dcrat | f233727c1a86228d7b7fe31c727cc660985372c2296a42dd3859b22b7ee02024

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2022, 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f233727c1a86228d7b7fe31c727cc660985372c2296a42dd3859b22b7ee02024.exe
Size

1.3MB
MD5

e83d06b7caa3e1402eaebea404a71dbb
SHA1

0e0b22024b6202befbe2f23c63b6aa18d47dc4fa
SHA256

f233727c1a86228d7b7fe31c727cc660985372c2296a42dd3859b22b7ee02024
SHA512

5a4c74663c53286ad02cee49b16f83fba4256c7b2eafcc246041acd67a1d815df5bfeb19e7ce3c167938f32ede98964ae6c4f3862738d6e77dc34904fe2035cb
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	4020	schtasks.exe	21
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	424	4020	schtasks.exe	21
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	4020	schtasks.exe	21
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	4020	schtasks.exe	21
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	4020	schtasks.exe	21
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3784	4020	schtasks.exe	21
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	4020	schtasks.exe	21
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3840	4020	schtasks.exe	21
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3672	4020	schtasks.exe	21

DCRat payload 17 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0003000000000721-141.dat	dcrat
behavioral1/files/0x0003000000000721-140.dat	dcrat
behavioral1/memory/5076-142-0x0000000000450000-0x0000000000560000-memory.dmp	dcrat
behavioral1/files/0x000300000000072f-151.dat	dcrat
behavioral1/files/0x000300000000072f-150.dat	dcrat
behavioral1/files/0x000300000000072f-171.dat	dcrat
behavioral1/files/0x000300000000072f-179.dat	dcrat
behavioral1/files/0x000300000000072f-186.dat	dcrat
behavioral1/files/0x000300000000072f-193.dat	dcrat
behavioral1/files/0x000300000000072f-200.dat	dcrat
behavioral1/files/0x000300000000072f-207.dat	dcrat
behavioral1/files/0x000300000000072f-214.dat	dcrat
behavioral1/files/0x000300000000072f-221.dat	dcrat
behavioral1/files/0x000300000000072f-228.dat	dcrat
behavioral1/files/0x000300000000072f-235.dat	dcrat
behavioral1/files/0x000300000000072f-242.dat	dcrat
behavioral1/files/0x000300000000072f-249.dat	dcrat

Executes dropped EXE 13 IoCs

pid	Process
5076	DllCommonsvc.exe
4420	sppsvc.exe
4108	sppsvc.exe
4360	sppsvc.exe
4556	sppsvc.exe
4528	sppsvc.exe
2580	sppsvc.exe
2732	sppsvc.exe
5104	sppsvc.exe
4536	sppsvc.exe
4152	sppsvc.exe
4740	sppsvc.exe
3660	sppsvc.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	f233727c1a86228d7b7fe31c727cc660985372c2296a42dd3859b22b7ee02024.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	sppsvc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\StartMenuExperienceHost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\55b276f4edf653	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\9e8d7a4ca61bd9	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2096	schtasks.exe
3672	schtasks.exe
1824	schtasks.exe
424	schtasks.exe
4596	schtasks.exe
684	schtasks.exe
3784	schtasks.exe
1680	schtasks.exe
3840	schtasks.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	f233727c1a86228d7b7fe31c727cc660985372c2296a42dd3859b22b7ee02024.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
5076	DllCommonsvc.exe
2832	powershell.exe
4564	powershell.exe
2088	powershell.exe
2088	powershell.exe
3680	powershell.exe
4420	sppsvc.exe
2832	powershell.exe
4564	powershell.exe
3680	powershell.exe
4108	sppsvc.exe
4360	sppsvc.exe
4556	sppsvc.exe
4528	sppsvc.exe
2580	sppsvc.exe
2732	sppsvc.exe
5104	sppsvc.exe
4536	sppsvc.exe
4152	sppsvc.exe
4740	sppsvc.exe
3660	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	5076	DllCommonsvc.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	4564	powershell.exe
Token: SeDebugPrivilege	3680	powershell.exe
Token: SeDebugPrivilege	4420	sppsvc.exe
Token: SeDebugPrivilege	4108	sppsvc.exe
Token: SeDebugPrivilege	4360	sppsvc.exe
Token: SeDebugPrivilege	4556	sppsvc.exe
Token: SeDebugPrivilege	4528	sppsvc.exe
Token: SeDebugPrivilege	2580	sppsvc.exe
Token: SeDebugPrivilege	2732	sppsvc.exe
Token: SeDebugPrivilege	5104	sppsvc.exe
Token: SeDebugPrivilege	4536	sppsvc.exe
Token: SeDebugPrivilege	4152	sppsvc.exe
Token: SeDebugPrivilege	4740	sppsvc.exe
Token: SeDebugPrivilege	3660	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4236 wrote to memory of 1572	4236	f233727c1a86228d7b7fe31c727cc660985372c2296a42dd3859b22b7ee02024.exe	80
PID 4236 wrote to memory of 1572	4236	f233727c1a86228d7b7fe31c727cc660985372c2296a42dd3859b22b7ee02024.exe	80
PID 4236 wrote to memory of 1572	4236	f233727c1a86228d7b7fe31c727cc660985372c2296a42dd3859b22b7ee02024.exe	80
PID 1572 wrote to memory of 4668	1572	WScript.exe	82
PID 1572 wrote to memory of 4668	1572	WScript.exe	82
PID 1572 wrote to memory of 4668	1572	WScript.exe	82
PID 4668 wrote to memory of 5076	4668	cmd.exe	83
PID 4668 wrote to memory of 5076	4668	cmd.exe	83
PID 5076 wrote to memory of 3680	5076	DllCommonsvc.exe	103
PID 5076 wrote to memory of 3680	5076	DllCommonsvc.exe	103
PID 5076 wrote to memory of 2832	5076	DllCommonsvc.exe	102
PID 5076 wrote to memory of 2832	5076	DllCommonsvc.exe	102
PID 5076 wrote to memory of 2088	5076	DllCommonsvc.exe	101
PID 5076 wrote to memory of 2088	5076	DllCommonsvc.exe	101
PID 5076 wrote to memory of 4564	5076	DllCommonsvc.exe	95
PID 5076 wrote to memory of 4564	5076	DllCommonsvc.exe	95
PID 5076 wrote to memory of 4420	5076	DllCommonsvc.exe	98
PID 5076 wrote to memory of 4420	5076	DllCommonsvc.exe	98
PID 4420 wrote to memory of 3120	4420	sppsvc.exe	108
PID 4420 wrote to memory of 3120	4420	sppsvc.exe	108
PID 3120 wrote to memory of 4748	3120	cmd.exe	107
PID 3120 wrote to memory of 4748	3120	cmd.exe	107
PID 3120 wrote to memory of 4108	3120	cmd.exe	111
PID 3120 wrote to memory of 4108	3120	cmd.exe	111
PID 4108 wrote to memory of 2808	4108	sppsvc.exe	112
PID 4108 wrote to memory of 2808	4108	sppsvc.exe	112
PID 2808 wrote to memory of 4060	2808	cmd.exe	114
PID 2808 wrote to memory of 4060	2808	cmd.exe	114
PID 2808 wrote to memory of 4360	2808	cmd.exe	116
PID 2808 wrote to memory of 4360	2808	cmd.exe	116
PID 4360 wrote to memory of 3928	4360	sppsvc.exe	117
PID 4360 wrote to memory of 3928	4360	sppsvc.exe	117
PID 3928 wrote to memory of 4480	3928	cmd.exe	119
PID 3928 wrote to memory of 4480	3928	cmd.exe	119
PID 3928 wrote to memory of 4556	3928	cmd.exe	120
PID 3928 wrote to memory of 4556	3928	cmd.exe	120
PID 4556 wrote to memory of 1220	4556	sppsvc.exe	121
PID 4556 wrote to memory of 1220	4556	sppsvc.exe	121
PID 1220 wrote to memory of 2300	1220	cmd.exe	123
PID 1220 wrote to memory of 2300	1220	cmd.exe	123
PID 1220 wrote to memory of 4528	1220	cmd.exe	124
PID 1220 wrote to memory of 4528	1220	cmd.exe	124
PID 4528 wrote to memory of 4940	4528	sppsvc.exe	127
PID 4528 wrote to memory of 4940	4528	sppsvc.exe	127
PID 4940 wrote to memory of 4668	4940	cmd.exe	125
PID 4940 wrote to memory of 4668	4940	cmd.exe	125
PID 4940 wrote to memory of 2580	4940	cmd.exe	128
PID 4940 wrote to memory of 2580	4940	cmd.exe	128
PID 2580 wrote to memory of 4716	2580	sppsvc.exe	130
PID 2580 wrote to memory of 4716	2580	sppsvc.exe	130
PID 4716 wrote to memory of 1544	4716	cmd.exe	131
PID 4716 wrote to memory of 1544	4716	cmd.exe	131
PID 4716 wrote to memory of 2732	4716	cmd.exe	132
PID 4716 wrote to memory of 2732	4716	cmd.exe	132
PID 2732 wrote to memory of 2712	2732	sppsvc.exe	135
PID 2732 wrote to memory of 2712	2732	sppsvc.exe	135
PID 2712 wrote to memory of 1984	2712	cmd.exe	133
PID 2712 wrote to memory of 1984	2712	cmd.exe	133
PID 2712 wrote to memory of 5104	2712	cmd.exe	136
PID 2712 wrote to memory of 5104	2712	cmd.exe	136
PID 5104 wrote to memory of 2144	5104	sppsvc.exe	137
PID 5104 wrote to memory of 2144	5104	sppsvc.exe	137
PID 2144 wrote to memory of 1864	2144	cmd.exe	139
PID 2144 wrote to memory of 1864	2144	cmd.exe	139

C:\Users\Admin\AppData\Local\Temp\f233727c1a86228d7b7fe31c727cc660985372c2296a42dd3859b22b7ee02024.exe
"C:\Users\Admin\AppData\Local\Temp\f233727c1a86228d7b7fe31c727cc660985372c2296a42dd3859b22b7ee02024.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4236
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4668
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5076
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\StartMenuExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4564
    - - C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4420
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l7tVtcAquU.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7hfvN6zFDa.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:4060
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        9⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k2jNhBdkgg.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:4480
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        11⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\d8IMWcflW5.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2300
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        13⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CWxqMEPA9M.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        15⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yoQf8QHV2Q.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1544
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        17⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        19⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat"
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1864
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        21⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i0MStmnXAe.bat"
        22⤵
        
        PID:1892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4904
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        23⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4152
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uq0hdwOOBc.bat"
        24⤵
        
        PID:4144
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1684
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        25⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ESzt3JT3T8.bat"
        26⤵
        
        PID:3728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2284
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZHEG9SYztW.bat"
        28⤵
        
        PID:2372
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        29⤵
        
        PID:4840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3672

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:4748

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:4668

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:1984

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sppsvc.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7hfvN6zFDa.bat

Filesize
193B

MD5
0ba5c09ef4f081d763cd1da738817915

SHA1
7ab20fb7d0a142a2c1e86be1a65012afdbf29dc6

SHA256
b5ae125b5d9594aa6c902473a65a498334cfe3b1c86049acfacbf588cccc7f2a

SHA512
cf825a6a044718538afc7004a47dd933f2b6cfd98a5423ea79acac617e5a650bff4fd5723002af4b3ed12628cb12c96e4b725de937c012449d41c99524e679c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CWxqMEPA9M.bat

Filesize
193B

MD5
239f70d2b2d71e971b596774c02b544d

SHA1
d574e217ef73a13185ff275b24ddb685307ff0cc

SHA256
beab9750d4d85fe9be54fdc2261f4648f6ebd7096242866401f7e61e655fdae7

SHA512
55beb8e96e091f276d8ca6efe223ec14dd5a19e7f3245d878df1db1fe1f6fcdf976f202a70ae665d85046d31eb88942700fe0c55a1040c77ae6fa55fcc0645a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ESzt3JT3T8.bat

Filesize
193B

MD5
ed55ee8a71e567c6feb14db946bb67eb

SHA1
1c450fc6111e4630cfc9463e76a63c7a9132308e

SHA256
6f7decbcb3e6115378cba474d077c99ef836495c13815469d7a160ec72daabd7

SHA512
dfc6539bdf0ad882c25f521eeae501acd024f7570e4595625a6948a8bdd9031b2d4e2342ecaea0199b21de651dab13ccc97576c1b42234902319cc2a6cbf7a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZHEG9SYztW.bat

Filesize
193B

MD5
1f0f8573bd5edcf0942c8fe506167133

SHA1
b84cfcf67c44880e076e1aad3fa3952f3a24562a

SHA256
c0ee254992992c8b65dfd3ad0bdab50d89bcd7a28d2e4a7b54ddbe6e1ab564ed

SHA512
246d7dd0cf65d0c2552f50fa1a032b29f6462c3b9f9fb1de2ea758cd0a5184870d4fcf18b420e18906e0d196d6947aa3584c92eb9fc3f39cbe8c6e1a683e599d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d8IMWcflW5.bat

Filesize
193B

MD5
090bac7bb5e445066506c419a4b6fbdf

SHA1
097a3a9571edbad5031324559647661e926d9887

SHA256
57b965ec1d4c54c69d106b1aad59c5b112d591ebed9f21d17b7354978e0ce560

SHA512
349a912359d014120b1b2dea0dd1de708c2cec768dbe7677e05ffb922aa0e3dd34a353165f461c1b6ad07718262fed8af4d828dc2594012fd2616ac2b77af115

Download Submit
C:\Users\Admin\AppData\Local\Temp\i0MStmnXAe.bat

Filesize
193B

MD5
642fd96ab635d283e1723f6b32d797b4

SHA1
6577f942104d5689869819111d4b0071883d6059

SHA256
37c155416932d10d517140183df7f3297f3f0784936f5c41cbc969590084338b

SHA512
f38f948cf7a56a1ca04673d6b72e0a5757d30a63287a9602b52faacf82516d1fad52bddeb4c8534e7ed58dda771b0810358005c404bc5702c0f464c9f8fa3114

Download Submit
C:\Users\Admin\AppData\Local\Temp\k2jNhBdkgg.bat

Filesize
193B

MD5
f731efc592abea6a9b682c588bb08745

SHA1
ad3ffdb30fe8a9dd8844ddd3ca2fe7896078c336

SHA256
101a939a01a1b5865457a1fb0c65083cdfb6666b03afb3afe5817f6090e1c081

SHA512
2bcdc19881d5031518631923157abdfd42213c6cc157ad2c7e1ddf32fea8f9e090c004b16664cbcc3b9071e08c748a47f934503a42fe9d2ff981a3c2a454be63

Download Submit
C:\Users\Admin\AppData\Local\Temp\l7tVtcAquU.bat

Filesize
193B

MD5
9722136c86243bc227504d8d05b332fc

SHA1
617df5f187ad17d2652f4653c03830d62098ece3

SHA256
fe1c75b5ff075f9a7954c526a41e430b5cad8bc6605c64085329efa419c7547e

SHA512
a84d9e833a810f62cdf6c74d4ff4837fc6e14698550c7981ee5c53ad403c4f94a51fbdef6cab80ad4db68c23aeb0ab27b60a907cd79528d73b0af9193f5b95cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\uq0hdwOOBc.bat

Filesize
193B

MD5
9c666c8ca3fd2f8643a4ba4e4b7b54eb

SHA1
56b8caaaad5c8b1046dafc114547635f476a7c64

SHA256
d9f2a68e5be3a4eadd6c45d75fca6b545740de64c5290bc3c3613d746d47fe46

SHA512
53e722d962a6c28021402a7a04ee05430d7632de7c25d8486a74d4daac080d996d96b6327fa069ba4c53d359515eecca197fbd07d09370bf845c638d2ef7a325

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat

Filesize
193B

MD5
9f9eee2adb6eaf2f5cba927a609483cf

SHA1
0e73a3edf87c9038df44a39a54b09e560dfb63d2

SHA256
b29561eeeb789efe6aa92a9dff4fcc4c11ce0791c0f275dfe838f06f6e0fb29d

SHA512
55172678b5c65dc48e7f21549addfa7036017b8259c1e1e09841ce9aa36951beb624a262c9007bfa156731efb4a918ba3d11e5194922df0060ee353dda226fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat

Filesize
193B

MD5
2fe4f12dcb0f36123c003446358c0b73

SHA1
da940052b22b0d228ee7291cf70b04a5e6c6740b

SHA256
1e782970ea22864b902e4ac518b6a89fa55ec204ce4605f26318a50e90a8a704

SHA512
a89990ca9f4655117ec6915f2b6302e04209e7182ad2d4bd52bb65c0731187587701f67d51e25b4ec10d4fe4587eeef38a0816ccdb966eea28dea7fbe8c6b4bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoQf8QHV2Q.bat

Filesize
193B

MD5
89d93f7af819247d963b23f805fb39aa

SHA1
effa714f9835b23eb3d3eab65e1263e020f5d553

SHA256
e6e183e3e8bc1164a892e72b07779dd3c5bfc8c4c803231f27121aae4f153097

SHA512
cb38fae61bef8f15b95c2dc6bcd8b9548319f4c0c9a897d94a4b5b9eb1d25bc2cb9a825f6d8d1eafbb9ae7e0bcb63e469b0959f0d690f7692697ec98a62e6c9b

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\sppsvc.exe

Filesize
386KB

MD5
5a2f22a714a7be9bc24f6f828ec1b034

SHA1
475f8634431b96ac871fc07b6f2624e5b72ac44a

SHA256
3df84d1bac5d8561241a5f9c3e2b260ff72123edc28d273459cc7ad61ae21d8f

SHA512
f1343930b1e58960c4cbbf0b9c9dbffb4987abf6056cd6015d61fd5b74f7238de75180cf70eaea2b75fe3a2a81b7f1991df060b4c6ec26118e21fb610d9d1995

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/2088-148-0x000001CAEBAF0000-0x000001CAEBB12000-memory.dmp

Filesize
136KB

Download
memory/2088-154-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/2088-157-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/2580-201-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/2580-205-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/2732-208-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/2732-212-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/2832-160-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/2832-152-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/3660-243-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/3660-247-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/3680-156-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/3680-164-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/4108-177-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/4108-173-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/4152-233-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/4152-229-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/4360-184-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/4360-180-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/4420-169-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/4420-165-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/4528-194-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/4528-198-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/4536-226-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/4536-222-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/4556-187-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/4556-191-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/4564-163-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/4564-155-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/4740-240-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/4740-236-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/5076-143-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/5076-153-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/5076-142-0x0000000000450000-0x0000000000560000-memory.dmp

Filesize
1.1MB

Download
memory/5104-215-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download
memory/5104-219-0x00007FFB3D400000-0x00007FFB3DEC1000-memory.dmp

Filesize
10.8MB

Download