dcrat | c994fc5bd1c3b7fee448afd3ed85e85141d57febc9f25d43c23ae2bc5744db78

Analysis

max time kernel
150s
max time network
152s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
02/11/2022, 03:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c994fc5bd1c3b7fee448afd3ed85e85141d57febc9f25d43c23ae2bc5744db78.exe
Size

1.3MB
MD5

032fd8766cb2ca7853ec975b1d30fa2b
SHA1

c2c30479ca22d458a2ce282d8c106e5ab43807dd
SHA256

c994fc5bd1c3b7fee448afd3ed85e85141d57febc9f25d43c23ae2bc5744db78
SHA512

72dcea535b7230310de761f8a02696ec54e2108a41d15eb5d40626c55953867171862ebec49e57abcac67d893f714468551ba7d89ec03ab439e5d8e7a51ef232
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3592	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3092	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3252	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4224	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	4092	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	364	4092	schtasks.exe	70

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000900000001ac10-279.dat	dcrat
behavioral1/files/0x000900000001ac10-280.dat	dcrat
behavioral1/memory/2260-281-0x0000000000EA0000-0x0000000000FB0000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac19-551.dat	dcrat
behavioral1/files/0x000600000001ac19-550.dat	dcrat
behavioral1/files/0x000600000001ac19-578.dat	dcrat
behavioral1/files/0x000600000001ac19-584.dat	dcrat
behavioral1/files/0x000600000001ac19-589.dat	dcrat
behavioral1/files/0x000600000001ac19-595.dat	dcrat
behavioral1/files/0x000600000001ac19-600.dat	dcrat
behavioral1/files/0x000600000001ac19-606.dat	dcrat
behavioral1/files/0x000600000001ac19-611.dat	dcrat
behavioral1/files/0x000600000001ac19-616.dat	dcrat
behavioral1/files/0x000600000001ac19-621.dat	dcrat
behavioral1/files/0x000600000001ac19-626.dat	dcrat

Executes dropped EXE 12 IoCs

pid	Process
2260	DllCommonsvc.exe
4424	sppsvc.exe
1776	sppsvc.exe
2644	sppsvc.exe
3152	sppsvc.exe
2684	sppsvc.exe
2148	sppsvc.exe
1412	sppsvc.exe
4064	sppsvc.exe
2056	sppsvc.exe
4892	sppsvc.exe
4628	sppsvc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\0a1fd5f707cd16	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4632	schtasks.exe
2504	schtasks.exe
4556	schtasks.exe
2980	schtasks.exe
4516	schtasks.exe
4224	schtasks.exe
4580	schtasks.exe
364	schtasks.exe
4456	schtasks.exe
4432	schtasks.exe
5056	schtasks.exe
4964	schtasks.exe
5080	schtasks.exe
3220	schtasks.exe
4636	schtasks.exe
3252	schtasks.exe
856	schtasks.exe
3592	schtasks.exe
3092	schtasks.exe
4508	schtasks.exe
4504	schtasks.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	c994fc5bd1c3b7fee448afd3ed85e85141d57febc9f25d43c23ae2bc5744db78.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	DllCommonsvc.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2260	DllCommonsvc.exe
2260	DllCommonsvc.exe
2260	DllCommonsvc.exe
1060	powershell.exe
1048	powershell.exe
1412	powershell.exe
372	powershell.exe
1060	powershell.exe
860	powershell.exe
1412	powershell.exe
1164	powershell.exe
3276	powershell.exe
96	powershell.exe
860	powershell.exe
96	powershell.exe
3276	powershell.exe
1048	powershell.exe
372	powershell.exe
1164	powershell.exe
1412	powershell.exe
1060	powershell.exe
860	powershell.exe
96	powershell.exe
3276	powershell.exe
1048	powershell.exe
372	powershell.exe
1164	powershell.exe
4424	sppsvc.exe
1776	sppsvc.exe
2644	sppsvc.exe
3152	sppsvc.exe
2684	sppsvc.exe
2148	sppsvc.exe
1412	sppsvc.exe
4064	sppsvc.exe
2056	sppsvc.exe
4892	sppsvc.exe
4628	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2260	DllCommonsvc.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	372	powershell.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	3276	powershell.exe
Token: SeDebugPrivilege	96	powershell.exe
Token: SeIncreaseQuotaPrivilege	1060	powershell.exe
Token: SeSecurityPrivilege	1060	powershell.exe
Token: SeTakeOwnershipPrivilege	1060	powershell.exe
Token: SeLoadDriverPrivilege	1060	powershell.exe
Token: SeSystemProfilePrivilege	1060	powershell.exe
Token: SeSystemtimePrivilege	1060	powershell.exe
Token: SeProfSingleProcessPrivilege	1060	powershell.exe
Token: SeIncBasePriorityPrivilege	1060	powershell.exe
Token: SeCreatePagefilePrivilege	1060	powershell.exe
Token: SeBackupPrivilege	1060	powershell.exe
Token: SeRestorePrivilege	1060	powershell.exe
Token: SeShutdownPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeSystemEnvironmentPrivilege	1060	powershell.exe
Token: SeRemoteShutdownPrivilege	1060	powershell.exe
Token: SeUndockPrivilege	1060	powershell.exe
Token: SeManageVolumePrivilege	1060	powershell.exe
Token: 33	1060	powershell.exe
Token: 34	1060	powershell.exe
Token: 35	1060	powershell.exe
Token: 36	1060	powershell.exe
Token: SeIncreaseQuotaPrivilege	1412	powershell.exe
Token: SeSecurityPrivilege	1412	powershell.exe
Token: SeTakeOwnershipPrivilege	1412	powershell.exe
Token: SeLoadDriverPrivilege	1412	powershell.exe
Token: SeSystemProfilePrivilege	1412	powershell.exe
Token: SeSystemtimePrivilege	1412	powershell.exe
Token: SeProfSingleProcessPrivilege	1412	powershell.exe
Token: SeIncBasePriorityPrivilege	1412	powershell.exe
Token: SeCreatePagefilePrivilege	1412	powershell.exe
Token: SeBackupPrivilege	1412	powershell.exe
Token: SeRestorePrivilege	1412	powershell.exe
Token: SeShutdownPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeSystemEnvironmentPrivilege	1412	powershell.exe
Token: SeRemoteShutdownPrivilege	1412	powershell.exe
Token: SeUndockPrivilege	1412	powershell.exe
Token: SeManageVolumePrivilege	1412	powershell.exe
Token: 33	1412	powershell.exe
Token: 34	1412	powershell.exe
Token: 35	1412	powershell.exe
Token: 36	1412	powershell.exe
Token: SeIncreaseQuotaPrivilege	860	powershell.exe
Token: SeSecurityPrivilege	860	powershell.exe
Token: SeTakeOwnershipPrivilege	860	powershell.exe
Token: SeLoadDriverPrivilege	860	powershell.exe
Token: SeSystemProfilePrivilege	860	powershell.exe
Token: SeSystemtimePrivilege	860	powershell.exe
Token: SeProfSingleProcessPrivilege	860	powershell.exe
Token: SeIncBasePriorityPrivilege	860	powershell.exe
Token: SeCreatePagefilePrivilege	860	powershell.exe
Token: SeBackupPrivilege	860	powershell.exe
Token: SeRestorePrivilege	860	powershell.exe
Token: SeShutdownPrivilege	860	powershell.exe
Token: SeDebugPrivilege	860	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2344	3004	c994fc5bd1c3b7fee448afd3ed85e85141d57febc9f25d43c23ae2bc5744db78.exe	66
PID 3004 wrote to memory of 2344	3004	c994fc5bd1c3b7fee448afd3ed85e85141d57febc9f25d43c23ae2bc5744db78.exe	66
PID 3004 wrote to memory of 2344	3004	c994fc5bd1c3b7fee448afd3ed85e85141d57febc9f25d43c23ae2bc5744db78.exe	66
PID 2344 wrote to memory of 3976	2344	WScript.exe	67
PID 2344 wrote to memory of 3976	2344	WScript.exe	67
PID 2344 wrote to memory of 3976	2344	WScript.exe	67
PID 3976 wrote to memory of 2260	3976	cmd.exe	69
PID 3976 wrote to memory of 2260	3976	cmd.exe	69
PID 2260 wrote to memory of 1060	2260	DllCommonsvc.exe	92
PID 2260 wrote to memory of 1060	2260	DllCommonsvc.exe	92
PID 2260 wrote to memory of 1048	2260	DllCommonsvc.exe	96
PID 2260 wrote to memory of 1048	2260	DllCommonsvc.exe	96
PID 2260 wrote to memory of 1412	2260	DllCommonsvc.exe	95
PID 2260 wrote to memory of 1412	2260	DllCommonsvc.exe	95
PID 2260 wrote to memory of 372	2260	DllCommonsvc.exe	107
PID 2260 wrote to memory of 372	2260	DllCommonsvc.exe	107
PID 2260 wrote to memory of 860	2260	DllCommonsvc.exe	98
PID 2260 wrote to memory of 860	2260	DllCommonsvc.exe	98
PID 2260 wrote to memory of 1164	2260	DllCommonsvc.exe	99
PID 2260 wrote to memory of 1164	2260	DllCommonsvc.exe	99
PID 2260 wrote to memory of 3276	2260	DllCommonsvc.exe	100
PID 2260 wrote to memory of 3276	2260	DllCommonsvc.exe	100
PID 2260 wrote to memory of 96	2260	DllCommonsvc.exe	105
PID 2260 wrote to memory of 96	2260	DllCommonsvc.exe	105
PID 2260 wrote to memory of 2708	2260	DllCommonsvc.exe	108
PID 2260 wrote to memory of 2708	2260	DllCommonsvc.exe	108
PID 2708 wrote to memory of 4924	2708	cmd.exe	110
PID 2708 wrote to memory of 4924	2708	cmd.exe	110
PID 2708 wrote to memory of 4424	2708	cmd.exe	112
PID 2708 wrote to memory of 4424	2708	cmd.exe	112
PID 4424 wrote to memory of 1716	4424	sppsvc.exe	113
PID 4424 wrote to memory of 1716	4424	sppsvc.exe	113
PID 1716 wrote to memory of 1472	1716	cmd.exe	115
PID 1716 wrote to memory of 1472	1716	cmd.exe	115
PID 1716 wrote to memory of 1776	1716	cmd.exe	116
PID 1716 wrote to memory of 1776	1716	cmd.exe	116
PID 1776 wrote to memory of 4528	1776	sppsvc.exe	117
PID 1776 wrote to memory of 4528	1776	sppsvc.exe	117
PID 4528 wrote to memory of 5076	4528	cmd.exe	119
PID 4528 wrote to memory of 5076	4528	cmd.exe	119
PID 4528 wrote to memory of 2644	4528	cmd.exe	120
PID 4528 wrote to memory of 2644	4528	cmd.exe	120
PID 2644 wrote to memory of 2444	2644	sppsvc.exe	121
PID 2644 wrote to memory of 2444	2644	sppsvc.exe	121
PID 2444 wrote to memory of 3424	2444	cmd.exe	123
PID 2444 wrote to memory of 3424	2444	cmd.exe	123
PID 2444 wrote to memory of 3152	2444	cmd.exe	124
PID 2444 wrote to memory of 3152	2444	cmd.exe	124
PID 3152 wrote to memory of 4132	3152	sppsvc.exe	125
PID 3152 wrote to memory of 4132	3152	sppsvc.exe	125
PID 4132 wrote to memory of 1268	4132	cmd.exe	127
PID 4132 wrote to memory of 1268	4132	cmd.exe	127
PID 4132 wrote to memory of 2684	4132	cmd.exe	128
PID 4132 wrote to memory of 2684	4132	cmd.exe	128
PID 2684 wrote to memory of 4736	2684	sppsvc.exe	129
PID 2684 wrote to memory of 4736	2684	sppsvc.exe	129
PID 4736 wrote to memory of 1480	4736	cmd.exe	131
PID 4736 wrote to memory of 1480	4736	cmd.exe	131
PID 4736 wrote to memory of 2148	4736	cmd.exe	132
PID 4736 wrote to memory of 2148	4736	cmd.exe	132
PID 2148 wrote to memory of 2776	2148	sppsvc.exe	133
PID 2148 wrote to memory of 2776	2148	sppsvc.exe	133
PID 2776 wrote to memory of 1400	2776	cmd.exe	135
PID 2776 wrote to memory of 1400	2776	cmd.exe	135

C:\Users\Admin\AppData\Local\Temp\c994fc5bd1c3b7fee448afd3ed85e85141d57febc9f25d43c23ae2bc5744db78.exe
"C:\Users\Admin\AppData\Local\Temp\c994fc5bd1c3b7fee448afd3ed85e85141d57febc9f25d43c23ae2bc5744db78.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3976
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2260
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3276
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\regid.1991-06.com.microsoft\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:96
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:372
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qXdQPOamaa.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4924
      - C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K3fI8Bd254.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1472
        
        C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qX4ufk0Q6M.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:5076
        
        C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe"
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\auWhjrprfd.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:3424
        
        C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FBcCl1WGSV.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1268
        
        C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe"
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Fb5uY85DH.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1480
        
        C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe"
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YyUd3mmyLr.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1400
        
        C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1412
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LEBHQwxRW8.bat"
        19⤵
        
        PID:3528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:4800
        
        C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe"
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mrWoaKD2ur.bat"
        21⤵
        
        PID:4780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:4392
        
        C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe"
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UyITBGB0nG.bat"
        23⤵
        
        PID:2176
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2704
        
        C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe"
        24⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat"
        25⤵
        
        PID:5116
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:3540
        
        C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe"
        26⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Lxx1rvPQX.bat"
        27⤵
        
        PID:4920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\odt\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\odt\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\odt\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Music\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\odt\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sppsvc.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
67cba64917f3240dbbc65d26cf5e69eb

SHA1
e942b2cca0158d06b12a9360cef6edef515daace

SHA256
c78c1bb5d581ed352319a4c6070084a4392d330752738640801daf45bf70bb9c

SHA512
02a46ee4d9c1101aac4b0286da59e6f156acff0b377777c657d88de57acb9224e0db02a4e8628f431aeec212bc8aa2917ec7a78fb5bc064a4387f0a73f882280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
67cba64917f3240dbbc65d26cf5e69eb

SHA1
e942b2cca0158d06b12a9360cef6edef515daace

SHA256
c78c1bb5d581ed352319a4c6070084a4392d330752738640801daf45bf70bb9c

SHA512
02a46ee4d9c1101aac4b0286da59e6f156acff0b377777c657d88de57acb9224e0db02a4e8628f431aeec212bc8aa2917ec7a78fb5bc064a4387f0a73f882280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
77d06ca3da59453df9f8eb47f3c659c2

SHA1
cdd231c97cb1b11c54d464858c770342e27f3946

SHA256
cbe6279933f94f6a79bedcfc989e1c4d06ea048920fb063a19abe6ac51cbb7b4

SHA512
5a8e7107498c937aa1470d19ea5ba47766e695e437d189e56d3c66592a9bd2b6866583714a9764110399d059106d3cd77136a65e93d2a2bcc2c13ebbd4744e77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
77d06ca3da59453df9f8eb47f3c659c2

SHA1
cdd231c97cb1b11c54d464858c770342e27f3946

SHA256
cbe6279933f94f6a79bedcfc989e1c4d06ea048920fb063a19abe6ac51cbb7b4

SHA512
5a8e7107498c937aa1470d19ea5ba47766e695e437d189e56d3c66592a9bd2b6866583714a9764110399d059106d3cd77136a65e93d2a2bcc2c13ebbd4744e77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eabf03301ff7ed776ba66376c7d876a6

SHA1
c8fa2aa7d75bbc60dc8546656318ed1be1b077be

SHA256
54d22502659916153ef2a571ae0032440bca25689fa245ef32efbd6683a48efa

SHA512
7f50ad6338ebaeacb177f883db1b64bbd4772d89fd8ae0b9fcb74bbca9bdf3f956f16f9453e27869665296472bbbe9e76d074c68f2f2821f61ca4aa99e1f4c79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eabf03301ff7ed776ba66376c7d876a6

SHA1
c8fa2aa7d75bbc60dc8546656318ed1be1b077be

SHA256
54d22502659916153ef2a571ae0032440bca25689fa245ef32efbd6683a48efa

SHA512
7f50ad6338ebaeacb177f883db1b64bbd4772d89fd8ae0b9fcb74bbca9bdf3f956f16f9453e27869665296472bbbe9e76d074c68f2f2821f61ca4aa99e1f4c79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
54a8987bfd1d28b7dcaf19ec0551056d

SHA1
6b742b2e7daf641627eb6186d333ff766a440d2f

SHA256
29ecebec41261413117cdd9a76f7c7cbccb994029505e474b7bd52e056e5dc82

SHA512
b0e12ae76ebab809fcea6f10336a8cf7ee8a8873d92953535d430cfcc2a01817225e047fdceed99b66200fc246e03e2ddf634e0d270f3eb9575b3f92fab96fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3Fb5uY85DH.bat

Filesize
222B

MD5
92c8339feb18ef272f748e6db4554103

SHA1
74511407e4622d2629c090ea5ddec6d10988ce41

SHA256
ffcfaec2bc81bcdec60eab0c096c9f15c11530e91e70f26a822f891bdc684da7

SHA512
b8746eadf8c2864bd2d61d9bb0c65c906154fdbe54518c8ac3fd0789581880ef295d162c29a9f0c28d01e7a237ef80606d1a03ce5b3a0402c1b23645dfc074c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3Lxx1rvPQX.bat

Filesize
222B

MD5
9e7dd54039799047c58e10adc76af68e

SHA1
6bdf481b92f84fc197c130d10990fd1581cf7301

SHA256
576c16711ec3f77eade8450b2bb5e2a208ccdf0409ec0cc7063f525a1ade5374

SHA512
6a02d7f281685844e77924e70831770e359050d816b23fbc984a8ecaf9dbdfec0d209b02198cd91225d691826d755f3cb50fdaa9c47ed23f91604042e1076d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBcCl1WGSV.bat

Filesize
222B

MD5
823d87f49c334beb9f12ce99347ba9fc

SHA1
784295a23f655bdd8df4fb3d0142f18e77932156

SHA256
d7a63fb4101892f8c24825ab03a2caa21ccf0179c5ba0a053bce5474d266d1fc

SHA512
03a7ef70f4affab58ec1fd2fa18bcd1309e66b1733fcfb111a20033033f6a5c0692ec9e644cb148cbf356d871f1a5cb28ebbd4b073973ba1e2a4cf72c5086ee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\K3fI8Bd254.bat

Filesize
222B

MD5
480d79685252775c5cca266ff0eae7e7

SHA1
0ab596e9f3713f8f6f5b8bf6a2b19afd59fa8bae

SHA256
57b9bca0b6bcc43afe5d2c34d3bd670579fa73d47c5e450575d38571d514d1d6

SHA512
d7859dd744b72dca0820dba40a7e6a5e89e434ee73a6170fba061414191458ed80f1931d78d9cf8e795b2f11134510d1160695b8a1530d0a7f64005419d04a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEBHQwxRW8.bat

Filesize
222B

MD5
1d3fd17096a4766b6957e4a22c566d92

SHA1
8e13993c6ced163991e86f84f20c813b72a033d7

SHA256
a4eb420d1136add75f1946b09c16f9dda8c0e5d7243ac61c067ae859f90700f7

SHA512
cbbc9fd54232929618476b3f3685457642a23a1800fd19c5bf31d03d3f5d612cc8ae34383dd772940ee3e17ff570cceac0d5967627fb6a2ed53c755e83d24019

Download Submit
C:\Users\Admin\AppData\Local\Temp\UyITBGB0nG.bat

Filesize
222B

MD5
0aea9d3b65c711f280a4d9d70fa097d7

SHA1
6fbd93ad7ef3e7e0d3fffcac75f21a154a831b90

SHA256
bf8071675d0245fc14692465fd58eb56a8cff3e03512b628a914dddac5421c3f

SHA512
ad0a8b56d22419ae132a17e4a7f41f78715fe1b40d0825146db0f531232221d710328a6542154aa75b39acb5f7887452f1affffe3b75b796d0a2a68c98bd8fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\YyUd3mmyLr.bat

Filesize
222B

MD5
6ef96beaa84f8e468a721defb46bab67

SHA1
48a097410d81e1796bf536a9f4cde254471ede1f

SHA256
3160132249e6c26a034d78b6bec8ee77fa03fe85f9e36d56a6723ec52766495b

SHA512
9874c6b1306417b6eff444882de29af2bed634e283251735af58a19c1920aa58ddce9b02b86517620bda4476418b9c70019e252b0196266d5335f87f273821c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\auWhjrprfd.bat

Filesize
222B

MD5
f20897b206bf75b0d642892e5f5e3cfb

SHA1
c0ae2d8b4035d74cf8cad38d41517d82cfa59477

SHA256
c05e61e7929a1f6e718a22f38ecfb548944747860eea8ac179e78c5104d85f85

SHA512
dfc926b1e992adbcd35c643442542b8dfe310f1d303ef3006daa4d8419a0e1bbeef9d0c2f854b71e35787aa57e7be54499643d16b247c9cb29e2ffacda6d9a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrWoaKD2ur.bat

Filesize
222B

MD5
6c954dcaec9aa6837528c082710b62c5

SHA1
899f07b289cc9a9f1b928acfbc56ecae270f218b

SHA256
4da3f64fd142a99e0967343731ca6aa9048aef5f302b5aa505ce20f8602d9a5a

SHA512
a5c77ee7535ef40f23d54f632c335efefc0f6fa7aec1fec6a3bb1cd3065d269064d727b60396c5a418cb541e0398f9dbb212aedfd98ea85a3f49c8e808afca65

Download Submit
C:\Users\Admin\AppData\Local\Temp\qX4ufk0Q6M.bat

Filesize
222B

MD5
aefc9086cf412d2ca3f9d0bbef11c16e

SHA1
13f6bae35a1084ae1d2eade31c7f7a5f811c72e5

SHA256
872d3d8715731ba572b2bf1afafea070ecc968483b3bb9265d81831f4a8d0aae

SHA512
355a353d13e3e195600dce1e21011a8b076a40cb1394fda7ee1d6a7bfcff8ff746822dc6da19c9665ec328fc6a5d35c16e16137368e1e5a7dbe407dea167d88c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qXdQPOamaa.bat

Filesize
222B

MD5
00d8201ad82ef99961bcbe4030a3e3d4

SHA1
8dd42772553eebfed45afd9bb7b441923ca72292

SHA256
820811b7601c4efae759054761ee2f114a38972d9346694a4cfdb43d193e722c

SHA512
79146cf4697c882c0dc702f4f0fd86f3dd09f0beb45dc25872c574bc3c416db7360c649ef6b6263a24369856f6fc28d0fd22590eef5b13121dead9ecd1a6bf98

Download Submit
C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat

Filesize
222B

MD5
37d35029aca207d442ccff7eb3376170

SHA1
eab91447ed9e6f1f751fefc0f38c0e69f7766cb0

SHA256
0438511d8d717d2ef899f08a47efd460fed738a03d9689708d600ea865885d8f

SHA512
d3cfc1c9fbe8fa02fc29216f9a94fe54976e4069560dd722270b3fc3303bde3607b43096e2f5241abe0f2444f49f501866980ff78ae42978f2f20958dba1c1ce

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1060-327-0x0000026BFDD70000-0x0000026BFDD92000-memory.dmp

Filesize
136KB

Download
memory/1412-338-0x0000022DB7DB0000-0x0000022DB7E26000-memory.dmp

Filesize
472KB

Download
memory/2148-601-0x0000000002FB0000-0x0000000002FC2000-memory.dmp

Filesize
72KB

Download
memory/2260-281-0x0000000000EA0000-0x0000000000FB0000-memory.dmp

Filesize
1.1MB

Download
memory/2260-282-0x0000000001850000-0x0000000001862000-memory.dmp

Filesize
72KB

Download
memory/2260-284-0x0000000001860000-0x000000000186C000-memory.dmp

Filesize
48KB

Download
memory/2260-285-0x0000000001870000-0x000000000187C000-memory.dmp

Filesize
48KB

Download
memory/2260-283-0x0000000001880000-0x000000000188C000-memory.dmp

Filesize
48KB

Download
memory/2344-180-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/2344-181-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-156-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-152-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-178-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-177-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-176-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-175-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-174-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-173-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-116-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-172-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-171-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-170-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-169-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-168-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-167-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-117-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-118-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-166-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-165-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-164-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-163-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-162-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-161-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-160-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-159-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-158-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-157-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-115-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-154-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-155-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-153-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-131-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-151-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-120-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-150-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-121-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-149-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-148-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-147-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-146-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-123-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-124-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-145-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-125-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-126-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-144-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-143-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-142-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-141-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-127-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-140-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-139-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-138-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-137-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-134-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-136-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-135-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-132-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-133-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-129-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-128-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3004-130-0x0000000077D30000-0x0000000077EBE000-memory.dmp

Filesize
1.6MB

Download
memory/3152-590-0x0000000002ED0000-0x0000000002EE2000-memory.dmp

Filesize
72KB

Download
memory/4628-627-0x00000000008E0000-0x00000000008F2000-memory.dmp

Filesize
72KB

Download