f67a919ffee1d55328079b5ba2

SHA512
02abc65b63db227750693a59c212b4f51248167bf3017a90be9864864896cce8f5ee6ad639b70c4031ee925859d692c470cd45bb07591baba848142f62b8fb1b

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/316-684-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/560-66-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/560-67-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/560-565-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/1088-328-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/1156-150-0x0000000000F70000-0x0000000001080000-memory.dmp

Filesize
1.1MB

Download
memory/2176-17-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/2176-14-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2176-13-0x0000000000310000-0x0000000000420000-memory.dmp

Filesize
1.1MB

Download
memory/2176-15-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/2176-16-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/2472-209-0x0000000001370000-0x0000000001480000-memory.dmp

Filesize
1.1MB

Download