dcrat | 8beebff0c896bca3753f207338bd093b3edd6a2c6f77bfb6ef7ddfb0f8f87540

Analysis

max time kernel
145s
max time network
143s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
02-02-2023 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8beebff0c896bca3753f207338bd093b3edd6a2c6f77bfb6ef7ddfb0f8f87540.exe
Size

1.3MB
MD5

9e3d19ebba6356efb4c1858a8a86090d
SHA1

b4082ef25a68a18b814d62ec81f0d431158c8611
SHA256

8beebff0c896bca3753f207338bd093b3edd6a2c6f77bfb6ef7ddfb0f8f87540
SHA512

055e144103b7205821e4a4763a29628f9517ff9010e7c492ec2cf4bf81658ddf1d53f03a4ed97803c02c4a783f3f24e62353f891b949401257d532909e863f56
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	5068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3628	5068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	5068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	5068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3976	5068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3224	5068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3276	5068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	5068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	5068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	5068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	5068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	5068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	5068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	5068	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	5068	schtasks.exe

DCRat payload 17 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral1/memory/4012-286-0x0000000000BD0000-0x0000000000CE0000-memory.dmp	dcrat
C:\providercommon\cmd.exe	dcrat
C:\providercommon\cmd.exe	dcrat
C:\providercommon\cmd.exe	dcrat
C:\providercommon\cmd.exe	dcrat
C:\providercommon\cmd.exe	dcrat
C:\providercommon\cmd.exe	dcrat
C:\providercommon\cmd.exe	dcrat
C:\providercommon\cmd.exe	dcrat
C:\providercommon\cmd.exe	dcrat
C:\providercommon\cmd.exe	dcrat
C:\providercommon\cmd.exe	dcrat
C:\providercommon\cmd.exe	dcrat
C:\providercommon\cmd.exe	dcrat
C:\providercommon\cmd.exe	dcrat

Executes dropped EXE 14 IoCs

Processes:

DllCommonsvc.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

pid	process
4012	DllCommonsvc.exe
1016	cmd.exe
872	cmd.exe
4860	cmd.exe
96	cmd.exe
956	cmd.exe
4220	cmd.exe
3308	cmd.exe
4536	cmd.exe
1468	cmd.exe
668	cmd.exe
2176	cmd.exe
4436	cmd.exe
2080	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 4 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\System\en-US\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\f8c8f1285d826b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\System\en-US\sppsvc.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Windows\RemotePackages\RemoteApps\lsass.exe	DllCommonsvc.exe
File created	C:\Windows\RemotePackages\RemoteApps\6203df4a6bafc7	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3628	schtasks.exe
4720	schtasks.exe
4568	schtasks.exe
5084	schtasks.exe
4648	schtasks.exe
4564	schtasks.exe
4584	schtasks.exe
3976	schtasks.exe
4596	schtasks.exe
4672	schtasks.exe
4424	schtasks.exe
3276	schtasks.exe
4556	schtasks.exe
3080	schtasks.exe
3224	schtasks.exe

Modifies registry class 13 IoCs

Processes:

cmd.exe8beebff0c896bca3753f207338bd093b3edd6a2c6f77bfb6ef7ddfb0f8f87540.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	8beebff0c896bca3753f207338bd093b3edd6a2c6f77bfb6ef7ddfb0f8f87540.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

pid	process
4012	DllCommonsvc.exe
4012	DllCommonsvc.exe
4012	DllCommonsvc.exe
4012	DllCommonsvc.exe
4012	DllCommonsvc.exe
4012	DllCommonsvc.exe
4012	DllCommonsvc.exe
4012	DllCommonsvc.exe
4012	DllCommonsvc.exe
2264	powershell.exe
2624	powershell.exe
3212	powershell.exe
4732	powershell.exe
4708	powershell.exe
2624	powershell.exe
3228	powershell.exe
1016	cmd.exe
2624	powershell.exe
3212	powershell.exe
2264	powershell.exe
3228	powershell.exe
4732	powershell.exe
4708	powershell.exe
2264	powershell.exe
3212	powershell.exe
3228	powershell.exe
4732	powershell.exe
4708	powershell.exe
872	cmd.exe
4860	cmd.exe
96	cmd.exe
956	cmd.exe
4220	cmd.exe
3308	cmd.exe
4536	cmd.exe
1468	cmd.exe
668	cmd.exe
2176	cmd.exe
4436	cmd.exe
2080	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.execmd.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4012	DllCommonsvc.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	3212	powershell.exe
Token: SeDebugPrivilege	1016	cmd.exe
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeDebugPrivilege	4708	powershell.exe
Token: SeDebugPrivilege	3228	powershell.exe
Token: SeIncreaseQuotaPrivilege	2624	powershell.exe
Token: SeSecurityPrivilege	2624	powershell.exe
Token: SeTakeOwnershipPrivilege	2624	powershell.exe
Token: SeLoadDriverPrivilege	2624	powershell.exe
Token: SeSystemProfilePrivilege	2624	powershell.exe
Token: SeSystemtimePrivilege	2624	powershell.exe
Token: SeProfSingleProcessPrivilege	2624	powershell.exe
Token: SeIncBasePriorityPrivilege	2624	powershell.exe
Token: SeCreatePagefilePrivilege	2624	powershell.exe
Token: SeBackupPrivilege	2624	powershell.exe
Token: SeRestorePrivilege	2624	powershell.exe
Token: SeShutdownPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeSystemEnvironmentPrivilege	2624	powershell.exe
Token: SeRemoteShutdownPrivilege	2624	powershell.exe
Token: SeUndockPrivilege	2624	powershell.exe
Token: SeManageVolumePrivilege	2624	powershell.exe
Token: 33	2624	powershell.exe
Token: 34	2624	powershell.exe
Token: 35	2624	powershell.exe
Token: 36	2624	powershell.exe
Token: SeIncreaseQuotaPrivilege	2264	powershell.exe
Token: SeSecurityPrivilege	2264	powershell.exe
Token: SeTakeOwnershipPrivilege	2264	powershell.exe
Token: SeLoadDriverPrivilege	2264	powershell.exe
Token: SeSystemProfilePrivilege	2264	powershell.exe
Token: SeSystemtimePrivilege	2264	powershell.exe
Token: SeProfSingleProcessPrivilege	2264	powershell.exe
Token: SeIncBasePriorityPrivilege	2264	powershell.exe
Token: SeCreatePagefilePrivilege	2264	powershell.exe
Token: SeBackupPrivilege	2264	powershell.exe
Token: SeRestorePrivilege	2264	powershell.exe
Token: SeShutdownPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeSystemEnvironmentPrivilege	2264	powershell.exe
Token: SeRemoteShutdownPrivilege	2264	powershell.exe
Token: SeUndockPrivilege	2264	powershell.exe
Token: SeManageVolumePrivilege	2264	powershell.exe
Token: 33	2264	powershell.exe
Token: 34	2264	powershell.exe
Token: 35	2264	powershell.exe
Token: 36	2264	powershell.exe
Token: SeIncreaseQuotaPrivilege	3212	powershell.exe
Token: SeSecurityPrivilege	3212	powershell.exe
Token: SeTakeOwnershipPrivilege	3212	powershell.exe
Token: SeLoadDriverPrivilege	3212	powershell.exe
Token: SeSystemProfilePrivilege	3212	powershell.exe
Token: SeSystemtimePrivilege	3212	powershell.exe
Token: SeProfSingleProcessPrivilege	3212	powershell.exe
Token: SeIncBasePriorityPrivilege	3212	powershell.exe
Token: SeCreatePagefilePrivilege	3212	powershell.exe
Token: SeBackupPrivilege	3212	powershell.exe
Token: SeRestorePrivilege	3212	powershell.exe
Token: SeShutdownPrivilege	3212	powershell.exe
Token: SeDebugPrivilege	3212	powershell.exe
Token: SeSystemEnvironmentPrivilege	3212	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8beebff0c896bca3753f207338bd093b3edd6a2c6f77bfb6ef7ddfb0f8f87540.exeWScript.execmd.exeDllCommonsvc.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2412 wrote to memory of 1884	2412	8beebff0c896bca3753f207338bd093b3edd6a2c6f77bfb6ef7ddfb0f8f87540.exe	WScript.exe
PID 2412 wrote to memory of 1884	2412	8beebff0c896bca3753f207338bd093b3edd6a2c6f77bfb6ef7ddfb0f8f87540.exe	WScript.exe
PID 2412 wrote to memory of 1884	2412	8beebff0c896bca3753f207338bd093b3edd6a2c6f77bfb6ef7ddfb0f8f87540.exe	WScript.exe
PID 1884 wrote to memory of 4344	1884	WScript.exe	cmd.exe
PID 1884 wrote to memory of 4344	1884	WScript.exe	cmd.exe
PID 1884 wrote to memory of 4344	1884	WScript.exe	cmd.exe
PID 4344 wrote to memory of 4012	4344	cmd.exe	DllCommonsvc.exe
PID 4344 wrote to memory of 4012	4344	cmd.exe	DllCommonsvc.exe
PID 4012 wrote to memory of 2624	4012	DllCommonsvc.exe	powershell.exe
PID 4012 wrote to memory of 2624	4012	DllCommonsvc.exe	powershell.exe
PID 4012 wrote to memory of 2264	4012	DllCommonsvc.exe	powershell.exe
PID 4012 wrote to memory of 2264	4012	DllCommonsvc.exe	powershell.exe
PID 4012 wrote to memory of 3212	4012	DllCommonsvc.exe	powershell.exe
PID 4012 wrote to memory of 3212	4012	DllCommonsvc.exe	powershell.exe
PID 4012 wrote to memory of 4708	4012	DllCommonsvc.exe	powershell.exe
PID 4012 wrote to memory of 4708	4012	DllCommonsvc.exe	powershell.exe
PID 4012 wrote to memory of 4732	4012	DllCommonsvc.exe	powershell.exe
PID 4012 wrote to memory of 4732	4012	DllCommonsvc.exe	powershell.exe
PID 4012 wrote to memory of 3228	4012	DllCommonsvc.exe	powershell.exe
PID 4012 wrote to memory of 3228	4012	DllCommonsvc.exe	powershell.exe
PID 4012 wrote to memory of 1016	4012	DllCommonsvc.exe	cmd.exe
PID 4012 wrote to memory of 1016	4012	DllCommonsvc.exe	cmd.exe
PID 1016 wrote to memory of 1620	1016	cmd.exe	cmd.exe
PID 1016 wrote to memory of 1620	1016	cmd.exe	cmd.exe
PID 1620 wrote to memory of 3248	1620	cmd.exe	w32tm.exe
PID 1620 wrote to memory of 3248	1620	cmd.exe	w32tm.exe
PID 1620 wrote to memory of 872	1620	cmd.exe	cmd.exe
PID 1620 wrote to memory of 872	1620	cmd.exe	cmd.exe
PID 872 wrote to memory of 208	872	cmd.exe	cmd.exe
PID 872 wrote to memory of 208	872	cmd.exe	cmd.exe
PID 208 wrote to memory of 4456	208	cmd.exe	w32tm.exe
PID 208 wrote to memory of 4456	208	cmd.exe	w32tm.exe
PID 208 wrote to memory of 4860	208	cmd.exe	cmd.exe
PID 208 wrote to memory of 4860	208	cmd.exe	cmd.exe
PID 4860 wrote to memory of 2648	4860	cmd.exe	cmd.exe
PID 4860 wrote to memory of 2648	4860	cmd.exe	cmd.exe
PID 2648 wrote to memory of 3396	2648	cmd.exe	w32tm.exe
PID 2648 wrote to memory of 3396	2648	cmd.exe	w32tm.exe
PID 2648 wrote to memory of 96	2648	cmd.exe	cmd.exe
PID 2648 wrote to memory of 96	2648	cmd.exe	cmd.exe
PID 96 wrote to memory of 4908	96	cmd.exe	cmd.exe
PID 96 wrote to memory of 4908	96	cmd.exe	cmd.exe
PID 4908 wrote to memory of 1660	4908	cmd.exe	w32tm.exe
PID 4908 wrote to memory of 1660	4908	cmd.exe	w32tm.exe
PID 4908 wrote to memory of 956	4908	cmd.exe	cmd.exe
PID 4908 wrote to memory of 956	4908	cmd.exe	cmd.exe
PID 956 wrote to memory of 2636	956	cmd.exe	cmd.exe
PID 956 wrote to memory of 2636	956	cmd.exe	cmd.exe
PID 2636 wrote to memory of 4956	2636	cmd.exe	w32tm.exe
PID 2636 wrote to memory of 4956	2636	cmd.exe	w32tm.exe
PID 2636 wrote to memory of 4220	2636	cmd.exe	cmd.exe
PID 2636 wrote to memory of 4220	2636	cmd.exe	cmd.exe
PID 4220 wrote to memory of 736	4220	cmd.exe	cmd.exe
PID 4220 wrote to memory of 736	4220	cmd.exe	cmd.exe
PID 736 wrote to memory of 5088	736	cmd.exe	w32tm.exe
PID 736 wrote to memory of 5088	736	cmd.exe	w32tm.exe
PID 736 wrote to memory of 3308	736	cmd.exe	cmd.exe
PID 736 wrote to memory of 3308	736	cmd.exe	cmd.exe
PID 3308 wrote to memory of 4616	3308	cmd.exe	cmd.exe
PID 3308 wrote to memory of 4616	3308	cmd.exe	cmd.exe
PID 4616 wrote to memory of 4808	4616	cmd.exe	w32tm.exe
PID 4616 wrote to memory of 4808	4616	cmd.exe	w32tm.exe
PID 4616 wrote to memory of 4536	4616	cmd.exe	cmd.exe
PID 4616 wrote to memory of 4536	4616	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\8beebff0c896bca3753f207338bd093b3edd6a2c6f77bfb6ef7ddfb0f8f87540.exe
"C:\Users\Admin\AppData\Local\Temp\8beebff0c896bca3753f207338bd093b3edd6a2c6f77bfb6ef7ddfb0f8f87540.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4344

C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteApps\lsass.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\System\en-US\sppsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3228

C:\providercommon\cmd.exe
"C:\providercommon\cmd.exe"
5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TZCyxGcg3L.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:3248

C:\providercommon\cmd.exe
"C:\providercommon\cmd.exe"
7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5mXdMdden9.bat"
8⤵
- Suspicious use of WriteProcessMemory
PID:208

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
9⤵
PID:4456

C:\providercommon\cmd.exe
"C:\providercommon\cmd.exe"
9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat"
10⤵
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
11⤵
PID:3396

C:\providercommon\cmd.exe
"C:\providercommon\cmd.exe"
11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:96

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WVE2eLfZN7.bat"
12⤵
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
13⤵
PID:1660

C:\providercommon\cmd.exe
"C:\providercommon\cmd.exe"
13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat"
14⤵
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
15⤵
PID:4956

C:\providercommon\cmd.exe
"C:\providercommon\cmd.exe"
15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4220

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z3bbUpz34c.bat"
16⤵
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
17⤵
PID:5088

C:\providercommon\cmd.exe
"C:\providercommon\cmd.exe"
17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3308

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o4pIGJu18c.bat"
18⤵
- Suspicious use of WriteProcessMemory
PID:4616

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
19⤵
PID:4808

C:\providercommon\cmd.exe
"C:\providercommon\cmd.exe"
19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4536

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\15yWIDpGaf.bat"
20⤵
PID:4760

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
21⤵
PID:1372

C:\providercommon\cmd.exe
"C:\providercommon\cmd.exe"
21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1468

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2zdeBu3xOP.bat"
22⤵
PID:4768

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
23⤵
PID:2124

C:\providercommon\cmd.exe
"C:\providercommon\cmd.exe"
23⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:668

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Dk8ljd7jBY.bat"
24⤵
PID:3080

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
25⤵
PID:4748

C:\providercommon\cmd.exe
"C:\providercommon\cmd.exe"
25⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2176

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XFk51gP3Gp.bat"
26⤵
PID:2016

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
27⤵
PID:4912

C:\providercommon\cmd.exe
"C:\providercommon\cmd.exe"
27⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4436

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x7ZYnkvAkq.bat"
28⤵
PID:3372

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
29⤵
PID:4076

C:\providercommon\cmd.exe
"C:\providercommon\cmd.exe"
29⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\RemotePackages\RemoteApps\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\RemotePackages\RemoteApps\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\System\en-US\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\en-US\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\System\en-US\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cmd.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
82bff92d443b1ba612bbdd5fc3bba58f

SHA1
784dd12771a5bb87571c5c93f98a9a884b44bd73

SHA256
ccd899d1ace726ca571539ea97b1324a32859257eba762cbd7084b0706ee091b

SHA512
2422ef8d879907b78824dde7c9875366a1763bf0b59704e5526339e7783e91d3f1f457ac9f31a48cee6edda15adf56340f6ed2582af7d3a5d6bf934ea4b37426

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
82bff92d443b1ba612bbdd5fc3bba58f

SHA1
784dd12771a5bb87571c5c93f98a9a884b44bd73

SHA256
ccd899d1ace726ca571539ea97b1324a32859257eba762cbd7084b0706ee091b

SHA512
2422ef8d879907b78824dde7c9875366a1763bf0b59704e5526339e7783e91d3f1f457ac9f31a48cee6edda15adf56340f6ed2582af7d3a5d6bf934ea4b37426

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7f9009b3c8456155366c4a64cc17f70a

SHA1
18ebe2aa4b1aa13e1705ae9bb6708c4908d9e508

SHA256
8f9344b743336c0c0aedd6aeee27281d155fb2b57f2bfb7818dd79e55c5ac41d

SHA512
3ac0c1dc6e1cefdb1dd60651a1911e0a5b51a3aac0dd6fe39ff58aa0ce2240aa55555f988dc276c717e304b1e17b6e05009196b89c7a568852cd2968f39c97c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7f9009b3c8456155366c4a64cc17f70a

SHA1
18ebe2aa4b1aa13e1705ae9bb6708c4908d9e508

SHA256
8f9344b743336c0c0aedd6aeee27281d155fb2b57f2bfb7818dd79e55c5ac41d

SHA512
3ac0c1dc6e1cefdb1dd60651a1911e0a5b51a3aac0dd6fe39ff58aa0ce2240aa55555f988dc276c717e304b1e17b6e05009196b89c7a568852cd2968f39c97c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
99d77dab0d05f6a2f4db3fcc85ca9a7a

SHA1
cf79cbcb0180659eb179ee8fe15da2348b32b700

SHA256
58695cee4364918bdc363a273e580e14c3dafaf250700b0e2b7d3c8f71c3cb8d

SHA512
d2c0f56eb5447cabaf85c2b32720f75884607fb63791ae019028190b7376da190e62e06927f59fe0c5474f170d25409aaaa874983f3c9b85ffea71839db147ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\15yWIDpGaf.bat

Filesize
190B

MD5
a080d7ee07739986c795ab9efc12cbdf

SHA1
2f3a58dafff8e41e42fde9cd4c519359378df38a

SHA256
0a8d8440f18683da0be46b4329ac3d5497e92f969d6d464389590565de145177

SHA512
ddf85f0621a2737a42c58b9eae3ee3a171389349071e4414300d1f151847e3420c7c69675b3ca7bb4b6383491abc693a51390546a956dbbd9069d68a28d715e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2zdeBu3xOP.bat

Filesize
190B

MD5
d43b24076a05c3ecac8e1c65ad0a7826

SHA1
6c8fb07a39657f4cc8d528164c5753d2f4ffa51f

SHA256
ceca90b12fc58884f4793573e7ab5bd781ef88be06536b793a8988bdc6b33843

SHA512
35c470ca08056506cf797841aa4195e1be6822191d1759ee7b7f4e27d1d60136d311ea1f0a2544633589a76f8923398fcd75c2570c1eca8161dd02ccc2e71be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat

Filesize
190B

MD5
756557e4e561a046a0f032379357bd64

SHA1
b88257043cc5bb837f07e40614f5c887e88151c3

SHA256
835c0d418bb8f964f3ce892741029a1f9a75c236ef38bbfaeb7d685137a84ff1

SHA512
63bddaef0b8e044f0de9bbf858d157720fc2647889ded977c03a00ba7e6a889286cb612342350f661d87d263e14a9b7b53fdf627a1587073c993724d4e5d81e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5mXdMdden9.bat

Filesize
190B

MD5
9d33e906e2506af3be6b5b8e9399dec3

SHA1
21746089ea5de5ff7aa176c50aaf3306e121d02d

SHA256
e48e63fea027dfdc3956e928e11a46c4fcd49a3d1c027a6a8ce24201e452d001

SHA512
a9d8a32d98e0a1c7812605d2572c30f60c01142b8f6d61f36625063c9baed9ca7ccde9742b72fdc08e5265a4b6a752c51ed76e2d7b849aaf76c5fbd79a13d93a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat

Filesize
190B

MD5
149ee34573efbd00643a0c949bbe8e8c

SHA1
88b82e7105453fa94757f8af7d458265922cb88d

SHA256
69882f5cfa93f5b85f27900c5de8074448adcfcebc7d7c88bb604e035e56554a

SHA512
af97f9822483947c388dfc750576f53ef18d6f91914827cbe4863d87acdecd338c3db42ae420f1b7a48fe45ea840ba2dd12d45163eafce7312cab19d4c79a9f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dk8ljd7jBY.bat

Filesize
190B

MD5
9aa9cc2604f7ac8c621ab452c39c0d4d

SHA1
6cd03f27cfa4de01db645df100c7604f89dd747c

SHA256
e9cfd45c9f01edb42a97ed3f93a52da7d6d680c7500136df0cebe5226ab251ab

SHA512
723582565114c7649e1f6c4665e788249a82f891a401f4d7f3bf8b2416d2f562eac9c8ea25d7d309a9371b017cd99f647b2494737c2b05269e8bbc610bd585c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TZCyxGcg3L.bat

Filesize
190B

MD5
54892e7f4ad76252838a1fdefd7b854a

SHA1
9df29463945b6404919df85e7ca437365a60c910

SHA256
b1955cd0790ff2923bb3a7e18fbde3eb53ff84d493c9ff3ccc0eba3ec8543611

SHA512
c3e337f297f64963f21203b9a8458a792e791e8b3e023e0ba134644149f996a6fc5c7c31ad9afd200d66d728298def02c6185e8c90691eded7f08fa02679af8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WVE2eLfZN7.bat

Filesize
190B

MD5
ca7be4aadaa44ca80a68d1bb74fb3be2

SHA1
f090269d255cf7cb3fdae9d42c3543baae0c8159

SHA256
8feabe6eea0cea48a773093b38f45e7e29baa78860b4dc1e5eb6ea4ec088e536

SHA512
a6bbd9b89585e7e0ab37350fbaaf6f33bcb63bda17fce3cdb49b8e899b17807e9e1e9589016e1c401a878b0c813963e72a7df9d681b2ccea610fd2f7fbcd4673

Download Submit
C:\Users\Admin\AppData\Local\Temp\XFk51gP3Gp.bat

Filesize
190B

MD5
0e0a8347bfab7216a5d030074fcabb7a

SHA1
9db386f98f49caaaf67f00072577c414ed99a7e4

SHA256
07037b5f5c0e066ecd3a9abd61ef00e42aacdd01189c03e86579f9cc7d7e2082

SHA512
f5894a6bf55cb97a704a0bfb8fb645bcceb36a7756319d243f8113867173c74635757c6c7cd0693dff7232f6f3f7b10d3ed9e1a585ec71ca48706aa744c94fea

Download Submit
C:\Users\Admin\AppData\Local\Temp\o4pIGJu18c.bat

Filesize
190B

MD5
d59c4d503f50cea6067fd57d39288e14

SHA1
9bcd5f0db9006d74ea1b8e72751faf79b2c801b3

SHA256
8dccce9b0867efa20c09114dbb7f3333530c5f101893950e55ed317076f3b143

SHA512
c41d0e98bbb2d38740cbf6c672071ae95161edf306ddac1db8cc1871b4c1309fffd082f62ba44ccc92bb07ddefbdec40d3eeb99e26f2d567563030adb6b9533b

Download Submit
C:\Users\Admin\AppData\Local\Temp\x7ZYnkvAkq.bat

Filesize
190B

MD5
a23c041d59d46b1fb73d54f8643d9b62

SHA1
2b600bdfc7b20f06cd4065bfd17aa1896662e7d2

SHA256
c26f3a2f691365e47bbc6699c9c575f5a40fd5de34b09c17c37185b3c0c60ce2

SHA512
c5bf13458634f79052570c03a7d81c1d16ef539137a9022e33cd690291e3a4a1d189a6e44a32d28fd66eea3ccaf84a4ff0505bb1207f080e95d2888a52d8be22

Download Submit
C:\Users\Admin\AppData\Local\Temp\z3bbUpz34c.bat

Filesize
190B

MD5
03bf6f0011a846df48374fabe0a81cd2

SHA1
025120e1c33d39a7f448cf59efe2eee7314472bd

SHA256
b3d6afeca4aa7e9439aae2600ef45b9041cb6aa5c69407120849030298e2bfcf

SHA512
7b1ba6df67214bae268342b40ec4c8206675e2e165ab86f7d002aae282e8aabc00851dcff774631ca22950c2819fde881d4b6e4151ef6256ab387e9d8a996e91

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\cmd.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/96-520-0x0000000000000000-mapping.dmp

Download
memory/96-522-0x0000000001730000-0x0000000001742000-memory.dmp

Filesize
72KB

Download
memory/208-512-0x0000000000000000-mapping.dmp

Download
memory/668-552-0x0000000000000000-mapping.dmp

Download
memory/736-534-0x0000000000000000-mapping.dmp

Download
memory/872-509-0x0000000000000000-mapping.dmp

Download
memory/956-528-0x0000000000E60000-0x0000000000E72000-memory.dmp

Filesize
72KB

Download
memory/956-526-0x0000000000000000-mapping.dmp

Download
memory/1016-305-0x0000000000000000-mapping.dmp

Download
memory/1372-546-0x0000000000000000-mapping.dmp

Download
memory/1468-547-0x0000000000000000-mapping.dmp

Download
memory/1620-355-0x0000000000000000-mapping.dmp

Download
memory/1660-525-0x0000000000000000-mapping.dmp

Download
memory/1884-185-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/1884-186-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/1884-184-0x0000000000000000-mapping.dmp

Download
memory/2016-560-0x0000000000000000-mapping.dmp

Download
memory/2080-568-0x0000000000000000-mapping.dmp

Download
memory/2124-551-0x0000000000000000-mapping.dmp

Download
memory/2176-559-0x0000000001120000-0x0000000001132000-memory.dmp

Filesize
72KB

Download
memory/2176-557-0x0000000000000000-mapping.dmp

Download
memory/2264-324-0x0000014E6A1B0000-0x0000014E6A1D2000-memory.dmp

Filesize
136KB

Download
memory/2264-292-0x0000000000000000-mapping.dmp

Download
memory/2412-153-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-154-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-181-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-179-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-182-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-180-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-178-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-177-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-176-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-175-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-172-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-173-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-174-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-171-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-170-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-169-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-168-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-167-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-120-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-166-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-165-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-164-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-161-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-163-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-162-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-160-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-158-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-159-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-157-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-156-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-155-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-183-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-152-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-151-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-150-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-149-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-148-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-147-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-146-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-145-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-144-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-143-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-142-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-141-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-140-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-139-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-138-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-137-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-136-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-135-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-134-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-133-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-132-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-131-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-130-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-129-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-128-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-126-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-125-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-123-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-122-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2412-121-0x00000000774F0000-0x000000007767E000-memory.dmp

Filesize
1.6MB

Download
memory/2624-291-0x0000000000000000-mapping.dmp

Download
memory/2624-327-0x000001BD79510000-0x000001BD79586000-memory.dmp

Filesize
472KB

Download
memory/2636-529-0x0000000000000000-mapping.dmp

Download
memory/2648-517-0x0000000000000000-mapping.dmp

Download
memory/3080-554-0x0000000000000000-mapping.dmp

Download
memory/3212-293-0x0000000000000000-mapping.dmp

Download
memory/3228-296-0x0000000000000000-mapping.dmp

Download
memory/3248-473-0x0000000000000000-mapping.dmp

Download
memory/3308-537-0x0000000000000000-mapping.dmp

Download
memory/3372-565-0x0000000000000000-mapping.dmp

Download
memory/3396-519-0x0000000000000000-mapping.dmp

Download
memory/4012-289-0x0000000001480000-0x000000000148C000-memory.dmp

Filesize
48KB

Download
memory/4012-287-0x00000000011E0000-0x00000000011F2000-memory.dmp

Filesize
72KB

Download
memory/4012-283-0x0000000000000000-mapping.dmp

Download
memory/4012-288-0x00000000011F0000-0x00000000011FC000-memory.dmp

Filesize
48KB

Download
memory/4012-290-0x0000000001490000-0x000000000149C000-memory.dmp

Filesize
48KB

Download
memory/4012-286-0x0000000000BD0000-0x0000000000CE0000-memory.dmp

Filesize
1.1MB

Download
memory/4076-567-0x0000000000000000-mapping.dmp

Download
memory/4220-532-0x0000000000000000-mapping.dmp

Download
memory/4344-260-0x0000000000000000-mapping.dmp

Download
memory/4436-563-0x0000000000000000-mapping.dmp

Download
memory/4456-514-0x0000000000000000-mapping.dmp

Download
memory/4536-542-0x0000000000000000-mapping.dmp

Download
memory/4616-539-0x0000000000000000-mapping.dmp

Download
memory/4708-294-0x0000000000000000-mapping.dmp

Download
memory/4732-295-0x0000000000000000-mapping.dmp

Download
memory/4748-556-0x0000000000000000-mapping.dmp

Download
memory/4760-544-0x0000000000000000-mapping.dmp

Download
memory/4768-549-0x0000000000000000-mapping.dmp

Download
memory/4808-541-0x0000000000000000-mapping.dmp

Download
memory/4860-515-0x0000000000000000-mapping.dmp

Download
memory/4908-523-0x0000000000000000-mapping.dmp

Download
memory/4912-562-0x0000000000000000-mapping.dmp

Download
memory/4956-531-0x0000000000000000-mapping.dmp

Download
memory/5088-536-0x0000000000000000-mapping.dmp

Download