dcrat | dcb42a08958dc9c0ac691ddc9b1d73450fc81bcb0ab8d62dce71b18ca88779e2

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2023 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dcb42a08958dc9c0ac691ddc9b1d73450fc81bcb0ab8d62dce71b18ca88779e2.exe
Size

1.3MB
MD5

c24f6bf7111ccd2e1830bbec62add37d
SHA1

70bf7b894fd4117d5d937503f26c2d162e6931db
SHA256

dcb42a08958dc9c0ac691ddc9b1d73450fc81bcb0ab8d62dce71b18ca88779e2
SHA512

4ddd86a490cdb03dbd9a9e4d612e1ada63bff5743fe2424bc7091cfbbb7fb5f93fe68a6487b341479d24bcf69f8c5b3744704de134b504d19d997eecaec80eb5
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	732	2336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	2336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3416	2336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3468	2336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3252	2336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	2336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4260	2336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	2336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	260	2336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	2336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	2336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3764	2336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	2336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	2336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3440	2336	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	2336	schtasks.exe

DCRat payload 14 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral1/memory/1460-139-0x0000000000060000-0x0000000000170000-memory.dmp	dcrat
C:\providercommon\upfc.exe	dcrat
C:\providercommon\upfc.exe	dcrat
C:\providercommon\upfc.exe	dcrat
C:\providercommon\upfc.exe	dcrat
C:\providercommon\upfc.exe	dcrat
C:\providercommon\upfc.exe	dcrat
C:\providercommon\upfc.exe	dcrat
C:\providercommon\upfc.exe	dcrat
C:\providercommon\upfc.exe	dcrat
C:\providercommon\upfc.exe	dcrat
C:\providercommon\upfc.exe	dcrat

Executes dropped EXE 11 IoCs

Processes:

DllCommonsvc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exe

pid	process
1460	DllCommonsvc.exe
3948	upfc.exe
4356	upfc.exe
4024	upfc.exe
2620	upfc.exe
2540	upfc.exe
2556	upfc.exe
4892	upfc.exe
3932	upfc.exe
2136	upfc.exe
4852	upfc.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

upfc.exeupfc.exeupfc.exeupfc.exeupfc.exedcb42a08958dc9c0ac691ddc9b1d73450fc81bcb0ab8d62dce71b18ca88779e2.exeWScript.exeupfc.exeupfc.exeupfc.exeupfc.exeDllCommonsvc.exeupfc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	dcb42a08958dc9c0ac691ddc9b1d73450fc81bcb0ab8d62dce71b18ca88779e2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	upfc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 2 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files\Uninstall Information\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\ebf1f9fa8afd6d	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Windows\appcompat\encapsulation\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\appcompat\encapsulation\6cb0b6c459d5d3	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
3764	schtasks.exe
3640	schtasks.exe
732	schtasks.exe
4260	schtasks.exe
4664	schtasks.exe
260	schtasks.exe
216	schtasks.exe
3468	schtasks.exe
2504	schtasks.exe
4600	schtasks.exe
3416	schtasks.exe
3252	schtasks.exe
2412	schtasks.exe
5028	schtasks.exe
4400	schtasks.exe
3360	schtasks.exe
3440	schtasks.exe
3720	schtasks.exe

Modifies registry class 12 IoCs

Processes:

dcb42a08958dc9c0ac691ddc9b1d73450fc81bcb0ab8d62dce71b18ca88779e2.exeDllCommonsvc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	dcb42a08958dc9c0ac691ddc9b1d73450fc81bcb0ab8d62dce71b18ca88779e2.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	upfc.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exe

pid	process
1460	DllCommonsvc.exe
1832	powershell.exe
1832	powershell.exe
3812	powershell.exe
3812	powershell.exe
3708	powershell.exe
3708	powershell.exe
4968	powershell.exe
4968	powershell.exe
4000	powershell.exe
4000	powershell.exe
2684	powershell.exe
2684	powershell.exe
2540	powershell.exe
2540	powershell.exe
2684	powershell.exe
3812	powershell.exe
3708	powershell.exe
1832	powershell.exe
4968	powershell.exe
4000	powershell.exe
2540	powershell.exe
3948	upfc.exe
4356	upfc.exe
4024	upfc.exe
2620	upfc.exe
2540	upfc.exe
2556	upfc.exe
4892	upfc.exe
3932	upfc.exe
2136	upfc.exe
4852	upfc.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exeupfc.exe

description	pid	process
Token: SeDebugPrivilege	1460	DllCommonsvc.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	3812	powershell.exe
Token: SeDebugPrivilege	3708	powershell.exe
Token: SeDebugPrivilege	4968	powershell.exe
Token: SeDebugPrivilege	4000	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	3948	upfc.exe
Token: SeDebugPrivilege	4356	upfc.exe
Token: SeDebugPrivilege	4024	upfc.exe
Token: SeDebugPrivilege	2620	upfc.exe
Token: SeDebugPrivilege	2540	upfc.exe
Token: SeDebugPrivilege	2556	upfc.exe
Token: SeDebugPrivilege	4892	upfc.exe
Token: SeDebugPrivilege	3932	upfc.exe
Token: SeDebugPrivilege	2136	upfc.exe
Token: SeDebugPrivilege	4852	upfc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dcb42a08958dc9c0ac691ddc9b1d73450fc81bcb0ab8d62dce71b18ca88779e2.exeWScript.execmd.exeDllCommonsvc.execmd.exeupfc.execmd.exeupfc.execmd.exeupfc.execmd.exeupfc.execmd.exeupfc.execmd.exeupfc.exeupfc.execmd.exe

description	pid	process	target process
PID 1536 wrote to memory of 4372	1536	dcb42a08958dc9c0ac691ddc9b1d73450fc81bcb0ab8d62dce71b18ca88779e2.exe	WScript.exe
PID 1536 wrote to memory of 4372	1536	dcb42a08958dc9c0ac691ddc9b1d73450fc81bcb0ab8d62dce71b18ca88779e2.exe	WScript.exe
PID 1536 wrote to memory of 4372	1536	dcb42a08958dc9c0ac691ddc9b1d73450fc81bcb0ab8d62dce71b18ca88779e2.exe	WScript.exe
PID 4372 wrote to memory of 1464	4372	WScript.exe	cmd.exe
PID 4372 wrote to memory of 1464	4372	WScript.exe	cmd.exe
PID 4372 wrote to memory of 1464	4372	WScript.exe	cmd.exe
PID 1464 wrote to memory of 1460	1464	cmd.exe	DllCommonsvc.exe
PID 1464 wrote to memory of 1460	1464	cmd.exe	DllCommonsvc.exe
PID 1460 wrote to memory of 3708	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 3708	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 1832	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 1832	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 3812	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 3812	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 4968	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 4968	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 4000	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 4000	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 2684	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 2684	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 2540	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 2540	1460	DllCommonsvc.exe	powershell.exe
PID 1460 wrote to memory of 4836	1460	DllCommonsvc.exe	cmd.exe
PID 1460 wrote to memory of 4836	1460	DllCommonsvc.exe	cmd.exe
PID 4836 wrote to memory of 4652	4836	cmd.exe	w32tm.exe
PID 4836 wrote to memory of 4652	4836	cmd.exe	w32tm.exe
PID 4836 wrote to memory of 3948	4836	cmd.exe	upfc.exe
PID 4836 wrote to memory of 3948	4836	cmd.exe	upfc.exe
PID 3948 wrote to memory of 2412	3948	upfc.exe	cmd.exe
PID 3948 wrote to memory of 2412	3948	upfc.exe	cmd.exe
PID 2412 wrote to memory of 3440	2412	cmd.exe	w32tm.exe
PID 2412 wrote to memory of 3440	2412	cmd.exe	w32tm.exe
PID 2412 wrote to memory of 4356	2412	cmd.exe	upfc.exe
PID 2412 wrote to memory of 4356	2412	cmd.exe	upfc.exe
PID 4356 wrote to memory of 3904	4356	upfc.exe	cmd.exe
PID 4356 wrote to memory of 3904	4356	upfc.exe	cmd.exe
PID 3904 wrote to memory of 4452	3904	cmd.exe	w32tm.exe
PID 3904 wrote to memory of 4452	3904	cmd.exe	w32tm.exe
PID 3904 wrote to memory of 4024	3904	cmd.exe	upfc.exe
PID 3904 wrote to memory of 4024	3904	cmd.exe	upfc.exe
PID 4024 wrote to memory of 1312	4024	upfc.exe	cmd.exe
PID 4024 wrote to memory of 1312	4024	upfc.exe	cmd.exe
PID 1312 wrote to memory of 3152	1312	cmd.exe	w32tm.exe
PID 1312 wrote to memory of 3152	1312	cmd.exe	w32tm.exe
PID 1312 wrote to memory of 2620	1312	cmd.exe	upfc.exe
PID 1312 wrote to memory of 2620	1312	cmd.exe	upfc.exe
PID 2620 wrote to memory of 2164	2620	upfc.exe	cmd.exe
PID 2620 wrote to memory of 2164	2620	upfc.exe	cmd.exe
PID 2164 wrote to memory of 3008	2164	cmd.exe	w32tm.exe
PID 2164 wrote to memory of 3008	2164	cmd.exe	w32tm.exe
PID 2164 wrote to memory of 2540	2164	cmd.exe	upfc.exe
PID 2164 wrote to memory of 2540	2164	cmd.exe	upfc.exe
PID 2540 wrote to memory of 4876	2540	upfc.exe	cmd.exe
PID 2540 wrote to memory of 4876	2540	upfc.exe	cmd.exe
PID 4876 wrote to memory of 1316	4876	cmd.exe	w32tm.exe
PID 4876 wrote to memory of 1316	4876	cmd.exe	w32tm.exe
PID 4876 wrote to memory of 2556	4876	cmd.exe	upfc.exe
PID 4876 wrote to memory of 2556	4876	cmd.exe	upfc.exe
PID 2556 wrote to memory of 2752	2556	upfc.exe	cmd.exe
PID 2556 wrote to memory of 2752	2556	upfc.exe	cmd.exe
PID 4892 wrote to memory of 316	4892	upfc.exe	cmd.exe
PID 4892 wrote to memory of 316	4892	upfc.exe	cmd.exe
PID 316 wrote to memory of 4544	316	cmd.exe	w32tm.exe
PID 316 wrote to memory of 4544	316	cmd.exe	w32tm.exe

C:\Users\Admin\AppData\Local\Temp\dcb42a08958dc9c0ac691ddc9b1d73450fc81bcb0ab8d62dce71b18ca88779e2.exe
"C:\Users\Admin\AppData\Local\Temp\dcb42a08958dc9c0ac691ddc9b1d73450fc81bcb0ab8d62dce71b18ca88779e2.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1464

C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\cmd.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\appcompat\encapsulation\dwm.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dllhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\upfc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oqr1ixJVDD.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:4836

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:4652

C:\providercommon\upfc.exe
"C:\providercommon\upfc.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LEBHQwxRW8.bat"
7⤵
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:3440

C:\providercommon\upfc.exe
"C:\providercommon\upfc.exe"
8⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4356

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HEz7ZQMTyX.bat"
9⤵
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
10⤵
PID:4452

C:\providercommon\upfc.exe
"C:\providercommon\upfc.exe"
10⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat"
11⤵
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
12⤵
PID:3152

C:\providercommon\upfc.exe
"C:\providercommon\upfc.exe"
12⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\asjVMp8zxr.bat"
13⤵
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
14⤵
PID:3008

C:\providercommon\upfc.exe
"C:\providercommon\upfc.exe"
14⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\peQnm3nkJb.bat"
15⤵
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
16⤵
PID:1316

C:\providercommon\upfc.exe
"C:\providercommon\upfc.exe"
16⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z7DRyUOV59.bat"
17⤵
PID:2752

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
18⤵
PID:676

C:\providercommon\upfc.exe
"C:\providercommon\upfc.exe"
18⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GN7B3lpeta.bat"
19⤵
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
20⤵
PID:4544

C:\providercommon\upfc.exe
"C:\providercommon\upfc.exe"
20⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CV35gbisF1.bat"
21⤵
PID:3036

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
22⤵
PID:4708

C:\providercommon\upfc.exe
"C:\providercommon\upfc.exe"
22⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M53DwaTFc6.bat"
23⤵
PID:3164

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
24⤵
PID:4144

C:\providercommon\upfc.exe
"C:\providercommon\upfc.exe"
24⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4852

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\niOj6yjqzp.bat"
25⤵
PID:3608

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
26⤵
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\appcompat\encapsulation\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\appcompat\encapsulation\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\appcompat\encapsulation\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\odt\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\providercommon\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\upfc.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat

Filesize
191B

MD5
cf18c3dc61a5bdb8b5dc79311cba396e

SHA1
95adf53fccbfd0e2cd601f06b528e784ab7c7ef2

SHA256
7e052ee86310e1ef2ea7073920f49830649609a11dc703ffd23086ed00dcd850

SHA512
e191c2306df2d609a2c295fffd81e837f1247e776c8910e4454868442f3c33c13c57941dca4c8b32ea21c36889d626b1a4b1354c32ff552852631916fbc5cfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CV35gbisF1.bat

Filesize
191B

MD5
ea7976b2a9a1dd570d8f617efa22eeca

SHA1
95b89f00cc156bd1f34876d2770eab60160baa40

SHA256
6543fd432c59b0f3473bd0ed8db8610a831d76572fc8ee4469ae13fc79b82c2e

SHA512
e0f78a90e72f688bf3af83cf3ce2a3762f1366624cab09e2f92f8658dbafa4630b7632195513807c4c173f30db645c901db74280ba1e53164996f5ad652d347e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GN7B3lpeta.bat

Filesize
191B

MD5
f4c2009f8384804a7eacfbe7a9c4fc8e

SHA1
136a02ad0af54b106d0b7d3fc751791425f3b5f6

SHA256
77208b9aef991477068735f605381e5aff6151f9ac104e2558729ffb4f2d4f64

SHA512
20a5149c8b6dfbbcdc6374099ee620d9cdfbf206c34a042f9ac8c0dce22b9b300de51dec270446aa19afea485714c22d297808ef79793bd09cafa4d6aa7fb0ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEz7ZQMTyX.bat

Filesize
191B

MD5
0460a276cec7574ef923c945f76c17e2

SHA1
925b3134544c7e05bddbfab88dd03087cefe9f51

SHA256
771772695d58a7b7083b2b102f623ec336c7616d6d9965dd444e8059ff68fb23

SHA512
27f9bc845cc326d5088e48e71d3d386556d354820106b200e3dfc5726aeccf0b219a3b1eaf4bc2fa23bd9239685debc81b878fd36da515541cfef6ccf140bb2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEBHQwxRW8.bat

Filesize
191B

MD5
ee3e821db1933bb937026a057c64d5f3

SHA1
f8590f2a03224742e9958e24d9537c4505eabec4

SHA256
af5ba50b1a5c11858257fd11f2621cfaca68cc0ce22797b7a518c188cf476f9f

SHA512
71fda16f3cd198075252ef4b9b490705eb8e545afbe8e66b1648293b5639f3ef64ff3bcea6077890fcbcc62d5757c94cdbdc5c9fbe1bb546fbdcbbcdf92c2a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\M53DwaTFc6.bat

Filesize
191B

MD5
b5195eee189f256c05dd9d74ae46acb5

SHA1
6ee2dc3ebae69d2e00c818f08865565ab28a6aca

SHA256
4cedd83433ed4a42024ea5afd6b24a3e5e632f4ff99027fb61f3ea40b75072cc

SHA512
95a194e4db40409cdd3420337891dcc4a3896e20751d9ce93cfdd991d406437969c7ec9ce6ddb0e3ceb6c39749b74f179e7f8252e756f38a7fd80c07c606048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\asjVMp8zxr.bat

Filesize
191B

MD5
a3233f55c7fb7af688a404c23aad6ef6

SHA1
e9b1fa35c6fdb9b3567f0a48c1b650d4350eca15

SHA256
7ce6e4e8473cce5da913c68374f19904dcb7e607d7629b7a8635ead799d3bc00

SHA512
deb93c20ca02d73fb655cb26f5914d9ea2effcf9517da2b62763a46ee5f285cd1270735fb8ea61733290ab1a4bfde8e48607f7af45d95a1c741b6800a7c1ae32

Download Submit
C:\Users\Admin\AppData\Local\Temp\niOj6yjqzp.bat

Filesize
191B

MD5
db2bfc1184c8aef462dc9641585c28e7

SHA1
353d9f857310baf84f4a83c63b6c235ba13a9827

SHA256
a9352b17254f2e11d1fc4cf977ba10aeeab45b8eb052598fefa9d28610eaef96

SHA512
7f083799d853f9ec7ec2461da1872ce6e8bb11ccadcefeeac43f5bc2d9986a5847eda5dd3e43e5ea83d95859bae6f4debd28ce39bb2d604be5688b5b5bdedc84

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqr1ixJVDD.bat

Filesize
191B

MD5
861e01d4302688dfe80c6c1521a5145d

SHA1
e2dcd6d0b6227a3cafb40eee98bdae8891b2dbac

SHA256
e5dbbcef9916c31d2fd96b647931626b608dcea9f3747a43ff6fcf6ef7dbb971

SHA512
bb0e5aad720b0bbe51d7c33aada0e1becde23abe24536cb0e68a8ceb95afc3263333bf2c01c4c8ee99433bb53186b52ea3a6aa8b7ca7b9858f257c52bb1eaf72

Download Submit
C:\Users\Admin\AppData\Local\Temp\peQnm3nkJb.bat

Filesize
191B

MD5
77873cd330d35b64ca65bf6e686f0ee3

SHA1
618eaea503b81487d164eae66d74a4a1a92cf49b

SHA256
ddaeb9eb2d8c63c229636417cb4d767a6e833cf090beae07de31e01c718478c4

SHA512
e6c67a22ec00764859653f1a37da46a56c51450c39e93ee234b36f6bcffd0a31333045bd12590c2bafddcc3d81dc79ff3c8235ff494c18c7fa5517823b49921d

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\upfc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\upfc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\upfc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\upfc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\upfc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\upfc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\upfc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\upfc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\upfc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\upfc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\upfc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/316-215-0x0000000000000000-mapping.dmp

Download
memory/1312-190-0x0000000000000000-mapping.dmp

Download
memory/1316-206-0x0000000000000000-mapping.dmp

Download
memory/1460-150-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/1460-136-0x0000000000000000-mapping.dmp

Download
memory/1460-139-0x0000000000060000-0x0000000000170000-memory.dmp

Filesize
1.1MB

Download
memory/1460-140-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/1464-135-0x0000000000000000-mapping.dmp

Download
memory/1832-160-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/1832-154-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/1832-149-0x000001E3F4C20000-0x000001E3F4C42000-memory.dmp

Filesize
136KB

Download
memory/1832-142-0x0000000000000000-mapping.dmp

Download
memory/2136-232-0x00007FFED9450000-0x00007FFED9F11000-memory.dmp

Filesize
10.8MB

Download
memory/2136-226-0x0000000000000000-mapping.dmp

Download
memory/2136-228-0x00007FFED9450000-0x00007FFED9F11000-memory.dmp

Filesize
10.8MB

Download
memory/2164-197-0x0000000000000000-mapping.dmp

Download
memory/2264-239-0x0000000000000000-mapping.dmp

Download
memory/2412-175-0x0000000000000000-mapping.dmp

Download
memory/2540-201-0x0000000000000000-mapping.dmp

Download
memory/2540-168-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/2540-147-0x0000000000000000-mapping.dmp

Download
memory/2540-203-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/2540-207-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/2556-212-0x00007FFED9450000-0x00007FFED9F11000-memory.dmp

Filesize
10.8MB

Download
memory/2556-210-0x00007FFED9450000-0x00007FFED9F11000-memory.dmp

Filesize
10.8MB

Download
memory/2556-208-0x0000000000000000-mapping.dmp

Download
memory/2620-200-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/2620-194-0x0000000000000000-mapping.dmp

Download
memory/2620-196-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/2684-162-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/2684-146-0x0000000000000000-mapping.dmp

Download
memory/2752-211-0x0000000000000000-mapping.dmp

Download
memory/3008-199-0x0000000000000000-mapping.dmp

Download
memory/3036-222-0x0000000000000000-mapping.dmp

Download
memory/3152-192-0x0000000000000000-mapping.dmp

Download
memory/3164-229-0x0000000000000000-mapping.dmp

Download
memory/3440-177-0x0000000000000000-mapping.dmp

Download
memory/3608-236-0x0000000000000000-mapping.dmp

Download
memory/3708-153-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/3708-164-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/3708-141-0x0000000000000000-mapping.dmp

Download
memory/3812-173-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/3812-143-0x0000000000000000-mapping.dmp

Download
memory/3812-161-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/3904-183-0x0000000000000000-mapping.dmp

Download
memory/3932-225-0x00007FFED9450000-0x00007FFED9F11000-memory.dmp

Filesize
10.8MB

Download
memory/3932-221-0x00007FFED9450000-0x00007FFED9F11000-memory.dmp

Filesize
10.8MB

Download
memory/3932-219-0x0000000000000000-mapping.dmp

Download
memory/3948-178-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/3948-169-0x0000000000000000-mapping.dmp

Download
memory/3948-172-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/4000-167-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/4000-174-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/4000-145-0x0000000000000000-mapping.dmp

Download
memory/4024-189-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/4024-187-0x0000000000000000-mapping.dmp

Download
memory/4024-193-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/4144-231-0x0000000000000000-mapping.dmp

Download
memory/4356-179-0x0000000000000000-mapping.dmp

Download
memory/4356-182-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/4356-186-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download
memory/4372-132-0x0000000000000000-mapping.dmp

Download
memory/4452-185-0x0000000000000000-mapping.dmp

Download
memory/4544-217-0x0000000000000000-mapping.dmp

Download
memory/4652-152-0x0000000000000000-mapping.dmp

Download
memory/4708-224-0x0000000000000000-mapping.dmp

Download
memory/4836-148-0x0000000000000000-mapping.dmp

Download
memory/4852-233-0x0000000000000000-mapping.dmp

Download
memory/4852-235-0x00007FFED9450000-0x00007FFED9F11000-memory.dmp

Filesize
10.8MB

Download
memory/4852-237-0x00007FFED9450000-0x00007FFED9F11000-memory.dmp

Filesize
10.8MB

Download
memory/4876-204-0x0000000000000000-mapping.dmp

Download
memory/4892-218-0x00007FFED9450000-0x00007FFED9F11000-memory.dmp

Filesize
10.8MB

Download
memory/4892-214-0x00007FFED9450000-0x00007FFED9F11000-memory.dmp

Filesize
10.8MB

Download
memory/4968-144-0x0000000000000000-mapping.dmp

Download
memory/4968-163-0x00007FFED9270000-0x00007FFED9D31000-memory.dmp

Filesize
10.8MB

Download