dcrat | 615a21e5834804a568aa8d9a3aaaa0efb21535086a42022ab63f1d8384097a11

Analysis

max time kernel
150s
max time network
147s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
01/11/2022, 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

615a21e5834804a568aa8d9a3aaaa0efb21535086a42022ab63f1d8384097a11.exe
Size

1.3MB
MD5

6903dd93311a0f3743cc69fd5ad33a00
SHA1

1cd143e42cabd428522fde1ba3d61fa9b4ee349a
SHA256

615a21e5834804a568aa8d9a3aaaa0efb21535086a42022ab63f1d8384097a11
SHA512

1e87cc924f21a7c0f97067c2a383a4e250fe5ed9b648cce8c76dcc586232976b7f8a1c05c83df3a530a3dd9b0527c01548280381f7abd7efd8efe959a8f1648f
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3184	4072	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3168	4072	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3232	4072	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	4072	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	4072	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	4072	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	4072	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	4072	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	4072	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	4072	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	4072	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	4072	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	4072	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	4072	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	4072	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	4072	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	4072	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	4072	schtasks.exe	70

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000900000001abdf-284.dat	dcrat
behavioral1/files/0x000900000001abdf-285.dat	dcrat
behavioral1/memory/4092-286-0x0000000000F00000-0x0000000001010000-memory.dmp	dcrat
behavioral1/files/0x000800000001abfe-515.dat	dcrat
behavioral1/files/0x000800000001abfe-514.dat	dcrat
behavioral1/files/0x000800000001abfe-549.dat	dcrat
behavioral1/files/0x000800000001abfe-556.dat	dcrat
behavioral1/files/0x000800000001abfe-561.dat	dcrat
behavioral1/files/0x000800000001abfe-567.dat	dcrat
behavioral1/files/0x000800000001abfe-572.dat	dcrat
behavioral1/files/0x000800000001abfe-578.dat	dcrat
behavioral1/files/0x000800000001abfe-583.dat	dcrat
behavioral1/files/0x000800000001abfe-588.dat	dcrat
behavioral1/files/0x000800000001abfe-594.dat	dcrat
behavioral1/files/0x000800000001abfe-600.dat	dcrat

Executes dropped EXE 12 IoCs

pid	Process
4092	DllCommonsvc.exe
412	spoolsv.exe
1576	spoolsv.exe
4716	spoolsv.exe
3676	spoolsv.exe
4896	spoolsv.exe
3704	spoolsv.exe
2512	spoolsv.exe
4596	spoolsv.exe
216	spoolsv.exe
3692	spoolsv.exe
3972	spoolsv.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\MSBuild\Microsoft\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\ea9f0e6c9e2dcd	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\56085415360792	DllCommonsvc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\schemas\VpnProfile\dwm.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4644	schtasks.exe
3116	schtasks.exe
4904	schtasks.exe
1996	schtasks.exe
1992	schtasks.exe
5032	schtasks.exe
3232	schtasks.exe
4824	schtasks.exe
4928	schtasks.exe
4472	schtasks.exe
4864	schtasks.exe
4892	schtasks.exe
4664	schtasks.exe
3152	schtasks.exe
3184	schtasks.exe
3168	schtasks.exe
4972	schtasks.exe
5004	schtasks.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	615a21e5834804a568aa8d9a3aaaa0efb21535086a42022ab63f1d8384097a11.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
4092	DllCommonsvc.exe
4636	powershell.exe
4680	powershell.exe
1820	powershell.exe
4636	powershell.exe
5064	powershell.exe
5068	powershell.exe
3948	powershell.exe
3524	powershell.exe
4680	powershell.exe
5064	powershell.exe
1820	powershell.exe
3948	powershell.exe
3524	powershell.exe
5068	powershell.exe
4636	powershell.exe
4680	powershell.exe
5064	powershell.exe
3948	powershell.exe
1820	powershell.exe
3524	powershell.exe
5068	powershell.exe
412	spoolsv.exe
1576	spoolsv.exe
4716	spoolsv.exe
3676	spoolsv.exe
4896	spoolsv.exe
3704	spoolsv.exe
2512	spoolsv.exe
4596	spoolsv.exe
216	spoolsv.exe
3692	spoolsv.exe
3972	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4092	DllCommonsvc.exe
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	3524	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	5064	powershell.exe
Token: SeDebugPrivilege	5068	powershell.exe
Token: SeDebugPrivilege	3948	powershell.exe
Token: SeIncreaseQuotaPrivilege	4636	powershell.exe
Token: SeSecurityPrivilege	4636	powershell.exe
Token: SeTakeOwnershipPrivilege	4636	powershell.exe
Token: SeLoadDriverPrivilege	4636	powershell.exe
Token: SeSystemProfilePrivilege	4636	powershell.exe
Token: SeSystemtimePrivilege	4636	powershell.exe
Token: SeProfSingleProcessPrivilege	4636	powershell.exe
Token: SeIncBasePriorityPrivilege	4636	powershell.exe
Token: SeCreatePagefilePrivilege	4636	powershell.exe
Token: SeBackupPrivilege	4636	powershell.exe
Token: SeRestorePrivilege	4636	powershell.exe
Token: SeShutdownPrivilege	4636	powershell.exe
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeSystemEnvironmentPrivilege	4636	powershell.exe
Token: SeRemoteShutdownPrivilege	4636	powershell.exe
Token: SeUndockPrivilege	4636	powershell.exe
Token: SeManageVolumePrivilege	4636	powershell.exe
Token: 33	4636	powershell.exe
Token: 34	4636	powershell.exe
Token: 35	4636	powershell.exe
Token: 36	4636	powershell.exe
Token: SeIncreaseQuotaPrivilege	4680	powershell.exe
Token: SeSecurityPrivilege	4680	powershell.exe
Token: SeTakeOwnershipPrivilege	4680	powershell.exe
Token: SeLoadDriverPrivilege	4680	powershell.exe
Token: SeSystemProfilePrivilege	4680	powershell.exe
Token: SeSystemtimePrivilege	4680	powershell.exe
Token: SeProfSingleProcessPrivilege	4680	powershell.exe
Token: SeIncBasePriorityPrivilege	4680	powershell.exe
Token: SeCreatePagefilePrivilege	4680	powershell.exe
Token: SeBackupPrivilege	4680	powershell.exe
Token: SeRestorePrivilege	4680	powershell.exe
Token: SeShutdownPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeSystemEnvironmentPrivilege	4680	powershell.exe
Token: SeRemoteShutdownPrivilege	4680	powershell.exe
Token: SeUndockPrivilege	4680	powershell.exe
Token: SeManageVolumePrivilege	4680	powershell.exe
Token: 33	4680	powershell.exe
Token: 34	4680	powershell.exe
Token: 35	4680	powershell.exe
Token: 36	4680	powershell.exe
Token: SeIncreaseQuotaPrivilege	5064	powershell.exe
Token: SeSecurityPrivilege	5064	powershell.exe
Token: SeTakeOwnershipPrivilege	5064	powershell.exe
Token: SeLoadDriverPrivilege	5064	powershell.exe
Token: SeSystemProfilePrivilege	5064	powershell.exe
Token: SeSystemtimePrivilege	5064	powershell.exe
Token: SeProfSingleProcessPrivilege	5064	powershell.exe
Token: SeIncBasePriorityPrivilege	5064	powershell.exe
Token: SeCreatePagefilePrivilege	5064	powershell.exe
Token: SeBackupPrivilege	5064	powershell.exe
Token: SeRestorePrivilege	5064	powershell.exe
Token: SeShutdownPrivilege	5064	powershell.exe
Token: SeDebugPrivilege	5064	powershell.exe
Token: SeSystemEnvironmentPrivilege	5064	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 3512	1980	615a21e5834804a568aa8d9a3aaaa0efb21535086a42022ab63f1d8384097a11.exe	66
PID 1980 wrote to memory of 3512	1980	615a21e5834804a568aa8d9a3aaaa0efb21535086a42022ab63f1d8384097a11.exe	66
PID 1980 wrote to memory of 3512	1980	615a21e5834804a568aa8d9a3aaaa0efb21535086a42022ab63f1d8384097a11.exe	66
PID 3512 wrote to memory of 3572	3512	WScript.exe	67
PID 3512 wrote to memory of 3572	3512	WScript.exe	67
PID 3512 wrote to memory of 3572	3512	WScript.exe	67
PID 3572 wrote to memory of 4092	3572	cmd.exe	69
PID 3572 wrote to memory of 4092	3572	cmd.exe	69
PID 4092 wrote to memory of 4636	4092	DllCommonsvc.exe	89
PID 4092 wrote to memory of 4636	4092	DllCommonsvc.exe	89
PID 4092 wrote to memory of 4680	4092	DllCommonsvc.exe	98
PID 4092 wrote to memory of 4680	4092	DllCommonsvc.exe	98
PID 4092 wrote to memory of 3524	4092	DllCommonsvc.exe	97
PID 4092 wrote to memory of 3524	4092	DllCommonsvc.exe	97
PID 4092 wrote to memory of 1820	4092	DllCommonsvc.exe	96
PID 4092 wrote to memory of 1820	4092	DllCommonsvc.exe	96
PID 4092 wrote to memory of 5064	4092	DllCommonsvc.exe	93
PID 4092 wrote to memory of 5064	4092	DllCommonsvc.exe	93
PID 4092 wrote to memory of 5068	4092	DllCommonsvc.exe	94
PID 4092 wrote to memory of 5068	4092	DllCommonsvc.exe	94
PID 4092 wrote to memory of 3948	4092	DllCommonsvc.exe	99
PID 4092 wrote to memory of 3948	4092	DllCommonsvc.exe	99
PID 4092 wrote to memory of 656	4092	DllCommonsvc.exe	103
PID 4092 wrote to memory of 656	4092	DllCommonsvc.exe	103
PID 656 wrote to memory of 960	656	cmd.exe	105
PID 656 wrote to memory of 960	656	cmd.exe	105
PID 656 wrote to memory of 412	656	cmd.exe	107
PID 656 wrote to memory of 412	656	cmd.exe	107
PID 412 wrote to memory of 3460	412	spoolsv.exe	108
PID 412 wrote to memory of 3460	412	spoolsv.exe	108
PID 3460 wrote to memory of 1296	3460	cmd.exe	110
PID 3460 wrote to memory of 1296	3460	cmd.exe	110
PID 3460 wrote to memory of 1576	3460	cmd.exe	111
PID 3460 wrote to memory of 1576	3460	cmd.exe	111
PID 1576 wrote to memory of 5112	1576	spoolsv.exe	112
PID 1576 wrote to memory of 5112	1576	spoolsv.exe	112
PID 5112 wrote to memory of 4708	5112	cmd.exe	114
PID 5112 wrote to memory of 4708	5112	cmd.exe	114
PID 5112 wrote to memory of 4716	5112	cmd.exe	115
PID 5112 wrote to memory of 4716	5112	cmd.exe	115
PID 4716 wrote to memory of 4012	4716	spoolsv.exe	116
PID 4716 wrote to memory of 4012	4716	spoolsv.exe	116
PID 4012 wrote to memory of 4948	4012	cmd.exe	118
PID 4012 wrote to memory of 4948	4012	cmd.exe	118
PID 4012 wrote to memory of 3676	4012	cmd.exe	119
PID 4012 wrote to memory of 3676	4012	cmd.exe	119
PID 3676 wrote to memory of 3116	3676	spoolsv.exe	120
PID 3676 wrote to memory of 3116	3676	spoolsv.exe	120
PID 3116 wrote to memory of 4808	3116	cmd.exe	122
PID 3116 wrote to memory of 4808	3116	cmd.exe	122
PID 3116 wrote to memory of 4896	3116	cmd.exe	123
PID 3116 wrote to memory of 4896	3116	cmd.exe	123
PID 4896 wrote to memory of 4200	4896	spoolsv.exe	124
PID 4896 wrote to memory of 4200	4896	spoolsv.exe	124
PID 4200 wrote to memory of 1800	4200	cmd.exe	126
PID 4200 wrote to memory of 1800	4200	cmd.exe	126
PID 4200 wrote to memory of 3704	4200	cmd.exe	127
PID 4200 wrote to memory of 3704	4200	cmd.exe	127
PID 3704 wrote to memory of 3796	3704	spoolsv.exe	128
PID 3704 wrote to memory of 3796	3704	spoolsv.exe	128
PID 3796 wrote to memory of 1284	3796	cmd.exe	130
PID 3796 wrote to memory of 1284	3796	cmd.exe	130
PID 3796 wrote to memory of 2512	3796	cmd.exe	131
PID 3796 wrote to memory of 2512	3796	cmd.exe	131

C:\Users\Admin\AppData\Local\Temp\615a21e5834804a568aa8d9a3aaaa0efb21535086a42022ab63f1d8384097a11.exe
"C:\Users\Admin\AppData\Local\Temp\615a21e5834804a568aa8d9a3aaaa0efb21535086a42022ab63f1d8384097a11.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3572
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3948
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LgabCJs63t.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:656
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:960
      - C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Lq6d7xQt2.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1296
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CL2HVdYORd.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:4708
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8UyA8TRco5.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:4948
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vdJwOJplm6.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:4808
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GKRF07RVHS.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1800
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pakqiPPahT.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1284
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2512
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BHs9KC1JDp.bat"
        19⤵
        
        PID:4680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2868
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hiVaTihpWK.bat"
        21⤵
        
        PID:2072
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:364
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat"
        23⤵
        
        PID:3860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:928
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        24⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DCuC0H4DXb.bat"
        25⤵
        
        PID:1772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:3324
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\odt\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
633d5cf604fc1bd5a5b07e7a209a7431

SHA1
f909a80b811b9dd3635be9a16ab72e87dac85002

SHA256
01c80b8d375d85ae2bf40a8008f69dd76f5d368fc8024dee2c11e9af8f85617c

SHA512
7c11967a2acf59c40f42d2beb8fadb28dd7de5904670e95e52e92b56a40787d1db96c6cbf75498a45e68105f74d954cfb67f36238ace796bbcbc80f957afa515

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
72c08a0e32369f514358b17c4f356873

SHA1
a492f2c7f129cf44bb36880b3b38f14a0c9937c3

SHA256
ea8c6464fcc7c38f72c25b26ce892d1bc218ca38d406ca160a085e6389fe01d9

SHA512
2f06a82a92e464b3885396b565147d974dde0e142950de645286e849fd31c8eadc170391038175eedc841731fc8f6c74b439960cb439d9e518b6a4e8f6a722da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
72c08a0e32369f514358b17c4f356873

SHA1
a492f2c7f129cf44bb36880b3b38f14a0c9937c3

SHA256
ea8c6464fcc7c38f72c25b26ce892d1bc218ca38d406ca160a085e6389fe01d9

SHA512
2f06a82a92e464b3885396b565147d974dde0e142950de645286e849fd31c8eadc170391038175eedc841731fc8f6c74b439960cb439d9e518b6a4e8f6a722da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
219403c591ced3131d4d37719168165a

SHA1
49bc4ce7b0ae1dc8b167c5619bc3235b70d74a37

SHA256
905bb04aa4aa678bad9b3c1944a75f9fb07c152fd0f09cff9027f7f1ca7fde56

SHA512
353ca1c563423f8ec03e53dcea06fa52e14686578048eb0de55a45b86dc1c0c5757a2556d791830f241503b6ee08b4eec460db26b3460ef014d6435d1e88cc1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
219403c591ced3131d4d37719168165a

SHA1
49bc4ce7b0ae1dc8b167c5619bc3235b70d74a37

SHA256
905bb04aa4aa678bad9b3c1944a75f9fb07c152fd0f09cff9027f7f1ca7fde56

SHA512
353ca1c563423f8ec03e53dcea06fa52e14686578048eb0de55a45b86dc1c0c5757a2556d791830f241503b6ee08b4eec460db26b3460ef014d6435d1e88cc1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3c244c846d8ce67e0177c8160fb5a169

SHA1
607f8dfb62e36543ce76692a10d9f1e767ee93f0

SHA256
57a49a67f9c279aa35c2de33a9cced41deb0f93e648b37c84814008a0f041d18

SHA512
d1e3708d299efc6d6b9e994b6bd357ddda108d383fecc776e39c999a47f78b977e9564ac0d2ba12289d7df77f43bc03023972d54b73a3298e3fbf4a5c5251f70

Download Submit
C:\Users\Admin\AppData\Local\Temp\8Lq6d7xQt2.bat

Filesize
194B

MD5
49fc0de219784dbbabd658fc56fdb5a6

SHA1
02669deecd20b596c3194ff39e61302e9f079a4b

SHA256
71b4239f8650ed0dc18facdf52a3ddacb01eb49da47fe619af3f09f646233bb3

SHA512
18ff536b716a9d68ef2b89373331b1dc9837457102fbac1ebb226c7df96237c3405d83578b3d92a67e99d7f9e1c172070a6cf0bf3026b5603f236bdc0413342d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8UyA8TRco5.bat

Filesize
194B

MD5
e1aebf92eadb9fbcf1ef2a784afa300b

SHA1
6a12b696084185489886f097ba587f3c2806bc5c

SHA256
f6d5dc532824c35a92bfec0940b7279bd448a51bbd2da68986a9b5dfe3327a6e

SHA512
e4b4196760f6ffa3c44d8c3c064285d36220a50d13c316125d4dbbdfb592578ed06eebc18e8dbec7bcff8fd18779c89618984663405d6519af9e6c5a3b813f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BHs9KC1JDp.bat

Filesize
194B

MD5
453c06a4f21ceb97151d977b313f2dff

SHA1
4dbc98db745b42428bb32e946f92be18d6c5d888

SHA256
ec71a7aadc6f4fc5e56801e2d7c56ba247dadd3e6ceffb49c7dd162dee8dee3e

SHA512
bae73cdd1c0d13cb637c0b30eadd3c3388dc11f30614c588a11227031a56d40ccba16288ee005eefa235045c7590d9b6fc5266a53bb92f28914e0acb2b7bda2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CL2HVdYORd.bat

Filesize
194B

MD5
826193ec7a74f17dfe7e093b1def6773

SHA1
7e41093205f8ccb9d27714cdc6cad85b2d108bd7

SHA256
101c5dd944618dcc78e169e5d92cbf835d8a9003c9d6b001773a627e38c864d1

SHA512
19a01418c75ae13b4c4c12bc6a98eab9c4012bb591073b694b8f7203730a79a292e3ba5166169bff5e4e712ed6013eaf5b819b9dd61fc40a959178e2fcf935be

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCuC0H4DXb.bat

Filesize
194B

MD5
5c8a90ccdfa69d2cbc2e4d32f9665165

SHA1
50725f0650fb5a5682479efa660d949d4880a6d1

SHA256
627b84e144ac38267734d90cb4b03a321ae17576a93fea702fde93d4dfcf17f0

SHA512
ab0e01837daebea7e92aaf14dbd23644112fe94ea23814f68d22ae69ffe61e3f34c65ad01c82ccbeff79932397b77bad73405db21982af8a34e18a546f854551

Download Submit
C:\Users\Admin\AppData\Local\Temp\GKRF07RVHS.bat

Filesize
194B

MD5
0dfe71245ce690d73f6a7f697b544788

SHA1
2d63c44d6c37c0e93e2366ce09d96d03af528cb5

SHA256
87aa3a1ae6699126467a701204c68f9174886a7e91692e29751a05d4549dae30

SHA512
5b02fdf1cea100a2108bafd7fdf25c6d08dd20555a4cbede72f951c4f1f49bb2e65f023a56913d9da1cd47ec7b0b35e7d402b9908fcf99a448d9d0065d579064

Download Submit
C:\Users\Admin\AppData\Local\Temp\LgabCJs63t.bat

Filesize
194B

MD5
62a7a6a296f30ce07d61a773cb4fe2c6

SHA1
5358c4b2754a10b4459800d4b6e5ee2101074015

SHA256
299d296c45a94d7de2a03a75f6fba98779b2f3b5a0baab926a82e91043c37f4d

SHA512
ba5e3cefedf3354468b216696f1146d3223ec652aac95a2b3eba584cbfd6612b76dff281c5f7fd3c900cf04eff8c16b5f1a2d995fd470c74ecfb4a85b0d3f956

Download Submit
C:\Users\Admin\AppData\Local\Temp\hiVaTihpWK.bat

Filesize
194B

MD5
5ca3017268337fd94ae76cbc08d5b49b

SHA1
7461d97b4e01d2818a4229b198b44d995c22f6ff

SHA256
0bf4bcf502912339bcb63d66c4c362a938bd8ca019e55c723d365c73fbf12528

SHA512
60e83b8aa4ff02e40a0fe2906787661d43fa2801e55e3b54a86bc4593c89e021f067b3555f16d2aea484119c8f91707edef49744e78dc5661691a2bb52021980

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat

Filesize
194B

MD5
2c6dd729642027ae6b9a7b8eaa978b64

SHA1
38181cda539a36f6aa936a5545c9a80b20206fcd

SHA256
8730a6486bf1d5b23216da307fab7693d767f904c82fac270238a1689753099d

SHA512
a799ba321201db2ec0ebdfca66e49b8a971c8e836564d52036f0718f9e6f1c1ef0e40f4a74cbd5e07fe7e47861747b38bd944bec6d048c4eb7426e12caf4f312

Download Submit
C:\Users\Admin\AppData\Local\Temp\pakqiPPahT.bat

Filesize
194B

MD5
8463e90b7c4599b488144454ca29d935

SHA1
39a8e3750c5e4f1474b5e098f1180403425191cf

SHA256
539edad3a8206859379df964f8de27507b65041e87439dbcc0420b517d643fb2

SHA512
5be41e09f852ebdf73d3baf56bbaac7b7c93c17a754c5e7668b4b426d1a62537528640a49e98ff82ffc826d2aed3a95a0812a5e09c3e7e94b267fd6342a69f5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vdJwOJplm6.bat

Filesize
194B

MD5
96698d83965f5ce10943110db4935cab

SHA1
ef5ddb0b00be7361f9258e55e8f6e2902ce49692

SHA256
7738406cb8f79e1c784876e2236801767dfba7a6b8a9b07c44fee342400892d4

SHA512
2063ded336f625b7d8f2be0c31d52e1e97686dbc822653f9d8bdc1937248a1378606f1b077bdfdd34ec06b094981b0d71f08b078595fa15053a4391d3855f696

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/216-589-0x0000000000F50000-0x0000000000F62000-memory.dmp

Filesize
72KB

Download
memory/412-516-0x0000000000EF0000-0x0000000000F02000-memory.dmp

Filesize
72KB

Download
memory/1576-551-0x0000000000E40000-0x0000000000E52000-memory.dmp

Filesize
72KB

Download
memory/1980-152-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-153-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-174-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-175-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-176-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-177-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-178-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-179-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-180-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-181-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-182-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-183-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-121-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-122-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-123-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-172-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-171-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-125-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-170-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-169-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-168-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-126-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-167-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-166-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-165-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-164-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-163-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-162-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-128-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-161-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-160-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-159-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-158-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-157-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-156-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-155-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-154-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-129-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-173-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-151-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-150-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-149-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-148-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-147-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-146-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-145-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-144-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-143-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-142-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-120-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-141-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-140-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-139-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-138-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-137-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-136-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-134-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-135-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-130-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-133-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-132-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-131-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3512-186-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3512-185-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3676-562-0x0000000000D00000-0x0000000000D12000-memory.dmp

Filesize
72KB

Download
memory/3692-595-0x0000000001020000-0x0000000001032000-memory.dmp

Filesize
72KB

Download
memory/3704-573-0x00000000021B0000-0x00000000021C2000-memory.dmp

Filesize
72KB

Download
memory/4092-287-0x00000000017A0000-0x00000000017B2000-memory.dmp

Filesize
72KB

Download
memory/4092-288-0x0000000003180000-0x000000000318C000-memory.dmp

Filesize
48KB

Download
memory/4092-289-0x00000000017B0000-0x00000000017BC000-memory.dmp

Filesize
48KB

Download
memory/4092-290-0x0000000003170000-0x000000000317C000-memory.dmp

Filesize
48KB

Download
memory/4092-286-0x0000000000F00000-0x0000000001010000-memory.dmp

Filesize
1.1MB

Download
memory/4636-327-0x00000117ADC60000-0x00000117ADC82000-memory.dmp

Filesize
136KB

Download
memory/4680-340-0x000001F240290000-0x000001F240306000-memory.dmp

Filesize
472KB

Download