dcrat | e488ef073c850d3de5b5dd7e087696a5b17d2a08d2edf8b9bf44070a482a02aa

Analysis

max time kernel
147s
max time network
149s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
02/11/2022, 11:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e488ef073c850d3de5b5dd7e087696a5b17d2a08d2edf8b9bf44070a482a02aa.exe
Size

1.3MB
MD5

0a5cc64f2f77f6bc3271fe5feae3d707
SHA1

a0e400ce0a4914790da7af3634f559ed95bb26df
SHA256

e488ef073c850d3de5b5dd7e087696a5b17d2a08d2edf8b9bf44070a482a02aa
SHA512

8e873477bd5975e160c534ba1ebd6ca6714b63f07dac32314118afe8bbf47fd8100c2dab79f14e3d69351321945867848183e4b7ca0536a36c38f09ec0ace1cf
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3348	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5064	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4340	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4348	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4288	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	424	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	420	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	164	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	196	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	3176	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	3176	schtasks.exe	70

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001ac2d-281.dat	dcrat
behavioral1/memory/4812-282-0x00000000002A0000-0x00000000003B0000-memory.dmp	dcrat
behavioral1/files/0x000800000001ac2d-280.dat	dcrat
behavioral1/files/0x000600000001ac37-339.dat	dcrat
behavioral1/files/0x000600000001ac37-337.dat	dcrat
behavioral1/files/0x000600000001ac37-812.dat	dcrat
behavioral1/files/0x000600000001ac37-819.dat	dcrat
behavioral1/files/0x000600000001ac37-825.dat	dcrat
behavioral1/files/0x000600000001ac37-830.dat	dcrat
behavioral1/files/0x000600000001ac37-835.dat	dcrat
behavioral1/files/0x000600000001ac37-841.dat	dcrat
behavioral1/files/0x000600000001ac37-847.dat	dcrat
behavioral1/files/0x000600000001ac37-852.dat	dcrat
behavioral1/files/0x000600000001ac37-857.dat	dcrat
behavioral1/files/0x000600000001ac37-862.dat	dcrat

Executes dropped EXE 12 IoCs

pid	Process
4812	DllCommonsvc.exe
4868	csrss.exe
2736	csrss.exe
1528	csrss.exe
2412	csrss.exe
4792	csrss.exe
2220	csrss.exe
4736	csrss.exe
5100	csrss.exe
4364	csrss.exe
4516	csrss.exe
4564	csrss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\taskhostw.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\ea9f0e6c9e2dcd	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\root\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files\Google\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\Google\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\root\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Prefetch\ReadyBoot\lsass.exe	DllCommonsvc.exe
File created	C:\Windows\Prefetch\ReadyBoot\6203df4a6bafc7	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4488	schtasks.exe
1800	schtasks.exe
4472	schtasks.exe
4292	schtasks.exe
3348	schtasks.exe
5028	schtasks.exe
5044	schtasks.exe
2264	schtasks.exe
420	schtasks.exe
4208	schtasks.exe
1116	schtasks.exe
2324	schtasks.exe
4948	schtasks.exe
3032	schtasks.exe
3760	schtasks.exe
196	schtasks.exe
4624	schtasks.exe
4568	schtasks.exe
1244	schtasks.exe
316	schtasks.exe
372	schtasks.exe
5064	schtasks.exe
4348	schtasks.exe
4520	schtasks.exe
1028	schtasks.exe
1092	schtasks.exe
4340	schtasks.exe
4548	schtasks.exe
592	schtasks.exe
1464	schtasks.exe
4920	schtasks.exe
4660	schtasks.exe
1176	schtasks.exe
920	schtasks.exe
2816	schtasks.exe
4288	schtasks.exe
4480	schtasks.exe
424	schtasks.exe
164	schtasks.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	e488ef073c850d3de5b5dd7e087696a5b17d2a08d2edf8b9bf44070a482a02aa.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	csrss.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4812	DllCommonsvc.exe
4812	DllCommonsvc.exe
4812	DllCommonsvc.exe
4812	DllCommonsvc.exe
4812	DllCommonsvc.exe
656	powershell.exe
656	powershell.exe
2200	powershell.exe
2200	powershell.exe
1840	powershell.exe
1840	powershell.exe
2208	powershell.exe
2208	powershell.exe
1944	powershell.exe
1944	powershell.exe
1004	powershell.exe
1004	powershell.exe
2688	powershell.exe
2688	powershell.exe
2456	powershell.exe
2456	powershell.exe
2200	powershell.exe
3052	powershell.exe
3052	powershell.exe
3672	powershell.exe
3672	powershell.exe
3788	powershell.exe
3788	powershell.exe
4752	powershell.exe
4752	powershell.exe
4772	powershell.exe
4772	powershell.exe
2688	powershell.exe
4120	powershell.exe
4120	powershell.exe
4868	csrss.exe
4868	csrss.exe
2200	powershell.exe
656	powershell.exe
1840	powershell.exe
2208	powershell.exe
1004	powershell.exe
3052	powershell.exe
1944	powershell.exe
4752	powershell.exe
3672	powershell.exe
2688	powershell.exe
2456	powershell.exe
1004	powershell.exe
3788	powershell.exe
4772	powershell.exe
4120	powershell.exe
656	powershell.exe
1840	powershell.exe
2208	powershell.exe
1944	powershell.exe
3052	powershell.exe
3672	powershell.exe
3788	powershell.exe
2456	powershell.exe
4752	powershell.exe
4772	powershell.exe
4120	powershell.exe
2736	csrss.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4812	DllCommonsvc.exe
Token: SeDebugPrivilege	656	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	4868	csrss.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	3672	powershell.exe
Token: SeDebugPrivilege	3788	powershell.exe
Token: SeDebugPrivilege	4752	powershell.exe
Token: SeDebugPrivilege	4772	powershell.exe
Token: SeDebugPrivilege	4120	powershell.exe
Token: SeIncreaseQuotaPrivilege	2200	powershell.exe
Token: SeSecurityPrivilege	2200	powershell.exe
Token: SeTakeOwnershipPrivilege	2200	powershell.exe
Token: SeLoadDriverPrivilege	2200	powershell.exe
Token: SeSystemProfilePrivilege	2200	powershell.exe
Token: SeSystemtimePrivilege	2200	powershell.exe
Token: SeProfSingleProcessPrivilege	2200	powershell.exe
Token: SeIncBasePriorityPrivilege	2200	powershell.exe
Token: SeCreatePagefilePrivilege	2200	powershell.exe
Token: SeBackupPrivilege	2200	powershell.exe
Token: SeRestorePrivilege	2200	powershell.exe
Token: SeShutdownPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeSystemEnvironmentPrivilege	2200	powershell.exe
Token: SeRemoteShutdownPrivilege	2200	powershell.exe
Token: SeUndockPrivilege	2200	powershell.exe
Token: SeManageVolumePrivilege	2200	powershell.exe
Token: 33	2200	powershell.exe
Token: 34	2200	powershell.exe
Token: 35	2200	powershell.exe
Token: 36	2200	powershell.exe
Token: SeIncreaseQuotaPrivilege	2688	powershell.exe
Token: SeSecurityPrivilege	2688	powershell.exe
Token: SeTakeOwnershipPrivilege	2688	powershell.exe
Token: SeLoadDriverPrivilege	2688	powershell.exe
Token: SeSystemProfilePrivilege	2688	powershell.exe
Token: SeSystemtimePrivilege	2688	powershell.exe
Token: SeProfSingleProcessPrivilege	2688	powershell.exe
Token: SeIncBasePriorityPrivilege	2688	powershell.exe
Token: SeCreatePagefilePrivilege	2688	powershell.exe
Token: SeBackupPrivilege	2688	powershell.exe
Token: SeRestorePrivilege	2688	powershell.exe
Token: SeShutdownPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeSystemEnvironmentPrivilege	2688	powershell.exe
Token: SeRemoteShutdownPrivilege	2688	powershell.exe
Token: SeUndockPrivilege	2688	powershell.exe
Token: SeManageVolumePrivilege	2688	powershell.exe
Token: 33	2688	powershell.exe
Token: 34	2688	powershell.exe
Token: 35	2688	powershell.exe
Token: 36	2688	powershell.exe
Token: SeIncreaseQuotaPrivilege	1004	powershell.exe
Token: SeSecurityPrivilege	1004	powershell.exe
Token: SeTakeOwnershipPrivilege	1004	powershell.exe
Token: SeLoadDriverPrivilege	1004	powershell.exe
Token: SeSystemProfilePrivilege	1004	powershell.exe
Token: SeSystemtimePrivilege	1004	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 4740	2764	e488ef073c850d3de5b5dd7e087696a5b17d2a08d2edf8b9bf44070a482a02aa.exe	66
PID 2764 wrote to memory of 4740	2764	e488ef073c850d3de5b5dd7e087696a5b17d2a08d2edf8b9bf44070a482a02aa.exe	66
PID 2764 wrote to memory of 4740	2764	e488ef073c850d3de5b5dd7e087696a5b17d2a08d2edf8b9bf44070a482a02aa.exe	66
PID 4740 wrote to memory of 4276	4740	WScript.exe	67
PID 4740 wrote to memory of 4276	4740	WScript.exe	67
PID 4740 wrote to memory of 4276	4740	WScript.exe	67
PID 4276 wrote to memory of 4812	4276	cmd.exe	69
PID 4276 wrote to memory of 4812	4276	cmd.exe	69
PID 4812 wrote to memory of 2200	4812	DllCommonsvc.exe	137
PID 4812 wrote to memory of 2200	4812	DllCommonsvc.exe	137
PID 4812 wrote to memory of 1840	4812	DllCommonsvc.exe	136
PID 4812 wrote to memory of 1840	4812	DllCommonsvc.exe	136
PID 4812 wrote to memory of 656	4812	DllCommonsvc.exe	134
PID 4812 wrote to memory of 656	4812	DllCommonsvc.exe	134
PID 4812 wrote to memory of 1944	4812	DllCommonsvc.exe	132
PID 4812 wrote to memory of 1944	4812	DllCommonsvc.exe	132
PID 4812 wrote to memory of 2208	4812	DllCommonsvc.exe	130
PID 4812 wrote to memory of 2208	4812	DllCommonsvc.exe	130
PID 4812 wrote to memory of 2688	4812	DllCommonsvc.exe	128
PID 4812 wrote to memory of 2688	4812	DllCommonsvc.exe	128
PID 4812 wrote to memory of 1004	4812	DllCommonsvc.exe	109
PID 4812 wrote to memory of 1004	4812	DllCommonsvc.exe	109
PID 4812 wrote to memory of 2456	4812	DllCommonsvc.exe	110
PID 4812 wrote to memory of 2456	4812	DllCommonsvc.exe	110
PID 4812 wrote to memory of 3052	4812	DllCommonsvc.exe	125
PID 4812 wrote to memory of 3052	4812	DllCommonsvc.exe	125
PID 4812 wrote to memory of 3672	4812	DllCommonsvc.exe	123
PID 4812 wrote to memory of 3672	4812	DllCommonsvc.exe	123
PID 4812 wrote to memory of 4752	4812	DllCommonsvc.exe	112
PID 4812 wrote to memory of 4752	4812	DllCommonsvc.exe	112
PID 4812 wrote to memory of 3788	4812	DllCommonsvc.exe	120
PID 4812 wrote to memory of 3788	4812	DllCommonsvc.exe	120
PID 4812 wrote to memory of 4772	4812	DllCommonsvc.exe	113
PID 4812 wrote to memory of 4772	4812	DllCommonsvc.exe	113
PID 4812 wrote to memory of 4120	4812	DllCommonsvc.exe	119
PID 4812 wrote to memory of 4120	4812	DllCommonsvc.exe	119
PID 4812 wrote to memory of 4868	4812	DllCommonsvc.exe	118
PID 4812 wrote to memory of 4868	4812	DllCommonsvc.exe	118
PID 4868 wrote to memory of 4564	4868	csrss.exe	139
PID 4868 wrote to memory of 4564	4868	csrss.exe	139
PID 4564 wrote to memory of 1176	4564	cmd.exe	142
PID 4564 wrote to memory of 1176	4564	cmd.exe	142
PID 4564 wrote to memory of 2736	4564	cmd.exe	143
PID 4564 wrote to memory of 2736	4564	cmd.exe	143
PID 2736 wrote to memory of 4952	2736	csrss.exe	144
PID 2736 wrote to memory of 4952	2736	csrss.exe	144
PID 4952 wrote to memory of 3836	4952	cmd.exe	146
PID 4952 wrote to memory of 3836	4952	cmd.exe	146
PID 4952 wrote to memory of 1528	4952	cmd.exe	147
PID 4952 wrote to memory of 1528	4952	cmd.exe	147
PID 1528 wrote to memory of 4896	1528	csrss.exe	148
PID 1528 wrote to memory of 4896	1528	csrss.exe	148
PID 4896 wrote to memory of 2088	4896	cmd.exe	150
PID 4896 wrote to memory of 2088	4896	cmd.exe	150
PID 4896 wrote to memory of 2412	4896	cmd.exe	151
PID 4896 wrote to memory of 2412	4896	cmd.exe	151
PID 2412 wrote to memory of 348	2412	csrss.exe	152
PID 2412 wrote to memory of 348	2412	csrss.exe	152
PID 348 wrote to memory of 2304	348	cmd.exe	154
PID 348 wrote to memory of 2304	348	cmd.exe	154
PID 348 wrote to memory of 4792	348	cmd.exe	155
PID 348 wrote to memory of 4792	348	cmd.exe	155
PID 4792 wrote to memory of 2520	4792	csrss.exe	156
PID 4792 wrote to memory of 2520	4792	csrss.exe	156

C:\Users\Admin\AppData\Local\Temp\e488ef073c850d3de5b5dd7e087696a5b17d2a08d2edf8b9bf44070a482a02aa.exe
"C:\Users\Admin\AppData\Local\Temp\e488ef073c850d3de5b5dd7e087696a5b17d2a08d2edf8b9bf44070a482a02aa.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4276
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\root\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Templates\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4772
    - - C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4868
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yWf31kVUUl.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1176
        
        C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kUVpzpaF2i.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3836
        
        C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7FnFm4j3ls.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2088
        
        C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2304
        
        C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1JZ2DT5CuV.bat"
        14⤵
        
        PID:2520
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:776
        
        C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I1IMKnnpZ2.bat"
        16⤵
        
        PID:1640
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4744
        
        C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQXsfud8LV.bat"
        18⤵
        
        PID:4576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:3592
        
        C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5Ad8adCyX4.bat"
        20⤵
        
        PID:4548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2228
        
        C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wLA3izB53h.bat"
        22⤵
        
        PID:4740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4876
        
        C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4JlC5zfAS6.bat"
        24⤵
        
        PID:4444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:376
        
        C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe
        
        "C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hibqn60Xcy.bat"
        26⤵
        
        PID:872
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:5084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\lsass.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4120
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\en-US\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\odt\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\en-US\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\en-US\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\en-US\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\root\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\root\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Google\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Templates\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Templates\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Templates\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\Prefetch\ReadyBoot\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\Prefetch\ReadyBoot\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a165f887c05fbbf17baff31cff67fd8a

SHA1
21e6592f1eecc754163a651f069dcf99781915bb

SHA256
7dc1ea1f6dc68a095613a97a255655e0abe75d19741620f1f180c4d19524dfdd

SHA512
801bff0ccdfd85d4546ebb7a95dd8bbe6f1c2146f71953109b25b54cc3910762fc1e65154263086ec67f68c54d83f4639fa0c4978c2e6969607d0d49600ddd09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1a31887d7164f991008f8abe8bbbf477

SHA1
51e655985596b0325ec2c2bdc47f2c0027801e38

SHA256
b8888505095732312531200a7881f63c159639f6ff5661bbcd95f6903d5ebf04

SHA512
1663507c30d92a8156da6404ce06a3c85a7ad986fda92766922a947de884a52bdf57c7a6f7ed1ec4a12c7320634d284c50c390ac6019ea5ce5847dbfd80fd2e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7cc204e0388f81de8a8f36970b1fb77b

SHA1
c4d3ccb3d7e78bd124883a5e08d913c3d1b82ec1

SHA256
94f5f7f88a7a6c670e55deca207307409014681d3154b60cebe64ada4df40368

SHA512
2a5ccd5ea250e8b6acd87a36ac58ca373a01a904808a508a575b1c3dcfe4c35c6d0a6595d08933c193c0325a3e4d31172d335f52a37044b80e06a7977ee33680

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7cc204e0388f81de8a8f36970b1fb77b

SHA1
c4d3ccb3d7e78bd124883a5e08d913c3d1b82ec1

SHA256
94f5f7f88a7a6c670e55deca207307409014681d3154b60cebe64ada4df40368

SHA512
2a5ccd5ea250e8b6acd87a36ac58ca373a01a904808a508a575b1c3dcfe4c35c6d0a6595d08933c193c0325a3e4d31172d335f52a37044b80e06a7977ee33680

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6680195f49f753e99844911d48b174fa

SHA1
21349fcfc9609dd6b3317ac92c605d977474cab5

SHA256
f0267c4bf0203965d92b53949f93d9525c0c475baa59ea1fbca46791aded36fc

SHA512
31c23cca0c294ab4bc622dac71555decc0fc7e3a393e998ae36179b439b5d2c6c9aa15501bd0a230687b1658a0427ca2a1a7739834c6ee9863a82c52035f6ee6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b9362673911792a65046165856fd2d88

SHA1
aa8366e9fc331c74ad638003dad78168b1536e53

SHA256
83aca8a195a1ca7caa69356a59039b51e6eb425e0a44d6ad3ad4a03b69a91534

SHA512
5cb5b77eb6fccb2639be3069a70f14d964d5b478272d1abab4d8df079ac1ab99a9b6e23c253b55eb16dc4c91297e2c8a56d92763c1d367369bcf24a4105c3642

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6680195f49f753e99844911d48b174fa

SHA1
21349fcfc9609dd6b3317ac92c605d977474cab5

SHA256
f0267c4bf0203965d92b53949f93d9525c0c475baa59ea1fbca46791aded36fc

SHA512
31c23cca0c294ab4bc622dac71555decc0fc7e3a393e998ae36179b439b5d2c6c9aa15501bd0a230687b1658a0427ca2a1a7739834c6ee9863a82c52035f6ee6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b9362673911792a65046165856fd2d88

SHA1
aa8366e9fc331c74ad638003dad78168b1536e53

SHA256
83aca8a195a1ca7caa69356a59039b51e6eb425e0a44d6ad3ad4a03b69a91534

SHA512
5cb5b77eb6fccb2639be3069a70f14d964d5b478272d1abab4d8df079ac1ab99a9b6e23c253b55eb16dc4c91297e2c8a56d92763c1d367369bcf24a4105c3642

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4b37685415d51638e2f3761531f7dea8

SHA1
3b680439406cbd199d9c2126c5020e2814ea249e

SHA256
98bce2451f9ded3120b5182cfd8442d94372aa903de58265e0612372d3295380

SHA512
2116ab1893a9291534abb4ca52ae9beb954af34f3a848449c262fc5768df006edfd8e0eec80f05280025e529bb73af7ebea93b6b4596217cf191d194619ce5b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7a622b8b9caf275b6fe530b04c8c0f19

SHA1
7fd6bd00761170a35d7cbd18f825a58767940f53

SHA256
ab846dcac1ad37e46322df2877a765966cca6aa8dbad37f3a43a205c55582b20

SHA512
86d4c8c913f9250fcc475e5d33d944f43740273af8e63d5ceaba5a644830f5271a844038d59a39db8aef85730c4b4e39a27ea6ab3a57e52075cb2aae357c8bfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a8489154eb7ff000759f180058015d4c

SHA1
794f68285c3f761bb8dc41386396cb0029e578f8

SHA256
a9f1590cc9c5296c9be4f176f808301456809dc9e1710e85a3d2fa594d058615

SHA512
0e609e65b5b59961a0c32dd45e2d566e0054268418957a6ebe6f216b85ecf8849d793113566547330ddd6711bcf9c41a2abc39b3c3306ff2d6e7528b9af29f90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f6fc9a7097fc32a3138612155b198f07

SHA1
2efe4313ef7cb9b5a516cbba4896f2c76b5b788e

SHA256
58203a2714e7fb01e0d81b8fc561e096616c8e3457fdc442aea52adfcee05f25

SHA512
876bfbdcb4c4529107f87138ddc9ef5fb930c18a2cbe66744c3e6265c1dee8491aa9761431f0b1d2567212423fd060cc5409093372a6e3c26809684c80ffd81f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dfd2c2904e54bb7b72301b54943693f2

SHA1
d16d91424d9c66e7dcf2a9851202f03ea951004e

SHA256
d65d252194ed5b8b77ac42949ba43a2f44680e9a091b38fca5c7ceab5f4a1a8f

SHA512
9b1a3f87485381e1d73dcb51ba01e5af6e40d59167838e7c2b0ee7af7de1659c8aaff658bbbbdd538b1eb42cb8828d40ee3375289dcb0e38d23db2618e559e46

Download Submit
C:\Users\Admin\AppData\Local\Temp\1JZ2DT5CuV.bat

Filesize
225B

MD5
04e59128b2663677eb5f39f2f029dc79

SHA1
3fe905f095e07409c5dba15b4379b90eca35a8ab

SHA256
44d19070f618db5639e815f839061be392642bd41d4e7bfed6e9c8f7616235bf

SHA512
ac07bcb822b660c788a1d3edac1814810bd73ec4a99accd1485fec874779e21d989a29b62040eeecbf361c4c4dfb68ce68a65b16509b087ccf1a6a00b12f8637

Download Submit
C:\Users\Admin\AppData\Local\Temp\4JlC5zfAS6.bat

Filesize
225B

MD5
9cfd9de6fb744cd04576f0b76c94ede7

SHA1
5cf2729f1a2775b7ae4644d5aafb93b3c5479f22

SHA256
c6147aab63ca25fa2e62060f7033d5381bad5dae9eaeacc3ba5862ac053dd24b

SHA512
2fa9a3fed54ae8c06df597a363ecf2d76460c20a3020bd21fddcab1346ebd6de781114f8858fffb8405404549750b622f92574d8c8202ed050804727a4968148

Download Submit
C:\Users\Admin\AppData\Local\Temp\5Ad8adCyX4.bat

Filesize
225B

MD5
f2c96be350d32a67f67ee8007ba6299e

SHA1
4b253010e61dcc9d7ca2ac68ef57630f74437426

SHA256
7390ab9f8e26a0d8e9aed2c8e4336aa1fe3de46dcd956d0140a5e10148ff3455

SHA512
0201eb14083c42616403d6cb9cc52f781d90f415983c3f6b6480942613c08812ec8551b050a7046898395d0f7a7bb64d0588a9e2aaa5d4661771fce9c27537f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7FnFm4j3ls.bat

Filesize
225B

MD5
ce3d2bf84fc5d409eb0a8f2e0588a02a

SHA1
961ff2d5a14c4d34ceeb89fdb6668458e023cdae

SHA256
a9589899b4712edd0685bba788afa9d756ffda70119946d5bd20b5c980747a82

SHA512
155f40e77dd3d00e4bea4d118179c56445298e10d3dda673277574fa07a6a7b4da39e3cdc9adb5be83bac092ee38372d1ebd5206fe5035f9969c350e0db9817b

Download Submit
C:\Users\Admin\AppData\Local\Temp\I1IMKnnpZ2.bat

Filesize
225B

MD5
7f7fa89bf5896a740d54b04b0d506a80

SHA1
f7f975637a7bd478bf8c6db91a1f8df632e85269

SHA256
d865e2608c43ab91e6df2dfe1a13527619b8e9cea1f6d9ac649f0e2af7ae48fa

SHA512
c8a8ac5b9d1158a2762754b780e23d1e0ef29b2d8266bdc0213ee594e6b7c231aee0e99f2bf7456caedeea618afb4d0d1ce4021d793de6b3c4b1f7b9c2015dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat

Filesize
225B

MD5
43314cfff6d539ccd8914bb23a2fc5f0

SHA1
ea135589d3aa234fb5422a0bd533d1000dac0d0d

SHA256
c90bd28e1fd56ffeb31fbec5e652be28ad3314b2e3b6b01acc2ff27f77abaf6f

SHA512
690a903c0ff905ab9a121567fc09c9d30e52ffe55192557c7a191532bf59c75bd013fe3eceaca3dd7177bbd1b59c5d81f6c86c6fa01bbc04bfd125cf43140520

Download Submit
C:\Users\Admin\AppData\Local\Temp\hibqn60Xcy.bat

Filesize
225B

MD5
d819156224612acdd7d6949ace33a5bd

SHA1
d04624ae2aed8c7fefd3799416d747805530c2e0

SHA256
9b91bad28966e7b161b27fee3d52a45147ba74b20c8cc24e1d39479d11adff3e

SHA512
993b89bbd984589ba5d7c175c2a164f042d03105aa50e1da0346f1dbb1db54ab52edf01cb1bc3bcb9bcd64fd98d4496196bce923ed0991aed6560a626c9a4e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUVpzpaF2i.bat

Filesize
225B

MD5
d844f96115ec9bd0a4c74dbd0b2ce107

SHA1
bd7f258176be4df8d71cfd92aaa06d5aeac276ab

SHA256
472eb81322fa6ff176d70bcc99a948c6e40642b17ffb2564f28ceae5277112c5

SHA512
61e778e15bd55348be81ac446f59d32ce94734e3c139a80ad38cb922dc9bd55d90ab52711bfc6a373cfdf4ee7d658a0b92291b420632f5cec8800f16f866256a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQXsfud8LV.bat

Filesize
225B

MD5
902a5dc6fbf663d85113848a3eda4d03

SHA1
954630101a3a09764e5168cd26a75b3baf9df346

SHA256
035c27bd9dd7e1c1f5ce8728124f8960599dbd57d51e5c432f8140983021985f

SHA512
2713cd542329914e9a3fe5aa212cc3d882c454672db65e448f0dbcf7110b0e0b07597291aef19dd61e324377cf48b4487e58e9744b73f3afb574b8490822bde3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wLA3izB53h.bat

Filesize
225B

MD5
0a753ddfb81d8a49d6800c144914b146

SHA1
85b398934c1a0915d44ac9715ff2f4180b85623b

SHA256
c9c0f9a3543ac8c7a55c4f2dc90fad156969c5cc186943056639e4bdbbee9e0c

SHA512
cc2af5ec1ce86a79dbe5359272f370530fe8cfbb4e9a1d074c29278c4a198a995cd47e2bf10d92021c8f84a50afdedbc30ec33734634e3e7897c9de3a134ef74

Download Submit
C:\Users\Admin\AppData\Local\Temp\yWf31kVUUl.bat

Filesize
225B

MD5
4da73d6426fef2c044739fc888c71f05

SHA1
f24d7c9d8f5c92b9db678814ea8410614f8e445f

SHA256
1f5dffa47878ce61776cdb7891234ffbcf6740f93ab8e338f4ed124ad25e07e3

SHA512
9219a6e8b4cfcae73c6af27d3a49b32c71a459fc92772b3277397bae6940462e35a739056f880c4d118fbf977dc29212607d513003ba4041eae993cbb990e5d3

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1528-820-0x0000000000F10000-0x0000000000F22000-memory.dmp

Filesize
72KB

Download
memory/2200-376-0x00000240E5D60000-0x00000240E5DD6000-memory.dmp

Filesize
472KB

Download
memory/2200-359-0x00000240E50C0000-0x00000240E50E2000-memory.dmp

Filesize
136KB

Download
memory/2220-836-0x0000000001170000-0x0000000001182000-memory.dmp

Filesize
72KB

Download
memory/2736-814-0x0000000000FA0000-0x0000000000FB2000-memory.dmp

Filesize
72KB

Download
memory/2764-160-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-151-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-117-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-118-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-119-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-121-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-122-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-124-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-125-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-126-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-127-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-129-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-130-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-179-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-138-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-128-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-131-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-140-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-137-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-132-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-178-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-177-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-176-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-175-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-174-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-173-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-172-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-133-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-171-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-170-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-169-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-168-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-166-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-167-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-165-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-164-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-163-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-162-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-161-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-116-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-159-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-158-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-157-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-156-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-155-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-154-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-153-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-152-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-134-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-139-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-135-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-150-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-149-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-148-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-136-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-147-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-146-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-145-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-144-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-143-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-142-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/2764-141-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4564-863-0x00000000010E0000-0x00000000010F2000-memory.dmp

Filesize
72KB

Download
memory/4736-842-0x00000000012F0000-0x0000000001302000-memory.dmp

Filesize
72KB

Download
memory/4740-181-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4740-182-0x00000000779B0000-0x0000000077B3E000-memory.dmp

Filesize
1.6MB

Download
memory/4812-286-0x0000000000C60000-0x0000000000C6C000-memory.dmp

Filesize
48KB

Download
memory/4812-285-0x000000001B790000-0x000000001B79C000-memory.dmp

Filesize
48KB

Download
memory/4812-282-0x00000000002A0000-0x00000000003B0000-memory.dmp

Filesize
1.1MB

Download
memory/4812-284-0x0000000000C50000-0x0000000000C5C000-memory.dmp

Filesize
48KB

Download
memory/4812-283-0x0000000000C40000-0x0000000000C52000-memory.dmp

Filesize
72KB

Download
memory/4868-368-0x0000000001090000-0x00000000010A2000-memory.dmp

Filesize
72KB

Download