dcrat | 164027ada542847c265ba392675d697c79a4d2a37d7f5bb62d2248ed31a481e0

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_164027ada542847c265ba392675d697c79a4d2a37d7f5bb62d2248ed31a481e0.exe
Size

1.3MB
MD5

3bcf69632ca631159d7b79457aeb5cae
SHA1

3d8561764da880a4034ac6b838d83382e69b0557
SHA256

164027ada542847c265ba392675d697c79a4d2a37d7f5bb62d2248ed31a481e0
SHA512

7ef191602485bc2ddba9bc517764ae5ddba4735a1955bc69eb192bfee9b951226a15c3e85ad96e0f24f359f52c4479dd7b0c163c1a065b43cc2aab872fea2357
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2180	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2180	schtasks.exe	32

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016b86-9.dat	dcrat
behavioral1/memory/1460-13-0x0000000000250000-0x0000000000360000-memory.dmp	dcrat
behavioral1/memory/1628-157-0x0000000000ED0000-0x0000000000FE0000-memory.dmp	dcrat
behavioral1/memory/2216-217-0x0000000000350000-0x0000000000460000-memory.dmp	dcrat
behavioral1/memory/2980-277-0x0000000000300000-0x0000000000410000-memory.dmp	dcrat
behavioral1/memory/2892-337-0x0000000000C40000-0x0000000000D50000-memory.dmp	dcrat
behavioral1/memory/2424-456-0x00000000001D0000-0x00000000002E0000-memory.dmp	dcrat
behavioral1/memory/2052-516-0x0000000000020000-0x0000000000130000-memory.dmp	dcrat
behavioral1/memory/2336-576-0x0000000000910000-0x0000000000A20000-memory.dmp	dcrat
behavioral1/memory/2440-636-0x0000000000A30000-0x0000000000B40000-memory.dmp	dcrat
behavioral1/memory/2204-696-0x0000000000E70000-0x0000000000F80000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2052	powershell.exe
2272	powershell.exe
1980	powershell.exe
1636	powershell.exe
2700	powershell.exe
2940	powershell.exe
1660	powershell.exe
2136	powershell.exe
1604	powershell.exe
2304	powershell.exe
1984	powershell.exe
2820	powershell.exe
2628	powershell.exe
1964	powershell.exe
2260	powershell.exe
1608	powershell.exe
2588	powershell.exe
2696	powershell.exe
1720	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
1460	DllCommonsvc.exe
1628	smss.exe
2216	smss.exe
2980	smss.exe
2892	smss.exe
2500	smss.exe
2424	smss.exe
2052	smss.exe
2336	smss.exe
2440	smss.exe
2204	smss.exe

Loads dropped DLL 2 IoCs

pid	Process
2472	cmd.exe
2472	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\bin\server\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jre7\bin\server\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\ja-JP\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\ja-JP\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Java\jre7\bin\server\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\ja-JP\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\ja-JP\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\wininit.exe	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Boot\EFI\sv-SE\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\en-US\taskhost.exe	DllCommonsvc.exe
File created	C:\Windows\en-US\b75386f1303e64	DllCommonsvc.exe
File created	C:\Windows\Downloaded Program Files\services.exe	DllCommonsvc.exe
File created	C:\Windows\Downloaded Program Files\c5b4cb5e9653cc	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_164027ada542847c265ba392675d697c79a4d2a37d7f5bb62d2248ed31a481e0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2216	schtasks.exe
2640	schtasks.exe
2028	schtasks.exe
2864	schtasks.exe
320	schtasks.exe
1316	schtasks.exe
2712	schtasks.exe
3008	schtasks.exe
1832	schtasks.exe
764	schtasks.exe
2000	schtasks.exe
1620	schtasks.exe
2796	schtasks.exe
2768	schtasks.exe
1872	schtasks.exe
3068	schtasks.exe
848	schtasks.exe
1084	schtasks.exe
1784	schtasks.exe
2692	schtasks.exe
3004	schtasks.exe
1472	schtasks.exe
2404	schtasks.exe
2540	schtasks.exe
1556	schtasks.exe
1324	schtasks.exe
2064	schtasks.exe
776	schtasks.exe
1376	schtasks.exe
884	schtasks.exe
2664	schtasks.exe
2672	schtasks.exe
2868	schtasks.exe
2196	schtasks.exe
1392	schtasks.exe
1064	schtasks.exe
1676	schtasks.exe
1712	schtasks.exe
2608	schtasks.exe
2500	schtasks.exe
676	schtasks.exe
2828	schtasks.exe
2532	schtasks.exe
556	schtasks.exe
1236	schtasks.exe
2400	schtasks.exe
1944	schtasks.exe
1700	schtasks.exe
1068	schtasks.exe
1692	schtasks.exe
2680	schtasks.exe
2364	schtasks.exe
2044	schtasks.exe
2536	schtasks.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
1460	DllCommonsvc.exe
1460	DllCommonsvc.exe
1460	DllCommonsvc.exe
1460	DllCommonsvc.exe
1460	DllCommonsvc.exe
1460	DllCommonsvc.exe
1460	DllCommonsvc.exe
1460	DllCommonsvc.exe
1460	DllCommonsvc.exe
1460	DllCommonsvc.exe
1460	DllCommonsvc.exe
1980	powershell.exe
2820	powershell.exe
1608	powershell.exe
1604	powershell.exe
2304	powershell.exe
2272	powershell.exe
2136	powershell.exe
2260	powershell.exe
1636	powershell.exe
1964	powershell.exe
1660	powershell.exe
2588	powershell.exe
2696	powershell.exe
2940	powershell.exe
1984	powershell.exe
2700	powershell.exe
2628	powershell.exe
1720	powershell.exe
2052	powershell.exe
1628	smss.exe
2216	smss.exe
2980	smss.exe
2892	smss.exe
2500	smss.exe
2424	smss.exe
2052	smss.exe
2336	smss.exe
2440	smss.exe
2204	smss.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	1460	DllCommonsvc.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	1628	smss.exe
Token: SeDebugPrivilege	2216	smss.exe
Token: SeDebugPrivilege	2980	smss.exe
Token: SeDebugPrivilege	2892	smss.exe
Token: SeDebugPrivilege	2500	smss.exe
Token: SeDebugPrivilege	2424	smss.exe
Token: SeDebugPrivilege	2052	smss.exe
Token: SeDebugPrivilege	2336	smss.exe
Token: SeDebugPrivilege	2440	smss.exe
Token: SeDebugPrivilege	2204	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2188	2136	JaffaCakes118_164027ada542847c265ba392675d697c79a4d2a37d7f5bb62d2248ed31a481e0.exe	28
PID 2136 wrote to memory of 2188	2136	JaffaCakes118_164027ada542847c265ba392675d697c79a4d2a37d7f5bb62d2248ed31a481e0.exe	28
PID 2136 wrote to memory of 2188	2136	JaffaCakes118_164027ada542847c265ba392675d697c79a4d2a37d7f5bb62d2248ed31a481e0.exe	28
PID 2136 wrote to memory of 2188	2136	JaffaCakes118_164027ada542847c265ba392675d697c79a4d2a37d7f5bb62d2248ed31a481e0.exe	28
PID 2188 wrote to memory of 2472	2188	WScript.exe	29
PID 2188 wrote to memory of 2472	2188	WScript.exe	29
PID 2188 wrote to memory of 2472	2188	WScript.exe	29
PID 2188 wrote to memory of 2472	2188	WScript.exe	29
PID 2472 wrote to memory of 1460	2472	cmd.exe	31
PID 2472 wrote to memory of 1460	2472	cmd.exe	31
PID 2472 wrote to memory of 1460	2472	cmd.exe	31
PID 2472 wrote to memory of 1460	2472	cmd.exe	31
PID 1460 wrote to memory of 1604	1460	DllCommonsvc.exe	87
PID 1460 wrote to memory of 1604	1460	DllCommonsvc.exe	87
PID 1460 wrote to memory of 1604	1460	DllCommonsvc.exe	87
PID 1460 wrote to memory of 1980	1460	DllCommonsvc.exe	88
PID 1460 wrote to memory of 1980	1460	DllCommonsvc.exe	88
PID 1460 wrote to memory of 1980	1460	DllCommonsvc.exe	88
PID 1460 wrote to memory of 1720	1460	DllCommonsvc.exe	89
PID 1460 wrote to memory of 1720	1460	DllCommonsvc.exe	89
PID 1460 wrote to memory of 1720	1460	DllCommonsvc.exe	89
PID 1460 wrote to memory of 2304	1460	DllCommonsvc.exe	91
PID 1460 wrote to memory of 2304	1460	DllCommonsvc.exe	91
PID 1460 wrote to memory of 2304	1460	DllCommonsvc.exe	91
PID 1460 wrote to memory of 1608	1460	DllCommonsvc.exe	92
PID 1460 wrote to memory of 1608	1460	DllCommonsvc.exe	92
PID 1460 wrote to memory of 1608	1460	DllCommonsvc.exe	92
PID 1460 wrote to memory of 1984	1460	DllCommonsvc.exe	93
PID 1460 wrote to memory of 1984	1460	DllCommonsvc.exe	93
PID 1460 wrote to memory of 1984	1460	DllCommonsvc.exe	93
PID 1460 wrote to memory of 2136	1460	DllCommonsvc.exe	94
PID 1460 wrote to memory of 2136	1460	DllCommonsvc.exe	94
PID 1460 wrote to memory of 2136	1460	DllCommonsvc.exe	94
PID 1460 wrote to memory of 1636	1460	DllCommonsvc.exe	95
PID 1460 wrote to memory of 1636	1460	DllCommonsvc.exe	95
PID 1460 wrote to memory of 1636	1460	DllCommonsvc.exe	95
PID 1460 wrote to memory of 2820	1460	DllCommonsvc.exe	96
PID 1460 wrote to memory of 2820	1460	DllCommonsvc.exe	96
PID 1460 wrote to memory of 2820	1460	DllCommonsvc.exe	96
PID 1460 wrote to memory of 2052	1460	DllCommonsvc.exe	97
PID 1460 wrote to memory of 2052	1460	DllCommonsvc.exe	97
PID 1460 wrote to memory of 2052	1460	DllCommonsvc.exe	97
PID 1460 wrote to memory of 1660	1460	DllCommonsvc.exe	98
PID 1460 wrote to memory of 1660	1460	DllCommonsvc.exe	98
PID 1460 wrote to memory of 1660	1460	DllCommonsvc.exe	98
PID 1460 wrote to memory of 2272	1460	DllCommonsvc.exe	101
PID 1460 wrote to memory of 2272	1460	DllCommonsvc.exe	101
PID 1460 wrote to memory of 2272	1460	DllCommonsvc.exe	101
PID 1460 wrote to memory of 2940	1460	DllCommonsvc.exe	103
PID 1460 wrote to memory of 2940	1460	DllCommonsvc.exe	103
PID 1460 wrote to memory of 2940	1460	DllCommonsvc.exe	103
PID 1460 wrote to memory of 2260	1460	DllCommonsvc.exe	104
PID 1460 wrote to memory of 2260	1460	DllCommonsvc.exe	104
PID 1460 wrote to memory of 2260	1460	DllCommonsvc.exe	104
PID 1460 wrote to memory of 1964	1460	DllCommonsvc.exe	106
PID 1460 wrote to memory of 1964	1460	DllCommonsvc.exe	106
PID 1460 wrote to memory of 1964	1460	DllCommonsvc.exe	106
PID 1460 wrote to memory of 2588	1460	DllCommonsvc.exe	108
PID 1460 wrote to memory of 2588	1460	DllCommonsvc.exe	108
PID 1460 wrote to memory of 2588	1460	DllCommonsvc.exe	108
PID 1460 wrote to memory of 2696	1460	DllCommonsvc.exe	110
PID 1460 wrote to memory of 2696	1460	DllCommonsvc.exe	110
PID 1460 wrote to memory of 2696	1460	DllCommonsvc.exe	110
PID 1460 wrote to memory of 2700	1460	DllCommonsvc.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_164027ada542847c265ba392675d697c79a4d2a37d7f5bb62d2248ed31a481e0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_164027ada542847c265ba392675d697c79a4d2a37d7f5bb62d2248ed31a481e0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\bin\server\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\ja-JP\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Music\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\ja-JP\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zYsBxlCPqE.bat"
        5⤵
        
        PID:3000
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2772
      - C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat"
        7⤵
        
        PID:1608
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1184
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yMeEqlK1gO.bat"
        9⤵
        
        PID:2420
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:596
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cRRFCwJQFV.bat"
        11⤵
        
        PID:876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1968
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xghrCifyI9.bat"
        13⤵
        
        PID:2780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1224
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SK7IuFDp7o.bat"
        15⤵
        
        PID:2524
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:676
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s5uDoSCHZY.bat"
        17⤵
        
        PID:2792
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1736
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sPXGbYzrvf.bat"
        19⤵
        
        PID:1952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1720
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BlQmztffGe.bat"
        21⤵
        
        PID:1088
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2348
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5PKlq1uIo.bat"
        23⤵
        
        PID:2236
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:900
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\bin\server\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\server\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre7\bin\server\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\MSBuild\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\Downloaded Program Files\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\Downloaded Program Files\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\providercommon\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\ja-JP\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\en-US\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\en-US\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Windows\en-US\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Music\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default\Music\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Music\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\ja-JP\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\ja-JP\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df1f0e3e8ea6454b7cfdc930bff9321f

SHA1
36baee98e45fcbb6b04c031dc1921a5f2b2587cc

SHA256
990e6de5ccd6669f459c69f99387a05cedcba5c80e99df994bafc1236fb7aa77

SHA512
2545cc2f6f64e875f1f47dc146285aca415d310785278a3f7d369e7f5374a65607722d1bad47771e5dd024b2b0d0aebfa26f6fbfe1f28abc286ba2a19831d465

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff5128a5391005533dee1513934c13e7

SHA1
348633229bc4cb61e6ffd8b0aa63035dbe43bf05

SHA256
25f9f47044e1b1af516ab1f465760499fec4ea546babcd585e6c9d65ed175b40

SHA512
d050f7aa479bada84b682982617d0dde23dad5bf72e1b9abc665120a8edef38af8206122fb560a8fadcf679e6809fb32ac9785d90b1772d59d42136197bddb5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c29e6995bb7521d524047d57769cd4f

SHA1
af7307f840c14cdc7038c38069df4bf93d0e4cc3

SHA256
172eb3fcca25e4d0ee4f70f2493a8e42fa088a84cfbe5ff22547891195d7c473

SHA512
143ee46391a2043cd83d3e8fc01aaa701e502db25d7d607948124409139bca8591184752e5d2fd729e5adc22a4cf6d5835f1c48eb992b28d551a639277adb3c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22e601118558c4c9eaf8e587fcb2fd25

SHA1
036831d8f992a90d7c5e29fabb4e6ffbb2a300e0

SHA256
cabb76e3f669bb8903497c6e085816d4f6a4b87e9db6ff66ecc6d3e3eab99293

SHA512
528fd05d92d4adaae482f4294165ffae7ff6d3ced1322b8eda718e31a9fea46445d18a6ed73592825c47186ea014e72c05397a9e9aa9ee707f079c0ba18058d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b90b802697d1a58cf91ad31bbb27615f

SHA1
7466dc332da8ca65ec7e029a4d4dba38f776422d

SHA256
b3c36838d93ceea2fa14f3a07533c8db08ef8a27d0c4e67c9204dca51f7f0346

SHA512
e0f6975686a0be08c6d91c13565bf458e245c2f6fee7e73bd1334c15084b3522a8405cf43d8cd97e8a0ab9fe3a970f7ab1b9ab316122506b0493b19cf0a068b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01975b3bf11efccf7875586b5609c854

SHA1
973b814cb5a387f12023b9028cf148362db446f3

SHA256
8ec74e52348c9138bc24cbf9dd104391f046f1831769e33a300387901418498d

SHA512
1bf163773315c05f34ffe3ca723f2a2e7454f7cbaefc32bde3bc6f8663a53c1c0034c0ae94331e1a15b7cd82549c6903fdcd9af90688a3eb1c19630864a54b52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc5feb9cb138ae7cc85396ffa2f362e8

SHA1
64523367da83a9775f4c8de5f79b08f7510ebe95

SHA256
af62e51c317001e83e8f261b457d6c3415d240ba6135c62983e16abd1588a2fe

SHA512
5a9b1bc93b492d62273a3e7cc41df84527cf3aaa80cf99035f197b6e34dc93b03edd34b72749e1efa3fb318f7e64fa3fd247884bf0c6a21825e96d696abc7e5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ec44147516d83d0362c37d57343d1c0

SHA1
6e9b1602b25cf9c4e570180dda5812372ca82f19

SHA256
93033cc9de61e6ac2d0cdd731cded5073f7a7fdbf7705595fbc164a40aa77af0

SHA512
ec6ea63add1237dba978b786284fba23b0ec037d15ec2f379c280aa73add549d8ef3505b58f4d7409bdac0b32a8f2c8c5c8e8dc8e6102ff73fe97f3b780b62b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat

Filesize
222B

MD5
957aaa4d90cfde48d2745ba36c82d55a

SHA1
3514ba7189493a7e35570355f4c03c73b3b49234

SHA256
05688565e7549ea89c1f614d6a9755726a1b52641c05b5828afc39cd85b9e73d

SHA512
338dd023de92ae4ac070f44dee7680885063dc4374bb5c89da82be0fa2e35c70808e48cf65d3300eaf92731ecdb11423e2e9e14373d9ea712357fefc39475ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\BlQmztffGe.bat

Filesize
222B

MD5
fcbb477d64eb9eb87c7b1b20b0207ac7

SHA1
5f40773d2878873caddf35607fd5c05f01b62b27

SHA256
3598c80fe2d75ecf4d732dca4ae618e4d6cf50f1955f8d6ead1fc8a359aea67a

SHA512
d84dbdd189e936d9d7fa02a148efd2c815ad81d2461dc4c7bf99c641b0ee2f5aa802cc6f31863dca1337ec1678ba91985ea83f354c7da54227669970dab2534e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFD45.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SK7IuFDp7o.bat

Filesize
222B

MD5
6b48281ac753bf58568de77836ee35af

SHA1
78d57bc725ad200154ffab0504051d567c45711c

SHA256
5969964279e142eb95a4208b4bff61b6e9a87df8ac1ee3c0e471c24edb10bc69

SHA512
442695d1d363459ae6e4474fffb38b9e3934f33c9e140da54d55e5a3635ec8fa8d268e4aa764ebf1b25eeb2107fbb9e9a463cf4490c126558dc94cb2382cd987

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFD67.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cRRFCwJQFV.bat

Filesize
222B

MD5
7340eb6118f59a4ebd9d4d37483c0e3c

SHA1
3d69642ed0da722f39ab7c216a939765b01f6726

SHA256
88deca30a983f8a46c2282b2d5a22521b09adaaec7f334f49aee0c7271ee0df0

SHA512
269d4ad9325fcd87d75765d9caec7cd60e2eaac78335fdd18c9cc5f141de1b17ab652d99c7db1503a22de341c1a91fd047083068e8cfb5a0143e0194c1fb38ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\j5PKlq1uIo.bat

Filesize
222B

MD5
c1a8149c28667760e3f0fa72b1c84c7d

SHA1
2fa0255fea5ca2116de40509ef0499e23550a2eb

SHA256
72f52d6c920e880896b39b830f9d2b632f6ee7bae9119fcefa1c7ac3b1168efa

SHA512
70c49c6fe7a1dea0e13af8d82fca50e1718208c6b1d04cdc98a2a49abef657f07c3e5710da179b588e488d270527278851ab8b1932b2cf1ec1453897388bdf5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\s5uDoSCHZY.bat

Filesize
222B

MD5
9d9f0b8c4764739a9ecb0dd50620625b

SHA1
059e7f5fd00fbf6b859d5c588991fcf8db94a092

SHA256
110c596d8575c25dc58658043d8bbc2572a7a67dd02bc43cedf1825a21d8eaa8

SHA512
c8ba41ad5df3a709c2df1a484bc70246284b4d7f2e22c97d67eda93966dfbd4c237d5b9b7f69b0b70d49cdccb4ef40f335ac5842fe3d07ecfdcafcf0a57c23b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\sPXGbYzrvf.bat

Filesize
222B

MD5
1358920835481e5b0bd89e65aa384da2

SHA1
ea0f77868ecec01c3b414e75259d215900aae674

SHA256
1128e10c5dab9341b39adbab5afde81a153ea8e61da63f0b960815f212168f10

SHA512
99211deadd37639ec46cd12e4153e5c912618c0ce174b046246748619034531f7818c6616fe707715f53764702ec3fa409782d6e000ef525715c425511d71713

Download Submit
C:\Users\Admin\AppData\Local\Temp\xghrCifyI9.bat

Filesize
222B

MD5
8b2611b704b538e238ef168f4e5fe617

SHA1
0f2f74c142b54376b03e5ace7f76b17fa7bc761c

SHA256
d9805fb097b3b546e0f66aa8487f676ffef7382d280d67e2f5c3108e707dd94b

SHA512
6997a1cb3e2ce63a1c0e244a7f436ad5d3a94c08dea6b1bddc8aa29a7d31ccb24044fb4a31b370ef80206fac33e0fed65373ad995c3cfe3cff97be6181cc734a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMeEqlK1gO.bat

Filesize
222B

MD5
f6b79fbbb49f270a63209030b06fde5a

SHA1
3962d36d0a0ba506b7878418c94961376eb89be8

SHA256
d03f6e4353bda958e65c77ec7cbbd4f00b00018c0fe46a66d51543e5ade6c1e3

SHA512
1dfdf7b31798612dced7f25b7c6049328b09c787eb88cc76be236fb594223dc21bdc614b1fdfc3edd131143215c14af904e4066f03fb5a08f698102ecbdd015e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zYsBxlCPqE.bat

Filesize
222B

MD5
5b06848547e71b55d722be3cb40da16c

SHA1
67b9d22b91a5b2e556b453cb7969950797376e28

SHA256
2228391c58e57ba7c5be779b540aaca08f42b0c34229d67dc4327a3ed35392cf

SHA512
5ee097af0c243bdc1ef31f3527ac46d90af0bc812b1dbfed048d94109af30085194af13bcf200eb130c85f1ae76c734320932b3b7a3f6c5ad6e709348a625410

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5a8669766e9199b349268480d2a00900

SHA1
a74ab3d7e95c32bf05c9341f5eb59a471fdf668f

SHA256
7dc8a29da6fbb7520c9ee2cc38c23438e563f2f807ba9f88c140a00ed038a857

SHA512
383f096528bd224b93673303876c9dcb1d21cbd82fb6c128b0253acb7c69ee4dba1c3765924112f161a86dab1b69ffe9d4ebfc34e1322c8745e0950f53d3b1fb

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1460-13-0x0000000000250000-0x0000000000360000-memory.dmp

Filesize
1.1MB

Download
memory/1460-14-0x00000000005E0000-0x00000000005F2000-memory.dmp

Filesize
72KB

Download
memory/1460-15-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/1460-16-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/1460-17-0x0000000000610000-0x000000000061C000-memory.dmp

Filesize
48KB

Download
memory/1628-158-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/1628-157-0x0000000000ED0000-0x0000000000FE0000-memory.dmp

Filesize
1.1MB

Download
memory/1980-64-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/1980-62-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/2052-516-0x0000000000020000-0x0000000000130000-memory.dmp

Filesize
1.1MB

Download
memory/2204-696-0x0000000000E70000-0x0000000000F80000-memory.dmp

Filesize
1.1MB

Download
memory/2216-217-0x0000000000350000-0x0000000000460000-memory.dmp

Filesize
1.1MB

Download
memory/2336-576-0x0000000000910000-0x0000000000A20000-memory.dmp

Filesize
1.1MB

Download
memory/2424-456-0x00000000001D0000-0x00000000002E0000-memory.dmp

Filesize
1.1MB

Download
memory/2440-636-0x0000000000A30000-0x0000000000B40000-memory.dmp

Filesize
1.1MB

Download
memory/2892-337-0x0000000000C40000-0x0000000000D50000-memory.dmp

Filesize
1.1MB

Download
memory/2980-277-0x0000000000300000-0x0000000000410000-memory.dmp

Filesize
1.1MB

Download