dcrat | 5710c81f46196bc58638f4ae9791cfe3003ccfe74a93882fa0a4f1906b1df23e

Analysis

max time kernel
141s
max time network
138s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
04/11/2022, 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5710c81f46196bc58638f4ae9791cfe3003ccfe74a93882fa0a4f1906b1df23e.exe
Size

1.3MB
MD5

4d5f2ddb9e3995b4580a5ad8cfa5e62a
SHA1

76dd9a9ef02b0fba13aa958277a05a3ef7b3f151
SHA256

5710c81f46196bc58638f4ae9791cfe3003ccfe74a93882fa0a4f1906b1df23e
SHA512

db4027e7aa0954935958fa51ffc19aa646a309eeb4626ebe14f202800326e05e2a918c45e09e66b98a0de72c8a1955395c72b1492b3ee118605b93edc18fd07e
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	3020	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3172	3020	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3248	3020	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	3020	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	3020	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	3020	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	3020	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	3020	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4344	3020	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	3020	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	3020	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	3020	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	3020	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	3020	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	3020	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	3020	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	3020	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	3020	schtasks.exe	70

DCRat payload 17 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001ac1e-282.dat	dcrat
behavioral1/files/0x000800000001ac1e-283.dat	dcrat
behavioral1/memory/1836-284-0x0000000000400000-0x0000000000510000-memory.dmp	dcrat
behavioral1/files/0x000700000001ac2e-317.dat	dcrat
behavioral1/files/0x000700000001ac2e-316.dat	dcrat
behavioral1/files/0x000700000001ac2e-544.dat	dcrat
behavioral1/files/0x000700000001ac2e-550.dat	dcrat
behavioral1/files/0x000700000001ac2e-556.dat	dcrat
behavioral1/files/0x000700000001ac2e-561.dat	dcrat
behavioral1/files/0x000700000001ac2e-566.dat	dcrat
behavioral1/files/0x000700000001ac2e-572.dat	dcrat
behavioral1/files/0x000700000001ac2e-577.dat	dcrat
behavioral1/files/0x000700000001ac2e-582.dat	dcrat
behavioral1/files/0x000700000001ac2e-587.dat	dcrat
behavioral1/files/0x000700000001ac2e-592.dat	dcrat
behavioral1/files/0x000700000001ac2e-598.dat	dcrat
behavioral1/files/0x000700000001ac2e-604.dat	dcrat

Executes dropped EXE 14 IoCs

pid	Process
1836	DllCommonsvc.exe
2084	Idle.exe
3388	Idle.exe
4936	Idle.exe
5104	Idle.exe
212	Idle.exe
2236	Idle.exe
2820	Idle.exe
4888	Idle.exe
3352	Idle.exe
3896	Idle.exe
1144	Idle.exe
3580	Idle.exe
4900	Idle.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\Icons\spoolsv.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4344	schtasks.exe
4412	schtasks.exe
2796	schtasks.exe
4584	schtasks.exe
4504	schtasks.exe
5096	schtasks.exe
4544	schtasks.exe
4572	schtasks.exe
3180	schtasks.exe
3172	schtasks.exe
4680	schtasks.exe
4972	schtasks.exe
4244	schtasks.exe
3248	schtasks.exe
5100	schtasks.exe
4392	schtasks.exe
4596	schtasks.exe
4520	schtasks.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	5710c81f46196bc58638f4ae9791cfe3003ccfe74a93882fa0a4f1906b1df23e.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	Idle.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
1836	DllCommonsvc.exe
1836	DllCommonsvc.exe
1836	DllCommonsvc.exe
1836	DllCommonsvc.exe
1836	DllCommonsvc.exe
3956	powershell.exe
856	powershell.exe
3200	powershell.exe
492	powershell.exe
1144	powershell.exe
1056	powershell.exe
3956	powershell.exe
1360	powershell.exe
1360	powershell.exe
492	powershell.exe
1056	powershell.exe
2084	Idle.exe
492	powershell.exe
1360	powershell.exe
856	powershell.exe
3956	powershell.exe
3200	powershell.exe
1056	powershell.exe
1144	powershell.exe
856	powershell.exe
3200	powershell.exe
1144	powershell.exe
3388	Idle.exe
4936	Idle.exe
5104	Idle.exe
212	Idle.exe
2236	Idle.exe
2820	Idle.exe
4888	Idle.exe
3352	Idle.exe
3896	Idle.exe
1144	Idle.exe
3580	Idle.exe
4900	Idle.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1836	DllCommonsvc.exe
Token: SeDebugPrivilege	3956	powershell.exe
Token: SeDebugPrivilege	856	powershell.exe
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeDebugPrivilege	492	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	2084	Idle.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeIncreaseQuotaPrivilege	1360	powershell.exe
Token: SeSecurityPrivilege	1360	powershell.exe
Token: SeTakeOwnershipPrivilege	1360	powershell.exe
Token: SeLoadDriverPrivilege	1360	powershell.exe
Token: SeSystemProfilePrivilege	1360	powershell.exe
Token: SeSystemtimePrivilege	1360	powershell.exe
Token: SeProfSingleProcessPrivilege	1360	powershell.exe
Token: SeIncBasePriorityPrivilege	1360	powershell.exe
Token: SeCreatePagefilePrivilege	1360	powershell.exe
Token: SeBackupPrivilege	1360	powershell.exe
Token: SeRestorePrivilege	1360	powershell.exe
Token: SeShutdownPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeSystemEnvironmentPrivilege	1360	powershell.exe
Token: SeRemoteShutdownPrivilege	1360	powershell.exe
Token: SeUndockPrivilege	1360	powershell.exe
Token: SeManageVolumePrivilege	1360	powershell.exe
Token: 33	1360	powershell.exe
Token: 34	1360	powershell.exe
Token: 35	1360	powershell.exe
Token: 36	1360	powershell.exe
Token: SeIncreaseQuotaPrivilege	492	powershell.exe
Token: SeSecurityPrivilege	492	powershell.exe
Token: SeTakeOwnershipPrivilege	492	powershell.exe
Token: SeLoadDriverPrivilege	492	powershell.exe
Token: SeSystemProfilePrivilege	492	powershell.exe
Token: SeSystemtimePrivilege	492	powershell.exe
Token: SeProfSingleProcessPrivilege	492	powershell.exe
Token: SeIncBasePriorityPrivilege	492	powershell.exe
Token: SeCreatePagefilePrivilege	492	powershell.exe
Token: SeBackupPrivilege	492	powershell.exe
Token: SeRestorePrivilege	492	powershell.exe
Token: SeShutdownPrivilege	492	powershell.exe
Token: SeDebugPrivilege	492	powershell.exe
Token: SeSystemEnvironmentPrivilege	492	powershell.exe
Token: SeRemoteShutdownPrivilege	492	powershell.exe
Token: SeUndockPrivilege	492	powershell.exe
Token: SeManageVolumePrivilege	492	powershell.exe
Token: 33	492	powershell.exe
Token: 34	492	powershell.exe
Token: 35	492	powershell.exe
Token: 36	492	powershell.exe
Token: SeIncreaseQuotaPrivilege	3956	powershell.exe
Token: SeSecurityPrivilege	3956	powershell.exe
Token: SeTakeOwnershipPrivilege	3956	powershell.exe
Token: SeLoadDriverPrivilege	3956	powershell.exe
Token: SeSystemProfilePrivilege	3956	powershell.exe
Token: SeSystemtimePrivilege	3956	powershell.exe
Token: SeProfSingleProcessPrivilege	3956	powershell.exe
Token: SeIncBasePriorityPrivilege	3956	powershell.exe
Token: SeCreatePagefilePrivilege	3956	powershell.exe
Token: SeBackupPrivilege	3956	powershell.exe
Token: SeRestorePrivilege	3956	powershell.exe
Token: SeShutdownPrivilege	3956	powershell.exe
Token: SeDebugPrivilege	3956	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 4900	3540	5710c81f46196bc58638f4ae9791cfe3003ccfe74a93882fa0a4f1906b1df23e.exe	66
PID 3540 wrote to memory of 4900	3540	5710c81f46196bc58638f4ae9791cfe3003ccfe74a93882fa0a4f1906b1df23e.exe	66
PID 3540 wrote to memory of 4900	3540	5710c81f46196bc58638f4ae9791cfe3003ccfe74a93882fa0a4f1906b1df23e.exe	66
PID 4900 wrote to memory of 3964	4900	WScript.exe	67
PID 4900 wrote to memory of 3964	4900	WScript.exe	67
PID 4900 wrote to memory of 3964	4900	WScript.exe	67
PID 3964 wrote to memory of 1836	3964	cmd.exe	69
PID 3964 wrote to memory of 1836	3964	cmd.exe	69
PID 1836 wrote to memory of 856	1836	DllCommonsvc.exe	89
PID 1836 wrote to memory of 856	1836	DllCommonsvc.exe	89
PID 1836 wrote to memory of 492	1836	DllCommonsvc.exe	93
PID 1836 wrote to memory of 492	1836	DllCommonsvc.exe	93
PID 1836 wrote to memory of 3956	1836	DllCommonsvc.exe	91
PID 1836 wrote to memory of 3956	1836	DllCommonsvc.exe	91
PID 1836 wrote to memory of 3200	1836	DllCommonsvc.exe	94
PID 1836 wrote to memory of 3200	1836	DllCommonsvc.exe	94
PID 1836 wrote to memory of 1144	1836	DllCommonsvc.exe	95
PID 1836 wrote to memory of 1144	1836	DllCommonsvc.exe	95
PID 1836 wrote to memory of 1360	1836	DllCommonsvc.exe	96
PID 1836 wrote to memory of 1360	1836	DllCommonsvc.exe	96
PID 1836 wrote to memory of 1056	1836	DllCommonsvc.exe	97
PID 1836 wrote to memory of 1056	1836	DllCommonsvc.exe	97
PID 1836 wrote to memory of 2084	1836	DllCommonsvc.exe	101
PID 1836 wrote to memory of 2084	1836	DllCommonsvc.exe	101
PID 2084 wrote to memory of 1596	2084	Idle.exe	104
PID 2084 wrote to memory of 1596	2084	Idle.exe	104
PID 1596 wrote to memory of 2688	1596	cmd.exe	107
PID 1596 wrote to memory of 2688	1596	cmd.exe	107
PID 1596 wrote to memory of 3388	1596	cmd.exe	108
PID 1596 wrote to memory of 3388	1596	cmd.exe	108
PID 3388 wrote to memory of 3624	3388	Idle.exe	109
PID 3388 wrote to memory of 3624	3388	Idle.exe	109
PID 3624 wrote to memory of 3500	3624	cmd.exe	111
PID 3624 wrote to memory of 3500	3624	cmd.exe	111
PID 3624 wrote to memory of 4936	3624	cmd.exe	112
PID 3624 wrote to memory of 4936	3624	cmd.exe	112
PID 4936 wrote to memory of 4856	4936	Idle.exe	113
PID 4936 wrote to memory of 4856	4936	Idle.exe	113
PID 4856 wrote to memory of 3244	4856	cmd.exe	115
PID 4856 wrote to memory of 3244	4856	cmd.exe	115
PID 4856 wrote to memory of 5104	4856	cmd.exe	116
PID 4856 wrote to memory of 5104	4856	cmd.exe	116
PID 5104 wrote to memory of 4628	5104	Idle.exe	117
PID 5104 wrote to memory of 4628	5104	Idle.exe	117
PID 4628 wrote to memory of 4688	4628	cmd.exe	119
PID 4628 wrote to memory of 4688	4628	cmd.exe	119
PID 4628 wrote to memory of 212	4628	cmd.exe	120
PID 4628 wrote to memory of 212	4628	cmd.exe	120
PID 212 wrote to memory of 2724	212	Idle.exe	121
PID 212 wrote to memory of 2724	212	Idle.exe	121
PID 2724 wrote to memory of 2476	2724	cmd.exe	123
PID 2724 wrote to memory of 2476	2724	cmd.exe	123
PID 2724 wrote to memory of 2236	2724	cmd.exe	124
PID 2724 wrote to memory of 2236	2724	cmd.exe	124
PID 2236 wrote to memory of 2736	2236	Idle.exe	125
PID 2236 wrote to memory of 2736	2236	Idle.exe	125
PID 2736 wrote to memory of 1432	2736	cmd.exe	127
PID 2736 wrote to memory of 1432	2736	cmd.exe	127
PID 2736 wrote to memory of 2820	2736	cmd.exe	128
PID 2736 wrote to memory of 2820	2736	cmd.exe	128
PID 2820 wrote to memory of 1192	2820	Idle.exe	129
PID 2820 wrote to memory of 1192	2820	Idle.exe	129
PID 1192 wrote to memory of 1612	1192	cmd.exe	131
PID 1192 wrote to memory of 1612	1192	cmd.exe	131

C:\Users\Admin\AppData\Local\Temp\5710c81f46196bc58638f4ae9791cfe3003ccfe74a93882fa0a4f1906b1df23e.exe
"C:\Users\Admin\AppData\Local\Temp\5710c81f46196bc58638f4ae9791cfe3003ccfe74a93882fa0a4f1906b1df23e.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3964
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1360
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
    - - C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2084
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lcLsEvVTrf.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2688
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3500
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8NcI1AeIbp.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:3244
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B4BP5ZSgoJ.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:4688
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hevtjRcN1r.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2476
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1432
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtQmBjXbDh.bat"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1612
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4888
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2K3DLFE7WC.bat"
        20⤵
        
        PID:492
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2860
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3352
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\19YD2Vui68.bat"
        22⤵
        
        PID:2812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1360
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\19YD2Vui68.bat"
        24⤵
        
        PID:1864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1428
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\19YD2Vui68.bat"
        26⤵
        
        PID:1564
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:4284
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        27⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat"
        28⤵
        
        PID:4296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:2312
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        29⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\odt\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\providercommon\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Idle.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
246694a613262d9e401f6be4615dff88

SHA1
40c86e65658237804991ec9c493649313a959656

SHA256
0d8527acc24a3fd358d629c9108f4863efb773b299a67f265b0075b394bd60d0

SHA512
0135b3e9ef9f1085a518c076abaaa5e12bcebbbd2ab7ebd8948c894ceac59e763e6d4c0ceb089011197523c492286cb0ae04a5a2d38bb2cdf2b16f79d4d611b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3d72db63dec8b8e84e8a1155e8e0ca96

SHA1
b4728a0fc4a47592806b3da1d30eb0291c4d05d1

SHA256
a1e91ce3b1f6b419c88a0b371225a6fac03881b39c8184bf2ff65129a00ed6d2

SHA512
5aef675942f6157ab2d678c7ce800360488c0948be42577574afec0486c5ce903802e4971b80ede2fddb131b8ac8c81b022233f88b0210cdc7835739465f1c1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
adafd9839e3eb46afcc50871094f0847

SHA1
da156dc3bc57450a385e168019fb1c972d9dc89e

SHA256
4e1101e4e48deb3e5023ab8a1756ef14fbd3501a9cee599a404a73b4b94c1c19

SHA512
b84e5ba93552439979df604f7f6bed3847ab0371aee67b18e39e00b74a2ba815a4b39906d7f99711f766a22b5c76d83c1d4f3611e95051ea4c53862bf0c59079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
adafd9839e3eb46afcc50871094f0847

SHA1
da156dc3bc57450a385e168019fb1c972d9dc89e

SHA256
4e1101e4e48deb3e5023ab8a1756ef14fbd3501a9cee599a404a73b4b94c1c19

SHA512
b84e5ba93552439979df604f7f6bed3847ab0371aee67b18e39e00b74a2ba815a4b39906d7f99711f766a22b5c76d83c1d4f3611e95051ea4c53862bf0c59079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
adafd9839e3eb46afcc50871094f0847

SHA1
da156dc3bc57450a385e168019fb1c972d9dc89e

SHA256
4e1101e4e48deb3e5023ab8a1756ef14fbd3501a9cee599a404a73b4b94c1c19

SHA512
b84e5ba93552439979df604f7f6bed3847ab0371aee67b18e39e00b74a2ba815a4b39906d7f99711f766a22b5c76d83c1d4f3611e95051ea4c53862bf0c59079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
aa9142eac61aeb9c23f78d6d0f9f99f7

SHA1
196dea5e18f1d1f77a732e150930c41d2ab3b251

SHA256
41ade7e849cbfe46f7d3bab040af267455b9fbf928d7fc65daf2a19d5f7b2296

SHA512
f4a94ec5377f979a95cef44b038624c521318c960cb6c8e549bcff646b832b1cdae44f2645becf6d407593d51307ea5c421d3b2ad580ce5df577d3f126c7e204

Download Submit
C:\Users\Admin\AppData\Local\Temp\19YD2Vui68.bat

Filesize
191B

MD5
007f03eda2803047a9438c4aa343482e

SHA1
4ebea0719caa7a74669c5e6d94705327fab14cf5

SHA256
d5a6920af1c12857f4a7784c506670f5eaa59732f55497500976ee49cfce7806

SHA512
b8e1b80d741aaaaa84985da480a2df6b541a3d28d46f522949125cb37c4fbceefd43cf384401f960bd732e4061cc4eeb405f03611564262c25122f04e811c838

Download Submit
C:\Users\Admin\AppData\Local\Temp\19YD2Vui68.bat

Filesize
191B

MD5
007f03eda2803047a9438c4aa343482e

SHA1
4ebea0719caa7a74669c5e6d94705327fab14cf5

SHA256
d5a6920af1c12857f4a7784c506670f5eaa59732f55497500976ee49cfce7806

SHA512
b8e1b80d741aaaaa84985da480a2df6b541a3d28d46f522949125cb37c4fbceefd43cf384401f960bd732e4061cc4eeb405f03611564262c25122f04e811c838

Download Submit
C:\Users\Admin\AppData\Local\Temp\19YD2Vui68.bat

Filesize
191B

MD5
007f03eda2803047a9438c4aa343482e

SHA1
4ebea0719caa7a74669c5e6d94705327fab14cf5

SHA256
d5a6920af1c12857f4a7784c506670f5eaa59732f55497500976ee49cfce7806

SHA512
b8e1b80d741aaaaa84985da480a2df6b541a3d28d46f522949125cb37c4fbceefd43cf384401f960bd732e4061cc4eeb405f03611564262c25122f04e811c838

Download Submit
C:\Users\Admin\AppData\Local\Temp\2K3DLFE7WC.bat

Filesize
191B

MD5
257acd3547896c3819749061e9584c1d

SHA1
5475b90f94996d0d5a8d322c1d6790faa272c67b

SHA256
f6c631f624b9137ec048000eaa588a26c7a4df80987805a76b6fcaa8c8b937a7

SHA512
0a3d46a91dab08744d2e30be25f5c96ed07582e4f2961741bd01632cc9d00bd8d5f28e7244d7a35192ef3e06c677443fe8347e3f3218e04cbd52d5ab171bf1c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\8NcI1AeIbp.bat

Filesize
191B

MD5
ff35cb428c231d99d4e3d32394b2f4a5

SHA1
3beae0b59b5b152db0d184600bb5b7fe6ac958b7

SHA256
7bd05c1658bbc38e13795e7e3c76aa45522e1eafa267676e6b0a5b92177655bd

SHA512
a8434146c557d50dbaf50936d8dc02af67c359a89308fe030740d9f18aebd9d2c17281b6681c0b703ba2d6be4e3c1fe2aa8d3e2c26ff977fd594510f0c860315

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4BP5ZSgoJ.bat

Filesize
191B

MD5
176555f49c13e7db98140d0ec9441be3

SHA1
eb329bef27b333be1dbd8ea0a6085a17f4256f78

SHA256
e479bdb52e6a8b5c61e15937e72c5ab2a83da5ea99a1fd243384ba25d2d53d00

SHA512
ec5afb9ff17877d896c33d32b989bfc9d6e4c23a97b8de157de4750fba046f6b14ac92e9d56e8c4f289b574b789c067dbeba15e8c59893e272cec426b60350c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat

Filesize
191B

MD5
a35db4458c4f3c10ed949697ea5cd0f5

SHA1
153c490b5d5764ccded0da43944412acd497bdf9

SHA256
490c8fb99ad61e342cbf3021f13648f64b66ba51d3884e0b4112f173af68a715

SHA512
9631bd331c7c85472df2a82e2606c45bdf8a176b480d1a4c94083501cc348fd5846b0d601c7caf5667ba0209c2962e9426a9cdec47a4da7991be1b94153f6570

Download Submit
C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat

Filesize
191B

MD5
a35db4458c4f3c10ed949697ea5cd0f5

SHA1
153c490b5d5764ccded0da43944412acd497bdf9

SHA256
490c8fb99ad61e342cbf3021f13648f64b66ba51d3884e0b4112f173af68a715

SHA512
9631bd331c7c85472df2a82e2606c45bdf8a176b480d1a4c94083501cc348fd5846b0d601c7caf5667ba0209c2962e9426a9cdec47a4da7991be1b94153f6570

Download Submit
C:\Users\Admin\AppData\Local\Temp\WtQmBjXbDh.bat

Filesize
191B

MD5
e6675b322a0b144036d9161fd17772f2

SHA1
5acc620ef9ea7ae8b4353028767ea40e773166e8

SHA256
9c6db568fb272a4ebb3351a9b211408a735c6259ec258a0265e88b243723d273

SHA512
c920108628680c4277c9655732b21b9768d8ea14f9fda4134acdbbdcba5a0a3a1fad7df2f2af731e3c3fa657639820ff4499c0af4bb3f9481b2fd7cac9d9d5aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hevtjRcN1r.bat

Filesize
191B

MD5
87f7b1ff48d8532c710c91dec653da42

SHA1
8f34ebd898c18a349439b8aa1304c941dc5145ec

SHA256
2a60b995a22b5cb9eb7772772c578c33b5c495cd2d64fc631118d8a468840b53

SHA512
2f8e5cd0490eec5e0fad9b13238f967ddf2afe9edda6518ba1ea7417b344a123f44f0c2b0e6fb81cff51a716efe65bea2fce46c5c2f69c5b9e9407c249416607

Download Submit
C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat

Filesize
191B

MD5
7f1711869d87d99132db9f7f84c22e07

SHA1
5d276b2c24b5d442d77f4435a22f938724744924

SHA256
b036a03f4bddbf868b5e2d052a044239377da9e855ff3ece9be9b51665d72cd5

SHA512
5354d487ee35646b553206dbdfb7e8830b025a7353fb14030708cf11faa3d68059b6207b3636a7794d3e24cc9e8ca1608e604dab6fe36fe4026a6bef7e99122c

Download Submit
C:\Users\Admin\AppData\Local\Temp\lcLsEvVTrf.bat

Filesize
191B

MD5
ec740ef0fa5a5378471778f207baa922

SHA1
dbcf0209ff0a033dbb64862321e586d7611cc4d9

SHA256
60fe93694c57b2ffacd1afc4c65da4b13e5f3486767679785ca89850e00d9215

SHA512
a97212ccabdc613982a93d7b4a4df7e41f6ddd440f357c8307ccf8b8c781ac72a0eee54a6776c6ef382d9c0f28fe7ec62c2faa0c606a06800e228b16bd0f7473

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\Idle.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\Idle.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\Idle.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\Idle.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\Idle.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\Idle.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\Idle.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\Idle.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\Idle.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\Idle.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\Idle.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\Idle.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\Idle.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\Idle.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/856-327-0x000001E86C090000-0x000001E86C0B2000-memory.dmp

Filesize
136KB

Download
memory/1144-593-0x0000000000C30000-0x0000000000C42000-memory.dmp

Filesize
72KB

Download
memory/1360-334-0x000001FC7A530000-0x000001FC7A5A6000-memory.dmp

Filesize
472KB

Download
memory/1836-285-0x0000000000C40000-0x0000000000C52000-memory.dmp

Filesize
72KB

Download
memory/1836-287-0x0000000000C60000-0x0000000000C6C000-memory.dmp

Filesize
48KB

Download
memory/1836-286-0x0000000000C50000-0x0000000000C5C000-memory.dmp

Filesize
48KB

Download
memory/1836-288-0x0000000000CC0000-0x0000000000CCC000-memory.dmp

Filesize
48KB

Download
memory/1836-284-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2084-328-0x0000000001570000-0x0000000001582000-memory.dmp

Filesize
72KB

Download
memory/2236-567-0x0000000000D30000-0x0000000000D42000-memory.dmp

Filesize
72KB

Download
memory/3540-164-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-118-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-170-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-168-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-169-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-172-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-167-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-166-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-165-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-119-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-163-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-173-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-162-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-161-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-160-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-159-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-158-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-157-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-156-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-120-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-155-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-154-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-121-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-153-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-174-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-123-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-152-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-124-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-126-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-151-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-175-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-127-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-150-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-128-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-149-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-129-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-148-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-147-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-176-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-146-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-177-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-171-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-145-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-178-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-179-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-144-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-143-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-180-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-142-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-141-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-140-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-139-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-130-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-138-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-137-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-136-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-181-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-131-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-135-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-132-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-134-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3540-133-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/3580-599-0x0000000000BB0000-0x0000000000BC2000-memory.dmp

Filesize
72KB

Download
memory/4900-183-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4900-184-0x0000000077550000-0x00000000776DE000-memory.dmp

Filesize
1.6MB

Download
memory/4900-605-0x0000000001490000-0x00000000014A2000-memory.dmp

Filesize
72KB

Download
memory/4936-551-0x00000000021B0000-0x00000000021C2000-memory.dmp

Filesize
72KB

Download