dcrat | e588a518fdb3b52492271e640b298f468a1f419cbf5566323e9f9e150f0c9804

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2023 15:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e588a518fdb3b52492271e640b298f468a1f419cbf5566323e9f9e150f0c9804.exe
Size

1.3MB
MD5

446cac721e72e0dea4b35c54bb8300ed
SHA1

c8a770346c7ac83b5622914d4c71f70fd08f27d9
SHA256

e588a518fdb3b52492271e640b298f468a1f419cbf5566323e9f9e150f0c9804
SHA512

046f6f965563d7c195185579c038cc1dc376787d36e581ae53c550f1135e230c210029e36b333dc477aab907bb8fbc0f042b312833acccf645d7bd15ad20f3fb
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	4468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	4468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	4468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	4468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	4468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	4468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	4468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	4468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	4468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	4468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	4468	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	4468	schtasks.exe

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral1/memory/4272-139-0x00000000002F0000-0x0000000000400000-memory.dmp	dcrat
C:\providercommon\spoolsv.exe	dcrat
C:\providercommon\spoolsv.exe	dcrat
C:\providercommon\spoolsv.exe	dcrat
C:\providercommon\spoolsv.exe	dcrat
C:\providercommon\spoolsv.exe	dcrat
C:\providercommon\spoolsv.exe	dcrat
C:\providercommon\spoolsv.exe	dcrat
C:\providercommon\spoolsv.exe	dcrat
C:\providercommon\spoolsv.exe	dcrat
C:\providercommon\spoolsv.exe	dcrat
C:\providercommon\spoolsv.exe	dcrat
C:\providercommon\spoolsv.exe	dcrat

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

spoolsv.exespoolsv.exespoolsv.exeDllCommonsvc.exespoolsv.exespoolsv.exespoolsv.exee588a518fdb3b52492271e640b298f468a1f419cbf5566323e9f9e150f0c9804.exespoolsv.exespoolsv.exeWScript.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	e588a518fdb3b52492271e640b298f468a1f419cbf5566323e9f9e150f0c9804.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	spoolsv.exe

Executes dropped EXE 12 IoCs

Processes:

DllCommonsvc.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
4272	DllCommonsvc.exe
804	spoolsv.exe
2444	spoolsv.exe
4764	spoolsv.exe
1944	spoolsv.exe
1064	spoolsv.exe
1628	spoolsv.exe
3136	spoolsv.exe
2176	spoolsv.exe
2016	spoolsv.exe
2628	spoolsv.exe
3784	spoolsv.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
5080	schtasks.exe
744	schtasks.exe
636	schtasks.exe
664	schtasks.exe
4964	schtasks.exe
2652	schtasks.exe
2600	schtasks.exe
768	schtasks.exe
800	schtasks.exe
3988	schtasks.exe
1336	schtasks.exe
2988	schtasks.exe

Modifies registry class 13 IoCs

Processes:

e588a518fdb3b52492271e640b298f468a1f419cbf5566323e9f9e150f0c9804.exespoolsv.exespoolsv.exespoolsv.exeDllCommonsvc.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	e588a518fdb3b52492271e640b298f468a1f419cbf5566323e9f9e150f0c9804.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
4272	DllCommonsvc.exe
4620	powershell.exe
2596	powershell.exe
4756	powershell.exe
3524	powershell.exe
364	powershell.exe
4620	powershell.exe
4756	powershell.exe
364	powershell.exe
2596	powershell.exe
3524	powershell.exe
804	spoolsv.exe
2444	spoolsv.exe
4764	spoolsv.exe
1944	spoolsv.exe
1064	spoolsv.exe
1628	spoolsv.exe
3136	spoolsv.exe
2176	spoolsv.exe
2016	spoolsv.exe
2628	spoolsv.exe
3784	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	4272	DllCommonsvc.exe
Token: SeDebugPrivilege	4620	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	4756	powershell.exe
Token: SeDebugPrivilege	3524	powershell.exe
Token: SeDebugPrivilege	364	powershell.exe
Token: SeDebugPrivilege	804	spoolsv.exe
Token: SeDebugPrivilege	2444	spoolsv.exe
Token: SeDebugPrivilege	4764	spoolsv.exe
Token: SeDebugPrivilege	1944	spoolsv.exe
Token: SeDebugPrivilege	1064	spoolsv.exe
Token: SeDebugPrivilege	1628	spoolsv.exe
Token: SeDebugPrivilege	3136	spoolsv.exe
Token: SeDebugPrivilege	2176	spoolsv.exe
Token: SeDebugPrivilege	2016	spoolsv.exe
Token: SeDebugPrivilege	2628	spoolsv.exe
Token: SeDebugPrivilege	3784	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e588a518fdb3b52492271e640b298f468a1f419cbf5566323e9f9e150f0c9804.exeWScript.execmd.exeDllCommonsvc.execmd.exespoolsv.execmd.exespoolsv.execmd.exespoolsv.execmd.exespoolsv.execmd.exespoolsv.execmd.exespoolsv.execmd.exespoolsv.execmd.exe

description	pid	process	target process
PID 5084 wrote to memory of 4240	5084	e588a518fdb3b52492271e640b298f468a1f419cbf5566323e9f9e150f0c9804.exe	WScript.exe
PID 5084 wrote to memory of 4240	5084	e588a518fdb3b52492271e640b298f468a1f419cbf5566323e9f9e150f0c9804.exe	WScript.exe
PID 5084 wrote to memory of 4240	5084	e588a518fdb3b52492271e640b298f468a1f419cbf5566323e9f9e150f0c9804.exe	WScript.exe
PID 4240 wrote to memory of 4084	4240	WScript.exe	cmd.exe
PID 4240 wrote to memory of 4084	4240	WScript.exe	cmd.exe
PID 4240 wrote to memory of 4084	4240	WScript.exe	cmd.exe
PID 4084 wrote to memory of 4272	4084	cmd.exe	DllCommonsvc.exe
PID 4084 wrote to memory of 4272	4084	cmd.exe	DllCommonsvc.exe
PID 4272 wrote to memory of 4620	4272	DllCommonsvc.exe	powershell.exe
PID 4272 wrote to memory of 4620	4272	DllCommonsvc.exe	powershell.exe
PID 4272 wrote to memory of 364	4272	DllCommonsvc.exe	powershell.exe
PID 4272 wrote to memory of 364	4272	DllCommonsvc.exe	powershell.exe
PID 4272 wrote to memory of 2596	4272	DllCommonsvc.exe	powershell.exe
PID 4272 wrote to memory of 2596	4272	DllCommonsvc.exe	powershell.exe
PID 4272 wrote to memory of 3524	4272	DllCommonsvc.exe	powershell.exe
PID 4272 wrote to memory of 3524	4272	DllCommonsvc.exe	powershell.exe
PID 4272 wrote to memory of 4756	4272	DllCommonsvc.exe	powershell.exe
PID 4272 wrote to memory of 4756	4272	DllCommonsvc.exe	powershell.exe
PID 4272 wrote to memory of 2828	4272	DllCommonsvc.exe	cmd.exe
PID 4272 wrote to memory of 2828	4272	DllCommonsvc.exe	cmd.exe
PID 2828 wrote to memory of 4436	2828	cmd.exe	w32tm.exe
PID 2828 wrote to memory of 4436	2828	cmd.exe	w32tm.exe
PID 2828 wrote to memory of 804	2828	cmd.exe	spoolsv.exe
PID 2828 wrote to memory of 804	2828	cmd.exe	spoolsv.exe
PID 804 wrote to memory of 2016	804	spoolsv.exe	cmd.exe
PID 804 wrote to memory of 2016	804	spoolsv.exe	cmd.exe
PID 2016 wrote to memory of 4388	2016	cmd.exe	w32tm.exe
PID 2016 wrote to memory of 4388	2016	cmd.exe	w32tm.exe
PID 2016 wrote to memory of 2444	2016	cmd.exe	spoolsv.exe
PID 2016 wrote to memory of 2444	2016	cmd.exe	spoolsv.exe
PID 2444 wrote to memory of 4984	2444	spoolsv.exe	cmd.exe
PID 2444 wrote to memory of 4984	2444	spoolsv.exe	cmd.exe
PID 4984 wrote to memory of 2304	4984	cmd.exe	w32tm.exe
PID 4984 wrote to memory of 2304	4984	cmd.exe	w32tm.exe
PID 4984 wrote to memory of 4764	4984	cmd.exe	spoolsv.exe
PID 4984 wrote to memory of 4764	4984	cmd.exe	spoolsv.exe
PID 4764 wrote to memory of 2600	4764	spoolsv.exe	cmd.exe
PID 4764 wrote to memory of 2600	4764	spoolsv.exe	cmd.exe
PID 2600 wrote to memory of 2468	2600	cmd.exe	w32tm.exe
PID 2600 wrote to memory of 2468	2600	cmd.exe	w32tm.exe
PID 2600 wrote to memory of 1944	2600	cmd.exe	spoolsv.exe
PID 2600 wrote to memory of 1944	2600	cmd.exe	spoolsv.exe
PID 1944 wrote to memory of 3640	1944	spoolsv.exe	cmd.exe
PID 1944 wrote to memory of 3640	1944	spoolsv.exe	cmd.exe
PID 3640 wrote to memory of 2688	3640	cmd.exe	w32tm.exe
PID 3640 wrote to memory of 2688	3640	cmd.exe	w32tm.exe
PID 3640 wrote to memory of 1064	3640	cmd.exe	spoolsv.exe
PID 3640 wrote to memory of 1064	3640	cmd.exe	spoolsv.exe
PID 1064 wrote to memory of 2324	1064	spoolsv.exe	cmd.exe
PID 1064 wrote to memory of 2324	1064	spoolsv.exe	cmd.exe
PID 2324 wrote to memory of 3556	2324	cmd.exe	w32tm.exe
PID 2324 wrote to memory of 3556	2324	cmd.exe	w32tm.exe
PID 2324 wrote to memory of 1628	2324	cmd.exe	spoolsv.exe
PID 2324 wrote to memory of 1628	2324	cmd.exe	spoolsv.exe
PID 1628 wrote to memory of 4756	1628	spoolsv.exe	cmd.exe
PID 1628 wrote to memory of 4756	1628	spoolsv.exe	cmd.exe
PID 4756 wrote to memory of 1836	4756	cmd.exe	w32tm.exe
PID 4756 wrote to memory of 1836	4756	cmd.exe	w32tm.exe
PID 4756 wrote to memory of 3136	4756	cmd.exe	spoolsv.exe
PID 4756 wrote to memory of 3136	4756	cmd.exe	spoolsv.exe
PID 3136 wrote to memory of 4872	3136	spoolsv.exe	cmd.exe
PID 3136 wrote to memory of 4872	3136	spoolsv.exe	cmd.exe
PID 4872 wrote to memory of 3736	4872	cmd.exe	w32tm.exe
PID 4872 wrote to memory of 3736	4872	cmd.exe	w32tm.exe

C:\Users\Admin\AppData\Local\Temp\e588a518fdb3b52492271e640b298f468a1f419cbf5566323e9f9e150f0c9804.exe
"C:\Users\Admin\AppData\Local\Temp\e588a518fdb3b52492271e640b298f468a1f419cbf5566323e9f9e150f0c9804.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5084

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4084

C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dllhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\SearchApp.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\upfc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pNyO1ywJfX.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:4436

C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kvUluF99a5.bat"
7⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:4388

C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\asjVMp8zxr.bat"
9⤵
- Suspicious use of WriteProcessMemory
PID:4984

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
10⤵
PID:2304

C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4764

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mrWoaKD2ur.bat"
11⤵
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
12⤵
PID:2468

C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rjauxUKpXQ.bat"
13⤵
- Suspicious use of WriteProcessMemory
PID:3640

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
14⤵
PID:2688

C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jkzlbVqk90.bat"
15⤵
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
16⤵
PID:3556

C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FBcCl1WGSV.bat"
17⤵
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
18⤵
PID:1836

C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3136

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BDCDGXc9ch.bat"
19⤵
- Suspicious use of WriteProcessMemory
PID:4872

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
20⤵
PID:3736

C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rjauxUKpXQ.bat"
21⤵
PID:2592

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
22⤵
PID:4752

C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
22⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat"
23⤵
PID:4028

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
24⤵
PID:4880

C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
24⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IJ9EkrtYDM.bat"
25⤵
PID:4588

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
26⤵
PID:4348

C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3784

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NADK710Kqv.bat"
27⤵
PID:3772

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
28⤵
PID:3848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\odt\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\providercommon\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\odt\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\odt\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat

Filesize
194B

MD5
61c474ec6e93b4c14198aabd915bd133

SHA1
2609fe203a256c1da840091db09054094b19b98f

SHA256
32cd4f16fbadbf488668b646a2877ed26bbb7b4a78511ae3d4437e4bd5ad92f1

SHA512
ab0c4f6ae2e43714f83020816f27994734ee7325ef8ef83fd1c98dbe61c6e00800bce7636ed925b1520c72a497e2ea425a7c9e0bfc45cb7f7102e4d3a0c26fca

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDCDGXc9ch.bat

Filesize
194B

MD5
860570f28d0d2ec2da202192f35dfb85

SHA1
870771f0cbdfdbc3b4f0ac965606f275e9f12642

SHA256
817b606fb2a4a52e9c2f27b162719376b5b85a9cf2aa2d551a074c422609edb4

SHA512
7bb62c74613e03a6df22af1c4047ee9ecdfaa67086b23126519a11a71b1d26b7c91ad377888dd2d430d0dc0e84b5b3386db126d352c76db63c70e542057ecbd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBcCl1WGSV.bat

Filesize
194B

MD5
1584b1c2ef32a0777c281b9638ee3488

SHA1
d008140514508f3a6f1731ae2e152334a47d79c6

SHA256
c0561e6c3336a9061973db68c445bd2847fe111504b06f3c023b2f4a83a787f2

SHA512
69e404c798a7e8d7b71015fbb2d42db013c39e4fd3dec158d2734044b1365e9d1fbbb5d06e221403d8efe7f9fd56999fe26996f199aeb6c55314a3cda3363894

Download Submit
C:\Users\Admin\AppData\Local\Temp\IJ9EkrtYDM.bat

Filesize
194B

MD5
cd259752eee6a6706ed0a339c14709ee

SHA1
b53c847c18c439cc1a29ebe1dd58e89ca1855c32

SHA256
f4e804406e36586ea50ec0541f37febe4713d79abbb35fbd86ec54dee8bec644

SHA512
9dee119fbf425827cbd4d6da3725facc99d1d80d625f21f037d6593442f9be2219a3bab25100976e498d9c885bab37170c90ac001cd62c24afc230c21aef55af

Download Submit
C:\Users\Admin\AppData\Local\Temp\NADK710Kqv.bat

Filesize
194B

MD5
283cc4f5c6f1e8d99f3de4fb969ca371

SHA1
47533085053b2e479b4ccef333687c1ef24e2162

SHA256
4929183e74769499e9da8d3b7d094d9a5fb08e0fe78a2b9bd88b13bb8b46b181

SHA512
ff26f5979287949c832633a78d0da4933d56e6a06b3a56cbb3d5a2c55121e3b3784d310b9ffb872b07e4e1698a03b88af5a8be913fb17d6330212020e7c91c19

Download Submit
C:\Users\Admin\AppData\Local\Temp\asjVMp8zxr.bat

Filesize
194B

MD5
eb9f336b3d4cf897e803a46bce02041c

SHA1
dc3624d72cf890b14442ef28f57dde0c8b3c2cb9

SHA256
53e36455e2f073c03e71d9a7d746a7b355599fe0937bec8a497807f053609742

SHA512
d56e3f3b7938de3172984a54a6f9241d8eb7246dae353de1914f3c6c0d6db035fdcc6714d676899de8ec3be879acfa0c3d5c5be8a984603e775f57295cf09406

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkzlbVqk90.bat

Filesize
194B

MD5
0459c8c589c33396b45579e409be3087

SHA1
fbff609974eeaadca3501435af69e2b08a17ff8d

SHA256
0b2c1f1601ee482e382a1cd31baf378ac31e485bbe91014c6db39028c9302cb0

SHA512
9f8b6a1bc8a294136016bb56fd66c2aa2e490cf06ca4705d58b7665cf5e2d77ffe2ad6d806ab184bbf348826416d904f6ad3aa4af34dbfdea09bd75e26b37107

Download Submit
C:\Users\Admin\AppData\Local\Temp\kvUluF99a5.bat

Filesize
194B

MD5
780d8403fff604e64f3a6e768af4fdab

SHA1
d58923a0c405edab31db37f1eed79f2fdd46b932

SHA256
22f551e2dd5ca2b4532b8620641e53e326d5f175d4a42d56e361277cbca79495

SHA512
9aee7e4fc09ba896e688de6498b800e1f18eeb1ef8613603f9ae6b0cf917550ca71572dff8a6f2284eb7e121d379724cff987e591bee89b426761a71adc605b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrWoaKD2ur.bat

Filesize
194B

MD5
cf83e7dd8455048bc516dbda5bc0867f

SHA1
94f2fd8c5098e14bc2fc53b5d5eae73e50cd704f

SHA256
ccf8b1f0d001a7fe421be006b5308b33a8bf656491c61dc4a9d047716935344a

SHA512
57c1c0cb92456eaafc71a0ac1fac556f4ec2c13c6a304efe392e6dd714ccdc05ed80577af1a99961f762037f93946ae3add22955682ddc2d0cd701d761948cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\pNyO1ywJfX.bat

Filesize
194B

MD5
3f0deabd1179e66845a99c8e43a6572f

SHA1
dc39f462df9c586b87a1efd66c2c10812f9361bc

SHA256
9550ccd423843fe884f38a3bc139aba05961ce5e22c95ec6414cdf4b9b2e4088

SHA512
1177379cc571a0dd17a114f124e2076670f0f9db2254c56e318919a76de2e70575ff635c4e8b2f9c54f2373ca918a871634816ce98ff96d3af9aa2987129bafe

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjauxUKpXQ.bat

Filesize
194B

MD5
0da0566e6ef9d7c19391035c504d59a7

SHA1
d70546f624856c125c6f9533401d3ac2c8d0af9d

SHA256
1ed7c9da97045180fcbc837444e878cf649c02e5db221289e2fb132d44d70aff

SHA512
755286f655fae1134fdfcd9fcda19d011f5336ab004d1bd76dff2089bdc1848ec7abdd6a7520712e7446eb953cc2d8148c7b5547842b7b2f762ccb4482f32d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjauxUKpXQ.bat

Filesize
194B

MD5
0da0566e6ef9d7c19391035c504d59a7

SHA1
d70546f624856c125c6f9533401d3ac2c8d0af9d

SHA256
1ed7c9da97045180fcbc837444e878cf649c02e5db221289e2fb132d44d70aff

SHA512
755286f655fae1134fdfcd9fcda19d011f5336ab004d1bd76dff2089bdc1848ec7abdd6a7520712e7446eb953cc2d8148c7b5547842b7b2f762ccb4482f32d8b

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/364-160-0x00007FF9CD6C0000-0x00007FF9CE181000-memory.dmp

Filesize
10.8MB

Download
memory/364-142-0x0000000000000000-mapping.dmp

Download
memory/804-172-0x00007FF9CD6C0000-0x00007FF9CE181000-memory.dmp

Filesize
10.8MB

Download
memory/804-168-0x00007FF9CD6C0000-0x00007FF9CE181000-memory.dmp

Filesize
10.8MB

Download
memory/804-165-0x0000000000000000-mapping.dmp

Download
memory/804-173-0x00007FF9CD6C0000-0x00007FF9CE181000-memory.dmp

Filesize
10.8MB

Download
memory/1064-196-0x0000000000000000-mapping.dmp

Download
memory/1064-200-0x00007FF9CD6C0000-0x00007FF9CE181000-memory.dmp

Filesize
10.8MB

Download
memory/1064-198-0x00007FF9CD6C0000-0x00007FF9CE181000-memory.dmp

Filesize
10.8MB

Download
memory/1628-203-0x0000000000000000-mapping.dmp

Download
memory/1628-205-0x00007FF9CD6C0000-0x00007FF9CE181000-memory.dmp

Filesize
10.8MB

Download
memory/1628-209-0x00007FF9CD6C0000-0x00007FF9CE181000-memory.dmp

Filesize
10.8MB

Download
memory/1836-208-0x0000000000000000-mapping.dmp

Download
memory/1944-195-0x00007FF9CD6C0000-0x00007FF9CE181000-memory.dmp

Filesize
10.8MB

Download
memory/1944-191-0x00007FF9CD6C0000-0x00007FF9CE181000-memory.dmp

Filesize
10.8MB

Download
memory/1944-189-0x0000000000000000-mapping.dmp

Download
memory/2016-169-0x0000000000000000-mapping.dmp

Download
memory/2016-224-0x0000000000000000-mapping.dmp

Download
memory/2016-226-0x00007FF9CD6C0000-0x00007FF9CE181000-memory.dmp

Filesize
10.8MB

Download
memory/2016-230-0x00007FF9CD6C0000-0x00007FF9CE181000-memory.dmp

Filesize
10.8MB

Download
memory/2176-217-0x0000000000000000-mapping.dmp

Download
memory/2176-219-0x00007FF9CD6C0000-0x00007FF9CE181000-memory.dmp

Filesize
10.8MB

Download
memory/2176-223-0x00007FF9CD6C0000-0x00007FF9CE181000-memory.dmp

Filesize
10.8MB

Download
memory/2304-180-0x0000000000000000-mapping.dmp

Download
memory/2324-199-0x0000000000000000-mapping.dmp

Download
memory/2444-181-0x00007FF9CD6C0000-0x00007FF9CE181000-memory.dmp

Filesize
10.8MB

Download
memory/2444-177-0x00007FF9CD6C0000-0x00007FF9CE181000-memory.dmp

Filesize
10.8MB

Download
memory/2444-174-0x0000000000000000-mapping.dmp

Download
memory/2468-187-0x0000000000000000-mapping.dmp

Download
memory/2592-220-0x0000000000000000-mapping.dmp

Download
memory/2596-147-0x00007FF9CD6C0000-0x00007FF9CE181000-memory.dmp

Filesize
10.8MB

Download
memory/2596-143-0x0000000000000000-mapping.dmp

Download
memory/2596-159-0x00007FF9CD6C0000-0x00007FF9CE181000-memory.dmp

Filesize
10.8MB

Download
memory/2600-185-0x0000000000000000-mapping.dmp

Download
memory/2628-237-0x00007FF9CD6C0000-0x00007FF9CE181000-memory.dmp

Filesize
10.8MB

Download
memory/2628-233-0x00007FF9CD6C0000-0x00007FF9CE181000-memory.dmp

Filesize
10.8MB

Download
memory/2628-231-0x0000000000000000-mapping.dmp

Download
memory/2688-194-0x0000000000000000-mapping.dmp

Download
memory/2828-150-0x0000000000000000-mapping.dmp

Download
memory/3136-216-0x00007FF9CD6C0000-0x00007FF9CE181000-memory.dmp

Filesize
10.8MB

Download
memory/3136-212-0x00007FF9CD6C0000-0x00007FF9CE181000-memory.dmp

Filesize
10.8MB

Download
memory/3136-210-0x0000000000000000-mapping.dmp

Download
memory/3524-164-0x00007FF9CD6C0000-0x00007FF9CE181000-memory.dmp

Filesize
10.8MB

Download
memory/3524-144-0x0000000000000000-mapping.dmp

Download
memory/3524-148-0x00007FF9CD6C0000-0x00007FF9CE181000-memory.dmp

Filesize
10.8MB

Download
memory/3556-202-0x0000000000000000-mapping.dmp

Download
memory/3640-192-0x0000000000000000-mapping.dmp

Download
memory/3736-215-0x0000000000000000-mapping.dmp

Download
memory/3772-241-0x0000000000000000-mapping.dmp

Download
memory/3784-238-0x0000000000000000-mapping.dmp

Download
memory/3784-244-0x00007FF9CDF60000-0x00007FF9CEA21000-memory.dmp

Filesize
10.8MB

Download
memory/3784-240-0x00007FF9CDF60000-0x00007FF9CEA21000-memory.dmp

Filesize
10.8MB

Download
memory/3848-243-0x0000000000000000-mapping.dmp

Download
memory/4028-227-0x0000000000000000-mapping.dmp

Download
memory/4084-135-0x0000000000000000-mapping.dmp

Download
memory/4240-132-0x0000000000000000-mapping.dmp

Download
memory/4272-136-0x0000000000000000-mapping.dmp

Download
memory/4272-140-0x00007FF9CD6C0000-0x00007FF9CE181000-memory.dmp

Filesize
10.8MB

Download
memory/4272-139-0x00000000002F0000-0x0000000000400000-memory.dmp

Filesize
1.1MB

Download
memory/4272-152-0x00007FF9CD6C0000-0x00007FF9CE181000-memory.dmp

Filesize
10.8MB

Download
memory/4348-236-0x0000000000000000-mapping.dmp

Download
memory/4388-171-0x0000000000000000-mapping.dmp

Download
memory/4436-154-0x0000000000000000-mapping.dmp

Download
memory/4588-234-0x0000000000000000-mapping.dmp

Download
memory/4620-161-0x00007FF9CD6C0000-0x00007FF9CE181000-memory.dmp

Filesize
10.8MB

Download
memory/4620-141-0x0000000000000000-mapping.dmp

Download
memory/4620-149-0x000001EFC9C60000-0x000001EFC9C82000-memory.dmp

Filesize
136KB

Download
memory/4620-146-0x00007FF9CD6C0000-0x00007FF9CE181000-memory.dmp

Filesize
10.8MB

Download
memory/4752-222-0x0000000000000000-mapping.dmp

Download
memory/4756-206-0x0000000000000000-mapping.dmp

Download
memory/4756-145-0x0000000000000000-mapping.dmp

Download
memory/4756-151-0x00007FF9CD6C0000-0x00007FF9CE181000-memory.dmp

Filesize
10.8MB

Download
memory/4756-162-0x00007FF9CD6C0000-0x00007FF9CE181000-memory.dmp

Filesize
10.8MB

Download
memory/4764-188-0x00007FF9CD6C0000-0x00007FF9CE181000-memory.dmp

Filesize
10.8MB

Download
memory/4764-182-0x0000000000000000-mapping.dmp

Download
memory/4764-184-0x00007FF9CD6C0000-0x00007FF9CE181000-memory.dmp

Filesize
10.8MB

Download
memory/4872-213-0x0000000000000000-mapping.dmp

Download
memory/4880-229-0x0000000000000000-mapping.dmp

Download
memory/4984-178-0x0000000000000000-mapping.dmp

Download