dcrat | 950692092fbe9533fbaa8efa361a2d3f69b0cbf5ba919cf124eec089e36587e0

Analysis

max time kernel
146s
max time network
142s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
02/11/2022, 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

950692092fbe9533fbaa8efa361a2d3f69b0cbf5ba919cf124eec089e36587e0.exe
Size

1.3MB
MD5

7f397d0b3842f1b99f104d6f8e50df6a
SHA1

49d6b35fdc8c22fe36b6a1c5b7946bcc88d9f063
SHA256

950692092fbe9533fbaa8efa361a2d3f69b0cbf5ba919cf124eec089e36587e0
SHA512

01803593037ddae77fc084cda04af2993bac8e79b92a13c428de055ff4f62d57637f30fe54e11e2b97997f84ebf1a5849c8093270bd6c12f357a253c1159f03a
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3144	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3944	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4064	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3924	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3984	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	416	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3300	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	232	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3288	764	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	764	schtasks.exe	70

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000900000001ac39-284.dat	dcrat
behavioral1/files/0x000900000001ac39-285.dat	dcrat
behavioral1/memory/3332-286-0x0000000000590000-0x00000000006A0000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac54-347.dat	dcrat
behavioral1/files/0x000600000001ac54-345.dat	dcrat
behavioral1/files/0x000600000001ac54-825.dat	dcrat
behavioral1/files/0x000600000001ac54-831.dat	dcrat
behavioral1/files/0x000600000001ac54-836.dat	dcrat
behavioral1/files/0x000600000001ac54-842.dat	dcrat
behavioral1/files/0x000600000001ac54-847.dat	dcrat
behavioral1/files/0x000600000001ac54-853.dat	dcrat
behavioral1/files/0x000600000001ac54-858.dat	dcrat
behavioral1/files/0x000600000001ac54-864.dat	dcrat
behavioral1/files/0x000600000001ac54-870.dat	dcrat
behavioral1/files/0x000600000001ac54-875.dat	dcrat

Executes dropped EXE 12 IoCs

pid	Process
3332	DllCommonsvc.exe
4176	ShellExperienceHost.exe
416	ShellExperienceHost.exe
3812	ShellExperienceHost.exe
5112	ShellExperienceHost.exe
188	ShellExperienceHost.exe
2704	ShellExperienceHost.exe
1800	ShellExperienceHost.exe
1708	ShellExperienceHost.exe
4540	ShellExperienceHost.exe
2200	ShellExperienceHost.exe
5088	ShellExperienceHost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Portable Devices\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\56085415360792	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\sihost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\66fc9ff0ee96c2	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\56085415360792	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SchCache\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\SchCache\5940a34987c991	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4608	schtasks.exe
1800	schtasks.exe
4644	schtasks.exe
4640	schtasks.exe
232	schtasks.exe
216	schtasks.exe
4944	schtasks.exe
4560	schtasks.exe
324	schtasks.exe
3288	schtasks.exe
4480	schtasks.exe
4428	schtasks.exe
4540	schtasks.exe
2300	schtasks.exe
3924	schtasks.exe
4404	schtasks.exe
4620	schtasks.exe
416	schtasks.exe
3944	schtasks.exe
3984	schtasks.exe
2224	schtasks.exe
868	schtasks.exe
4516	schtasks.exe
4456	schtasks.exe
3900	schtasks.exe
4528	schtasks.exe
4436	schtasks.exe
660	schtasks.exe
1916	schtasks.exe
3976	schtasks.exe
2052	schtasks.exe
3692	schtasks.exe
4424	schtasks.exe
4976	schtasks.exe
3992	schtasks.exe
4896	schtasks.exe
4064	schtasks.exe
2516	schtasks.exe
3752	schtasks.exe
3300	schtasks.exe
3144	schtasks.exe
4988	schtasks.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	950692092fbe9533fbaa8efa361a2d3f69b0cbf5ba919cf124eec089e36587e0.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	ShellExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	ShellExperienceHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3332	DllCommonsvc.exe
3332	DllCommonsvc.exe
3332	DllCommonsvc.exe
3332	DllCommonsvc.exe
3332	DllCommonsvc.exe
3332	DllCommonsvc.exe
3332	DllCommonsvc.exe
2188	powershell.exe
2188	powershell.exe
2216	powershell.exe
2216	powershell.exe
656	powershell.exe
656	powershell.exe
1240	powershell.exe
1240	powershell.exe
912	powershell.exe
912	powershell.exe
1240	powershell.exe
912	powershell.exe
2188	powershell.exe
656	powershell.exe
2216	powershell.exe
912	powershell.exe
1240	powershell.exe
2188	powershell.exe
1456	powershell.exe
1456	powershell.exe
1588	powershell.exe
1588	powershell.exe
656	powershell.exe
2216	powershell.exe
1636	powershell.exe
1636	powershell.exe
1588	powershell.exe
1440	powershell.exe
1440	powershell.exe
2168	powershell.exe
2168	powershell.exe
1900	powershell.exe
1900	powershell.exe
4472	powershell.exe
4472	powershell.exe
1884	powershell.exe
1884	powershell.exe
2688	powershell.exe
2688	powershell.exe
4468	powershell.exe
4468	powershell.exe
1456	powershell.exe
4176	ShellExperienceHost.exe
4176	ShellExperienceHost.exe
1588	powershell.exe
1636	powershell.exe
1440	powershell.exe
1456	powershell.exe
1900	powershell.exe
2168	powershell.exe
4472	powershell.exe
1884	powershell.exe
2688	powershell.exe
4468	powershell.exe
1636	powershell.exe
1440	powershell.exe
1900	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3332	DllCommonsvc.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	656	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	4176	ShellExperienceHost.exe
Token: SeDebugPrivilege	4472	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeIncreaseQuotaPrivilege	912	powershell.exe
Token: SeSecurityPrivilege	912	powershell.exe
Token: SeTakeOwnershipPrivilege	912	powershell.exe
Token: SeLoadDriverPrivilege	912	powershell.exe
Token: SeSystemProfilePrivilege	912	powershell.exe
Token: SeSystemtimePrivilege	912	powershell.exe
Token: SeProfSingleProcessPrivilege	912	powershell.exe
Token: SeIncBasePriorityPrivilege	912	powershell.exe
Token: SeCreatePagefilePrivilege	912	powershell.exe
Token: SeBackupPrivilege	912	powershell.exe
Token: SeRestorePrivilege	912	powershell.exe
Token: SeShutdownPrivilege	912	powershell.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeSystemEnvironmentPrivilege	912	powershell.exe
Token: SeRemoteShutdownPrivilege	912	powershell.exe
Token: SeUndockPrivilege	912	powershell.exe
Token: SeManageVolumePrivilege	912	powershell.exe
Token: 33	912	powershell.exe
Token: 34	912	powershell.exe
Token: 35	912	powershell.exe
Token: 36	912	powershell.exe
Token: SeIncreaseQuotaPrivilege	1240	powershell.exe
Token: SeSecurityPrivilege	1240	powershell.exe
Token: SeTakeOwnershipPrivilege	1240	powershell.exe
Token: SeLoadDriverPrivilege	1240	powershell.exe
Token: SeSystemProfilePrivilege	1240	powershell.exe
Token: SeSystemtimePrivilege	1240	powershell.exe
Token: SeProfSingleProcessPrivilege	1240	powershell.exe
Token: SeIncBasePriorityPrivilege	1240	powershell.exe
Token: SeCreatePagefilePrivilege	1240	powershell.exe
Token: SeBackupPrivilege	1240	powershell.exe
Token: SeRestorePrivilege	1240	powershell.exe
Token: SeShutdownPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeSystemEnvironmentPrivilege	1240	powershell.exe
Token: SeRemoteShutdownPrivilege	1240	powershell.exe
Token: SeUndockPrivilege	1240	powershell.exe
Token: SeManageVolumePrivilege	1240	powershell.exe
Token: 33	1240	powershell.exe
Token: 34	1240	powershell.exe
Token: 35	1240	powershell.exe
Token: 36	1240	powershell.exe
Token: SeIncreaseQuotaPrivilege	2188	powershell.exe
Token: SeSecurityPrivilege	2188	powershell.exe
Token: SeTakeOwnershipPrivilege	2188	powershell.exe
Token: SeLoadDriverPrivilege	2188	powershell.exe
Token: SeSystemProfilePrivilege	2188	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 4704	1788	950692092fbe9533fbaa8efa361a2d3f69b0cbf5ba919cf124eec089e36587e0.exe	66
PID 1788 wrote to memory of 4704	1788	950692092fbe9533fbaa8efa361a2d3f69b0cbf5ba919cf124eec089e36587e0.exe	66
PID 1788 wrote to memory of 4704	1788	950692092fbe9533fbaa8efa361a2d3f69b0cbf5ba919cf124eec089e36587e0.exe	66
PID 4704 wrote to memory of 5108	4704	WScript.exe	67
PID 4704 wrote to memory of 5108	4704	WScript.exe	67
PID 4704 wrote to memory of 5108	4704	WScript.exe	67
PID 5108 wrote to memory of 3332	5108	cmd.exe	69
PID 5108 wrote to memory of 3332	5108	cmd.exe	69
PID 3332 wrote to memory of 2216	3332	DllCommonsvc.exe	113
PID 3332 wrote to memory of 2216	3332	DllCommonsvc.exe	113
PID 3332 wrote to memory of 2188	3332	DllCommonsvc.exe	130
PID 3332 wrote to memory of 2188	3332	DllCommonsvc.exe	130
PID 3332 wrote to memory of 656	3332	DllCommonsvc.exe	114
PID 3332 wrote to memory of 656	3332	DllCommonsvc.exe	114
PID 3332 wrote to memory of 912	3332	DllCommonsvc.exe	115
PID 3332 wrote to memory of 912	3332	DllCommonsvc.exe	115
PID 3332 wrote to memory of 1456	3332	DllCommonsvc.exe	126
PID 3332 wrote to memory of 1456	3332	DllCommonsvc.exe	126
PID 3332 wrote to memory of 1240	3332	DllCommonsvc.exe	117
PID 3332 wrote to memory of 1240	3332	DllCommonsvc.exe	117
PID 3332 wrote to memory of 1588	3332	DllCommonsvc.exe	118
PID 3332 wrote to memory of 1588	3332	DllCommonsvc.exe	118
PID 3332 wrote to memory of 1636	3332	DllCommonsvc.exe	119
PID 3332 wrote to memory of 1636	3332	DllCommonsvc.exe	119
PID 3332 wrote to memory of 1440	3332	DllCommonsvc.exe	120
PID 3332 wrote to memory of 1440	3332	DllCommonsvc.exe	120
PID 3332 wrote to memory of 1900	3332	DllCommonsvc.exe	122
PID 3332 wrote to memory of 1900	3332	DllCommonsvc.exe	122
PID 3332 wrote to memory of 2168	3332	DllCommonsvc.exe	131
PID 3332 wrote to memory of 2168	3332	DllCommonsvc.exe	131
PID 3332 wrote to memory of 2688	3332	DllCommonsvc.exe	132
PID 3332 wrote to memory of 2688	3332	DllCommonsvc.exe	132
PID 3332 wrote to memory of 1884	3332	DllCommonsvc.exe	134
PID 3332 wrote to memory of 1884	3332	DllCommonsvc.exe	134
PID 3332 wrote to memory of 4472	3332	DllCommonsvc.exe	135
PID 3332 wrote to memory of 4472	3332	DllCommonsvc.exe	135
PID 3332 wrote to memory of 4468	3332	DllCommonsvc.exe	139
PID 3332 wrote to memory of 4468	3332	DllCommonsvc.exe	139
PID 3332 wrote to memory of 4176	3332	DllCommonsvc.exe	143
PID 3332 wrote to memory of 4176	3332	DllCommonsvc.exe	143
PID 4176 wrote to memory of 3648	4176	ShellExperienceHost.exe	145
PID 4176 wrote to memory of 3648	4176	ShellExperienceHost.exe	145
PID 3648 wrote to memory of 2648	3648	cmd.exe	147
PID 3648 wrote to memory of 2648	3648	cmd.exe	147
PID 3648 wrote to memory of 416	3648	cmd.exe	148
PID 3648 wrote to memory of 416	3648	cmd.exe	148
PID 416 wrote to memory of 3408	416	ShellExperienceHost.exe	149
PID 416 wrote to memory of 3408	416	ShellExperienceHost.exe	149
PID 3408 wrote to memory of 4632	3408	cmd.exe	151
PID 3408 wrote to memory of 4632	3408	cmd.exe	151
PID 3408 wrote to memory of 3812	3408	cmd.exe	152
PID 3408 wrote to memory of 3812	3408	cmd.exe	152
PID 3812 wrote to memory of 68	3812	ShellExperienceHost.exe	153
PID 3812 wrote to memory of 68	3812	ShellExperienceHost.exe	153
PID 68 wrote to memory of 2880	68	cmd.exe	155
PID 68 wrote to memory of 2880	68	cmd.exe	155
PID 68 wrote to memory of 5112	68	cmd.exe	156
PID 68 wrote to memory of 5112	68	cmd.exe	156
PID 5112 wrote to memory of 4624	5112	ShellExperienceHost.exe	157
PID 5112 wrote to memory of 4624	5112	ShellExperienceHost.exe	157
PID 4624 wrote to memory of 3344	4624	cmd.exe	159
PID 4624 wrote to memory of 3344	4624	cmd.exe	159
PID 4624 wrote to memory of 188	4624	cmd.exe	160
PID 4624 wrote to memory of 188	4624	cmd.exe	160

C:\Users\Admin\AppData\Local\Temp\950692092fbe9533fbaa8efa361a2d3f69b0cbf5ba919cf124eec089e36587e0.exe
"C:\Users\Admin\AppData\Local\Temp\950692092fbe9533fbaa8efa361a2d3f69b0cbf5ba919cf124eec089e36587e0.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5108
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3332
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\ShellExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4468
    - - C:\odt\ShellExperienceHost.exe
        
        "C:\odt\ShellExperienceHost.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4176
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9kwbr7Wkdx.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2648
        
        C:\odt\ShellExperienceHost.exe
        
        "C:\odt\ShellExperienceHost.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:416
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:4632
        
        C:\odt\ShellExperienceHost.exe
        
        "C:\odt\ShellExperienceHost.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:68
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2880
        
        C:\odt\ShellExperienceHost.exe
        
        "C:\odt\ShellExperienceHost.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l8nFZEr7oq.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:3344
        
        C:\odt\ShellExperienceHost.exe
        
        "C:\odt\ShellExperienceHost.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eTpA0L9dlX.bat"
        14⤵
        
        PID:4740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:4612
        
        C:\odt\ShellExperienceHost.exe
        
        "C:\odt\ShellExperienceHost.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s2EHkno7yQ.bat"
        16⤵
        
        PID:4712
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1116
        
        C:\odt\ShellExperienceHost.exe
        
        "C:\odt\ShellExperienceHost.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WM6x9zCNT5.bat"
        18⤵
        
        PID:4032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4552
        
        C:\odt\ShellExperienceHost.exe
        
        "C:\odt\ShellExperienceHost.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat"
        20⤵
        
        PID:3136
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:3172
        
        C:\odt\ShellExperienceHost.exe
        
        "C:\odt\ShellExperienceHost.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzqLwOyuSO.bat"
        22⤵
        
        PID:1880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1900
        
        C:\odt\ShellExperienceHost.exe
        
        "C:\odt\ShellExperienceHost.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat"
        24⤵
        
        PID:3948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2112
        
        C:\odt\ShellExperienceHost.exe
        
        "C:\odt\ShellExperienceHost.exe"
        25⤵
        Executes dropped EXE
        
        PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\odt\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\odt\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\SchCache\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\SchCache\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\SchCache\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\odt\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\odt\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\providercommon\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\providercommon\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ShellExperienceHost.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0b2c28a1108a1d1a1f5360d87692b14a

SHA1
4d5363851c7fd0461e37f26a9cd8be6d8a91ccaf

SHA256
17be9d6bfd0a1495bb98abb0608c19429dba02b46a90ab512607edf1e29e62ca

SHA512
fab202411098234497b344631ab45c1ffe3f9606251911a942cc81757ee2e443fc38c155f77205fcbc3f54d2446884eb76a7d411cdee2974d4e086f1df03f028

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0b2c28a1108a1d1a1f5360d87692b14a

SHA1
4d5363851c7fd0461e37f26a9cd8be6d8a91ccaf

SHA256
17be9d6bfd0a1495bb98abb0608c19429dba02b46a90ab512607edf1e29e62ca

SHA512
fab202411098234497b344631ab45c1ffe3f9606251911a942cc81757ee2e443fc38c155f77205fcbc3f54d2446884eb76a7d411cdee2974d4e086f1df03f028

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0c7006658df834c6b211640947fa8c5a

SHA1
1e98a697474b8b0826a890f13d614193938aeac6

SHA256
ffa443c447a93ee451d47c388bc0d5bfd60f46068d594c91fe23ed083b107e5d

SHA512
a0a699f61fcb2268e0601009577072243ba1377efdd5cf5d0f1320d2115ae3e6de98e64ee140abb160366ca1b865a81bc79a05964114ff21418d9881f335d57e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f06392420aa9a2479d3aeb6ee3656cef

SHA1
3cb4c5568b09bfc43604ce9cbd5e4fd5e1116c86

SHA256
d6c55211ecdb771468c91f5155ea55dea488f1b64b4d23675a48875c0449ed20

SHA512
2453e1b7ce1dc10093688b6481cfe14241aa4378b569e15bf986300da8c29126a06f0ac391ade5cf2f0ec7b9b3f20d2df38ee7df571f7af37e457101843687dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2e8f2561b101156b967130c83a7ea51f

SHA1
9fc9ab02b14fcdfe3203f6e80de0d90114d87767

SHA256
6d5b7243f52e41b4e0bc317ec125ff73ddbc293aed8040cabc2083b6acfbcf04

SHA512
1b1ebee4e4b61e6295e17ff6991f8fd064d1e780763b503ff4b2de0a897368648b7c02c743cac8f45842b8567fddddecb83521be59a1d606ba113d951625b9d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2e8f2561b101156b967130c83a7ea51f

SHA1
9fc9ab02b14fcdfe3203f6e80de0d90114d87767

SHA256
6d5b7243f52e41b4e0bc317ec125ff73ddbc293aed8040cabc2083b6acfbcf04

SHA512
1b1ebee4e4b61e6295e17ff6991f8fd064d1e780763b503ff4b2de0a897368648b7c02c743cac8f45842b8567fddddecb83521be59a1d606ba113d951625b9d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6ee5f4f130d196b114aadab6f6616592

SHA1
c600a4dffab3f62a5bc3502a6141ad79e1b7ff84

SHA256
309e5b657dff4021be983e7bb2759cd942b5fdfc1651d04b67fb96c8d4d0a447

SHA512
8404f8069db2ad967729b1bb6f6a383897f175889f27f4712b05e9217ea5d1767a99a8553e9fa044c4f5ba66be15b6abf9834d899aa891f6a3b79ed14e05fcfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2e8f2561b101156b967130c83a7ea51f

SHA1
9fc9ab02b14fcdfe3203f6e80de0d90114d87767

SHA256
6d5b7243f52e41b4e0bc317ec125ff73ddbc293aed8040cabc2083b6acfbcf04

SHA512
1b1ebee4e4b61e6295e17ff6991f8fd064d1e780763b503ff4b2de0a897368648b7c02c743cac8f45842b8567fddddecb83521be59a1d606ba113d951625b9d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
81cabd8f3d4314a3845b469c34e3470d

SHA1
dba95d59050661ba208a5100207e32498e07954b

SHA256
9b1757f539bbbe0f66070b6302a018c79e8c572dfe35c51743a40d3da6bd790e

SHA512
3e2d3b35908fff4ace2e050290913e5eacd6985ced7c4cfa4565d946ab3aa48f6b65dcef59a7558d9939601bc38cbc988a58f9987a22ff48974b0591985fcfdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
81cabd8f3d4314a3845b469c34e3470d

SHA1
dba95d59050661ba208a5100207e32498e07954b

SHA256
9b1757f539bbbe0f66070b6302a018c79e8c572dfe35c51743a40d3da6bd790e

SHA512
3e2d3b35908fff4ace2e050290913e5eacd6985ced7c4cfa4565d946ab3aa48f6b65dcef59a7558d9939601bc38cbc988a58f9987a22ff48974b0591985fcfdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
87d90c83121fc3408a7253eb5841399f

SHA1
8367fd2c75daf1b6dbf4501c2b068d7892962a0c

SHA256
c2dc34a546619ff3b34fcaca5e06bc3485661ce49acd3d219fa42f875bc2beb6

SHA512
7e96bb5f09338a34d9d1e773307979cb28ab10c7a6c1d585efe62d96352a1b7f5c39fc62b6e6d99fc689ffcd4a5af46da137f2730b4c6fd82d7043baeb026477

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
87d90c83121fc3408a7253eb5841399f

SHA1
8367fd2c75daf1b6dbf4501c2b068d7892962a0c

SHA256
c2dc34a546619ff3b34fcaca5e06bc3485661ce49acd3d219fa42f875bc2beb6

SHA512
7e96bb5f09338a34d9d1e773307979cb28ab10c7a6c1d585efe62d96352a1b7f5c39fc62b6e6d99fc689ffcd4a5af46da137f2730b4c6fd82d7043baeb026477

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0b0914593b1f77fba94e5b5ab8d666b3

SHA1
31910e8e5005ab23a885f18f90903bd9abe4ec46

SHA256
7fa05b31d31d44163c5ffedec8e1ac308e906bc82b8ccf5a8e3ba8f0fc29400e

SHA512
27f51994ec5d23ddbec76443d0415d12cb00145b45bdde11a6d1c3b726021f3faec8a7bb1dcc2c9f49326e1a46357c279decfc8731eaf14dc8db0996059bc407

Download Submit
C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat

Filesize
195B

MD5
b78583722535c74fc4bdede3761c8ce4

SHA1
392a93ba4eae2cb0e362a74313620c9219f3fb3a

SHA256
0e9acabbb858f76f8740967da0a9d4325f99af6ab22fbe5e3d975b9bed8d3ecf

SHA512
bf31b71c912a3bc43e5b35530353276a0403ba536fd02550c17edc3fc0ef0ecf424427db6c87faaaeadfacf83fa414c73e19d15db5e74dee5042bf920af5aa11

Download Submit
C:\Users\Admin\AppData\Local\Temp\9kwbr7Wkdx.bat

Filesize
195B

MD5
758ac3b622041d7414245b906cf38d42

SHA1
dc1c721ce0ce3d38c84ffc9142c90574f07ee86c

SHA256
892bb767faa10715eabffce74282031d31c0fa92079460897eb3de3c7fe8c95a

SHA512
47a4aa4593d5ffb7fd39b2f087053d96ddd8e37db440fd46734ccf6fdd8fc118cd0a8db126e24813d3d109532673e7543108baed755139c73090f31a6162a2a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat

Filesize
195B

MD5
b74871f70d60157a8b9c30227d1df9e6

SHA1
ef8ec03cd0964ff08ce6c7c2cf5f19b753493b66

SHA256
7ddd01a404241c0a3a4b258024241076e2fc4f2affa0ac794a70a4c080d16a9d

SHA512
725f5ca9e3c42b913a0acbc4390131b7c67305c6a87e4452b5a29364ab51bb87829768c324dbe51c9c43b0cbf71670c45ef0424a9b1b973b20df5433ba1895f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat

Filesize
195B

MD5
3897f16c11671248b89ce1f4a6a5f1f9

SHA1
fd6eda98b82ac0d04bb19e3d029b360882663faa

SHA256
c5076a4a42c2c045e7bce73f43248435e2d747923e179b8788253246c8f38b39

SHA512
89f913ce112d1703038ecb01f3ba9c47aecbfd8a068c512a2824e569ada0c1407e79144637ee4e547634956b615e02102f44112820bd442a0561d06fe190d40a

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat

Filesize
195B

MD5
1a769d7a55cafa1f97ddc75b061a58ec

SHA1
d37b8f513fecbc95e146db7f773576a03bc4ce83

SHA256
b45e79ab4ad6b5b6e403189ee70a49ad23e65eba7297e1fa2b612a7cc714b6b9

SHA512
fdaac5541c5ec4c88221e971f8146344540329cab8ce06c8c0b9dc87c7107bc4b4e6364987978119385bfe961462cecb43683bf3fa60d4767817af402e2c56a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WM6x9zCNT5.bat

Filesize
195B

MD5
9689d4d911de4d2c196b685d7c644442

SHA1
bd6d30bde06ab8f5366ad0c248892d8f11ffa35d

SHA256
40a57f8a03f1076abf94a72e9ceff13abf3ab0ceae68c90dd3f0629978c7d432

SHA512
3fdd9b97c3a94c82cd23cdd32b7659ff0a5a0a10ce4da265dcac586daa8b786958b0ee4e1064c0e05a7bff21b19b6373740a900a89f22d969916e45d81fd555d

Download Submit
C:\Users\Admin\AppData\Local\Temp\eTpA0L9dlX.bat

Filesize
195B

MD5
1b8113f047124ed8f72e51b309d7fad2

SHA1
97de6691fd0c8de16d4b5ab010ba3efd2b9340fa

SHA256
08ca95c19efa39a103f0012bec6c8dda8c2bbacb03668d666664f826736dc100

SHA512
e81d7539cad75583c1b285dfda462a501a384008752e370e704907952b0d52fe714eda0bb73385cc03fa4658f131b6aef14761ea56a9d4914318aa5a8dfed646

Download Submit
C:\Users\Admin\AppData\Local\Temp\l8nFZEr7oq.bat

Filesize
195B

MD5
8ccb1cc3d9d8824ca2ff8cde314af4b5

SHA1
0df261527748d17d0f230ded4ac37ac60ae4cd19

SHA256
8069cc4b3335bc3cf39ae79ec3b2f193ebda0bd3798c0c3a9c0627595ae0def1

SHA512
97e9b28bfaa69310d5d17385d6a2a29c215c8a50592546f7f7510c116b5d5bcfbb3c1729dd17438ccdb5bed043cdec2274610244acec5705c86286e5d5c91eee

Download Submit
C:\Users\Admin\AppData\Local\Temp\qzqLwOyuSO.bat

Filesize
195B

MD5
7770d415aaa1f4c3574087fd59b57235

SHA1
d955cc0bf1399c5fbd0c29fcb7a4cedbc3865b83

SHA256
fb11bb62da8c3b03fadd32f020e18005501a01973c131da759560e7b4386be25

SHA512
bd238c0928f505c9ba60de52fbbe81ac8df7f298f2fb71025f987fc8028b7fa1a4d9f4d31b80042dc01c9debb37f486df7047c543d1304943dc7a562d751ef04

Download Submit
C:\Users\Admin\AppData\Local\Temp\s2EHkno7yQ.bat

Filesize
195B

MD5
b04f0db73ab2093eb302f7efc7049cf5

SHA1
b98f5f3e74c502890958719d0226eaf25253a08c

SHA256
57e33512a818373fe74b3fbef42a3287aeabd3ed90ce65a999f3b634f0a17be3

SHA512
f8d4ada35cdd95e80fe533d3b94f5f49465ce8dbc6faa2ff0b03847105b4e99a43d89d471d9330992bbdf9e9ecdc50f0f50b634e6d39fe299ae757fdc15568e9

Download Submit
C:\odt\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\ShellExperienceHost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1240-375-0x000001F2F21B0000-0x000001F2F2226000-memory.dmp

Filesize
472KB

Download
memory/1708-859-0x0000000001050000-0x0000000001062000-memory.dmp

Filesize
72KB

Download
memory/1788-152-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-131-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-180-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-181-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-182-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-183-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-121-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-138-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-122-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-173-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-172-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-123-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-140-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-171-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-170-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-125-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-141-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-126-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-128-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-175-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-176-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-169-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-168-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-167-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-178-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-177-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-166-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-120-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-150-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-129-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-142-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-148-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-137-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-149-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-130-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-139-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-165-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-164-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-136-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-163-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-132-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-162-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-133-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-161-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-160-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-159-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-158-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-157-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-156-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-155-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-154-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-153-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-174-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-151-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-179-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-134-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-143-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-147-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-146-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-145-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-144-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/1788-135-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/2188-365-0x000001BDA7E70000-0x000001BDA7E92000-memory.dmp

Filesize
136KB

Download
memory/2704-848-0x0000000001570000-0x0000000001582000-memory.dmp

Filesize
72KB

Download
memory/3332-287-0x00000000027F0000-0x0000000002802000-memory.dmp

Filesize
72KB

Download
memory/3332-286-0x0000000000590000-0x00000000006A0000-memory.dmp

Filesize
1.1MB

Download
memory/3332-288-0x0000000002800000-0x000000000280C000-memory.dmp

Filesize
48KB

Download
memory/3332-289-0x000000001BBF0000-0x000000001BBFC000-memory.dmp

Filesize
48KB

Download
memory/3332-290-0x0000000002810000-0x000000000281C000-memory.dmp

Filesize
48KB

Download
memory/4540-865-0x0000000000BA0000-0x0000000000BB2000-memory.dmp

Filesize
72KB

Download
memory/4704-185-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/4704-186-0x0000000077CB0000-0x0000000077E3E000-memory.dmp

Filesize
1.6MB

Download
memory/5088-876-0x0000000000FA0000-0x0000000000FB2000-memory.dmp

Filesize
72KB

Download
memory/5112-837-0x0000000001570000-0x0000000001582000-memory.dmp

Filesize
72KB

Download