dcrat | be53996826854c341bfa752344c4e16d89a93729227a4c65dc6ad5eef736dd59

Analysis

max time kernel
147s
max time network
149s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
02/11/2022, 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be53996826854c341bfa752344c4e16d89a93729227a4c65dc6ad5eef736dd59.exe
Size

1.3MB
MD5

353b6753934137fc2ba445a4f5325e34
SHA1

6157d9a347f83c4e38cb9aa473037320dab79ae0
SHA256

be53996826854c341bfa752344c4e16d89a93729227a4c65dc6ad5eef736dd59
SHA512

1bcd0dfdfbf9dab9272dc0bd502a3efbe0f137dd5c616652a955d394cafb1de8d12f43c0bbed6a6c9ec0f681b1dbaeb6ed717a817e0b9a93c4ba2a4567eee628
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	3848	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3144	3848	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	3848	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4440	3848	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	3848	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	3848	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	3848	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	3848	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3272	3848	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3248	3848	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	3848	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	3848	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	3848	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	3848	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	3848	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	3848	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	3848	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	3848	schtasks.exe	70

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001ac5a-283.dat	dcrat
behavioral1/files/0x000800000001ac5a-284.dat	dcrat
behavioral1/memory/4132-285-0x0000000000E30000-0x0000000000F40000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac71-313.dat	dcrat
behavioral1/files/0x000600000001ac71-312.dat	dcrat
behavioral1/files/0x000600000001ac71-555.dat	dcrat
behavioral1/files/0x000600000001ac71-561.dat	dcrat
behavioral1/files/0x000600000001ac71-567.dat	dcrat
behavioral1/files/0x000600000001ac71-572.dat	dcrat
behavioral1/files/0x000600000001ac71-578.dat	dcrat
behavioral1/files/0x000600000001ac71-583.dat	dcrat
behavioral1/files/0x000600000001ac71-589.dat	dcrat
behavioral1/files/0x000600000001ac71-595.dat	dcrat
behavioral1/files/0x000600000001ac71-600.dat	dcrat
behavioral1/files/0x000600000001ac71-605.dat	dcrat

Executes dropped EXE 12 IoCs

pid	Process
4132	DllCommonsvc.exe
996	sppsvc.exe
1656	sppsvc.exe
4204	sppsvc.exe
4832	sppsvc.exe
4060	sppsvc.exe
5000	sppsvc.exe
820	sppsvc.exe
1596	sppsvc.exe
5076	sppsvc.exe
3128	sppsvc.exe
1484	sppsvc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\OfficeClickToRun.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\e6c9b481da804f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\a76d7bf15d8370	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4780	schtasks.exe
4816	schtasks.exe
5000	schtasks.exe
4060	schtasks.exe
4540	schtasks.exe
4440	schtasks.exe
1820	schtasks.exe
4964	schtasks.exe
3272	schtasks.exe
3248	schtasks.exe
4796	schtasks.exe
4708	schtasks.exe
3144	schtasks.exe
4876	schtasks.exe
4900	schtasks.exe
1808	schtasks.exe
4508	schtasks.exe
4968	schtasks.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	be53996826854c341bfa752344c4e16d89a93729227a4c65dc6ad5eef736dd59.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4132	DllCommonsvc.exe
4132	DllCommonsvc.exe
4132	DllCommonsvc.exe
4132	DllCommonsvc.exe
4132	DllCommonsvc.exe
4132	DllCommonsvc.exe
4132	DllCommonsvc.exe
648	powershell.exe
640	powershell.exe
776	powershell.exe
1588	powershell.exe
1424	powershell.exe
1648	powershell.exe
1124	powershell.exe
640	powershell.exe
996	sppsvc.exe
640	powershell.exe
648	powershell.exe
776	powershell.exe
1424	powershell.exe
1648	powershell.exe
1588	powershell.exe
1124	powershell.exe
648	powershell.exe
776	powershell.exe
1424	powershell.exe
1648	powershell.exe
1588	powershell.exe
1124	powershell.exe
1656	sppsvc.exe
4204	sppsvc.exe
4832	sppsvc.exe
4060	sppsvc.exe
5000	sppsvc.exe
820	sppsvc.exe
1596	sppsvc.exe
5076	sppsvc.exe
3128	sppsvc.exe
1484	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4132	DllCommonsvc.exe
Token: SeDebugPrivilege	648	powershell.exe
Token: SeDebugPrivilege	640	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	996	sppsvc.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeIncreaseQuotaPrivilege	640	powershell.exe
Token: SeSecurityPrivilege	640	powershell.exe
Token: SeTakeOwnershipPrivilege	640	powershell.exe
Token: SeLoadDriverPrivilege	640	powershell.exe
Token: SeSystemProfilePrivilege	640	powershell.exe
Token: SeSystemtimePrivilege	640	powershell.exe
Token: SeProfSingleProcessPrivilege	640	powershell.exe
Token: SeIncBasePriorityPrivilege	640	powershell.exe
Token: SeCreatePagefilePrivilege	640	powershell.exe
Token: SeBackupPrivilege	640	powershell.exe
Token: SeRestorePrivilege	640	powershell.exe
Token: SeShutdownPrivilege	640	powershell.exe
Token: SeDebugPrivilege	640	powershell.exe
Token: SeSystemEnvironmentPrivilege	640	powershell.exe
Token: SeRemoteShutdownPrivilege	640	powershell.exe
Token: SeUndockPrivilege	640	powershell.exe
Token: SeManageVolumePrivilege	640	powershell.exe
Token: 33	640	powershell.exe
Token: 34	640	powershell.exe
Token: 35	640	powershell.exe
Token: 36	640	powershell.exe
Token: SeIncreaseQuotaPrivilege	648	powershell.exe
Token: SeSecurityPrivilege	648	powershell.exe
Token: SeTakeOwnershipPrivilege	648	powershell.exe
Token: SeLoadDriverPrivilege	648	powershell.exe
Token: SeSystemProfilePrivilege	648	powershell.exe
Token: SeSystemtimePrivilege	648	powershell.exe
Token: SeProfSingleProcessPrivilege	648	powershell.exe
Token: SeIncBasePriorityPrivilege	648	powershell.exe
Token: SeCreatePagefilePrivilege	648	powershell.exe
Token: SeBackupPrivilege	648	powershell.exe
Token: SeRestorePrivilege	648	powershell.exe
Token: SeShutdownPrivilege	648	powershell.exe
Token: SeDebugPrivilege	648	powershell.exe
Token: SeSystemEnvironmentPrivilege	648	powershell.exe
Token: SeRemoteShutdownPrivilege	648	powershell.exe
Token: SeUndockPrivilege	648	powershell.exe
Token: SeManageVolumePrivilege	648	powershell.exe
Token: 33	648	powershell.exe
Token: 34	648	powershell.exe
Token: 35	648	powershell.exe
Token: 36	648	powershell.exe
Token: SeIncreaseQuotaPrivilege	776	powershell.exe
Token: SeSecurityPrivilege	776	powershell.exe
Token: SeTakeOwnershipPrivilege	776	powershell.exe
Token: SeLoadDriverPrivilege	776	powershell.exe
Token: SeSystemProfilePrivilege	776	powershell.exe
Token: SeSystemtimePrivilege	776	powershell.exe
Token: SeProfSingleProcessPrivilege	776	powershell.exe
Token: SeIncBasePriorityPrivilege	776	powershell.exe
Token: SeCreatePagefilePrivilege	776	powershell.exe
Token: SeBackupPrivilege	776	powershell.exe
Token: SeRestorePrivilege	776	powershell.exe
Token: SeShutdownPrivilege	776	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 5060	1656	be53996826854c341bfa752344c4e16d89a93729227a4c65dc6ad5eef736dd59.exe	66
PID 1656 wrote to memory of 5060	1656	be53996826854c341bfa752344c4e16d89a93729227a4c65dc6ad5eef736dd59.exe	66
PID 1656 wrote to memory of 5060	1656	be53996826854c341bfa752344c4e16d89a93729227a4c65dc6ad5eef736dd59.exe	66
PID 5060 wrote to memory of 4124	5060	WScript.exe	67
PID 5060 wrote to memory of 4124	5060	WScript.exe	67
PID 5060 wrote to memory of 4124	5060	WScript.exe	67
PID 4124 wrote to memory of 4132	4124	cmd.exe	69
PID 4124 wrote to memory of 4132	4124	cmd.exe	69
PID 4132 wrote to memory of 776	4132	DllCommonsvc.exe	89
PID 4132 wrote to memory of 776	4132	DllCommonsvc.exe	89
PID 4132 wrote to memory of 640	4132	DllCommonsvc.exe	91
PID 4132 wrote to memory of 640	4132	DllCommonsvc.exe	91
PID 4132 wrote to memory of 648	4132	DllCommonsvc.exe	95
PID 4132 wrote to memory of 648	4132	DllCommonsvc.exe	95
PID 4132 wrote to memory of 1648	4132	DllCommonsvc.exe	94
PID 4132 wrote to memory of 1648	4132	DllCommonsvc.exe	94
PID 4132 wrote to memory of 1424	4132	DllCommonsvc.exe	102
PID 4132 wrote to memory of 1424	4132	DllCommonsvc.exe	102
PID 4132 wrote to memory of 1588	4132	DllCommonsvc.exe	101
PID 4132 wrote to memory of 1588	4132	DllCommonsvc.exe	101
PID 4132 wrote to memory of 1124	4132	DllCommonsvc.exe	100
PID 4132 wrote to memory of 1124	4132	DllCommonsvc.exe	100
PID 4132 wrote to memory of 996	4132	DllCommonsvc.exe	103
PID 4132 wrote to memory of 996	4132	DllCommonsvc.exe	103
PID 996 wrote to memory of 4308	996	sppsvc.exe	105
PID 996 wrote to memory of 4308	996	sppsvc.exe	105
PID 4308 wrote to memory of 5044	4308	cmd.exe	107
PID 4308 wrote to memory of 5044	4308	cmd.exe	107
PID 4308 wrote to memory of 1656	4308	cmd.exe	108
PID 4308 wrote to memory of 1656	4308	cmd.exe	108
PID 1656 wrote to memory of 3508	1656	sppsvc.exe	109
PID 1656 wrote to memory of 3508	1656	sppsvc.exe	109
PID 3508 wrote to memory of 1620	3508	cmd.exe	111
PID 3508 wrote to memory of 1620	3508	cmd.exe	111
PID 3508 wrote to memory of 4204	3508	cmd.exe	112
PID 3508 wrote to memory of 4204	3508	cmd.exe	112
PID 4204 wrote to memory of 4300	4204	sppsvc.exe	113
PID 4204 wrote to memory of 4300	4204	sppsvc.exe	113
PID 4300 wrote to memory of 2528	4300	cmd.exe	115
PID 4300 wrote to memory of 2528	4300	cmd.exe	115
PID 4300 wrote to memory of 4832	4300	cmd.exe	116
PID 4300 wrote to memory of 4832	4300	cmd.exe	116
PID 4832 wrote to memory of 3908	4832	sppsvc.exe	117
PID 4832 wrote to memory of 3908	4832	sppsvc.exe	117
PID 3908 wrote to memory of 4968	3908	cmd.exe	119
PID 3908 wrote to memory of 4968	3908	cmd.exe	119
PID 3908 wrote to memory of 4060	3908	cmd.exe	120
PID 3908 wrote to memory of 4060	3908	cmd.exe	120
PID 4060 wrote to memory of 3428	4060	sppsvc.exe	121
PID 4060 wrote to memory of 3428	4060	sppsvc.exe	121
PID 3428 wrote to memory of 4772	3428	cmd.exe	123
PID 3428 wrote to memory of 4772	3428	cmd.exe	123
PID 3428 wrote to memory of 5000	3428	cmd.exe	124
PID 3428 wrote to memory of 5000	3428	cmd.exe	124
PID 5000 wrote to memory of 2592	5000	sppsvc.exe	126
PID 5000 wrote to memory of 2592	5000	sppsvc.exe	126
PID 2592 wrote to memory of 4636	2592	cmd.exe	127
PID 2592 wrote to memory of 4636	2592	cmd.exe	127
PID 2592 wrote to memory of 820	2592	cmd.exe	128
PID 2592 wrote to memory of 820	2592	cmd.exe	128
PID 820 wrote to memory of 656	820	sppsvc.exe	129
PID 820 wrote to memory of 656	820	sppsvc.exe	129
PID 656 wrote to memory of 980	656	cmd.exe	131
PID 656 wrote to memory of 980	656	cmd.exe	131

C:\Users\Admin\AppData\Local\Temp\be53996826854c341bfa752344c4e16d89a93729227a4c65dc6ad5eef736dd59.exe
"C:\Users\Admin\AppData\Local\Temp\be53996826854c341bfa752344c4e16d89a93729227a4c65dc6ad5eef736dd59.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4124
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4132
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\cmd.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
    - - C:\Users\Admin\Music\sppsvc.exe
        
        "C:\Users\Admin\Music\sppsvc.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:996
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H7kUlUtrsw.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:5044
        
        C:\Users\Admin\Music\sppsvc.exe
        
        "C:\Users\Admin\Music\sppsvc.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\arqkgCRh4V.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1620
        
        C:\Users\Admin\Music\sppsvc.exe
        
        "C:\Users\Admin\Music\sppsvc.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AJeLhFiBvb.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2528
        
        C:\Users\Admin\Music\sppsvc.exe
        
        "C:\Users\Admin\Music\sppsvc.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zDWALPrpmL.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3908
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:4968
        
        C:\Users\Admin\Music\sppsvc.exe
        
        "C:\Users\Admin\Music\sppsvc.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B4BP5ZSgoJ.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:4772
        
        C:\Users\Admin\Music\sppsvc.exe
        
        "C:\Users\Admin\Music\sppsvc.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7C7JiPLtAl.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4636
        
        C:\Users\Admin\Music\sppsvc.exe
        
        "C:\Users\Admin\Music\sppsvc.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fcYyv3mAUp.bat"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:980
        
        C:\Users\Admin\Music\sppsvc.exe
        
        "C:\Users\Admin\Music\sppsvc.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"
        20⤵
        
        PID:2256
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:208
        
        C:\Users\Admin\Music\sppsvc.exe
        
        "C:\Users\Admin\Music\sppsvc.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat"
        22⤵
        
        PID:4972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:5036
        
        C:\Users\Admin\Music\sppsvc.exe
        
        "C:\Users\Admin\Music\sppsvc.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PfMhC4n1i0.bat"
        24⤵
        
        PID:1200
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1564
        
        C:\Users\Admin\Music\sppsvc.exe
        
        "C:\Users\Admin\Music\sppsvc.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0IgHXqOu0A.bat"
        26⤵
        
        PID:3080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\odt\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Music\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Music\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Music\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sppsvc.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
06c0a54cb244cb834becfdb812d3a4fa

SHA1
b994b8b83506ff3799c0e39b9e93407a34e6c70d

SHA256
cafd7cc81936bdf543d268b5e67921fa7ece1e1441510cbacb3270a08ea00385

SHA512
3ae186868b489784d8459878102a99bf8e7606a84a2277aab305d8a2161388dd9ab157508ce8b5c692137187e96e000f819a50ccbfc73427581c744befdd2b5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
06c0a54cb244cb834becfdb812d3a4fa

SHA1
b994b8b83506ff3799c0e39b9e93407a34e6c70d

SHA256
cafd7cc81936bdf543d268b5e67921fa7ece1e1441510cbacb3270a08ea00385

SHA512
3ae186868b489784d8459878102a99bf8e7606a84a2277aab305d8a2161388dd9ab157508ce8b5c692137187e96e000f819a50ccbfc73427581c744befdd2b5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cec33ec6907120b7693e6de943cd1a9c

SHA1
e013b50f348d1bc5764edfa32292de8b731938ff

SHA256
6f3a5a085039384638f0e0aac7d6ba7dc2adc73af66e0abd5f162b3d043442aa

SHA512
95efa51c037bbe8ad7df7a9f28cb9ecc8f47b33a96327b4efd4e2528eab16e5f410cbeed00b03a8afd2e57c0f29a930e4d312d3ac907933b916ce7229be0a439

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cec33ec6907120b7693e6de943cd1a9c

SHA1
e013b50f348d1bc5764edfa32292de8b731938ff

SHA256
6f3a5a085039384638f0e0aac7d6ba7dc2adc73af66e0abd5f162b3d043442aa

SHA512
95efa51c037bbe8ad7df7a9f28cb9ecc8f47b33a96327b4efd4e2528eab16e5f410cbeed00b03a8afd2e57c0f29a930e4d312d3ac907933b916ce7229be0a439

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
da620bfaeb6a2ea4d6aec798488fc184

SHA1
03db0dd14013355038f03a05900db8fe3ac6786a

SHA256
a23995266845201abcc9955807fbe2866d1241995f8fc8d01cd70369b0e76f8e

SHA512
f763b1faaad468f679b45b0ddb66ac8a16a4b6000fd8bc2f5e171f86d413b11bb32ddfc19c00bc02c836f5d56661c1e9749e4619440bc81fd596c256fb93e6c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
87a93c492601d028ce22280bfdc2becb

SHA1
d197eb2ce17f64d9cc4345108b4611a8732ce915

SHA256
8bb63ba35f80c438b9105c92ddd9d85691baeadbe579eb11e579160b09a0bc6a

SHA512
f6aecd1757388de252a521715c9b9ab8a02a79190a77a7da3d780a90c9f7cb5a890cfbb1dc2894fca6bceb745945a3f4af8413b8a92a4b5f17ea2696b20c0fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\0IgHXqOu0A.bat

Filesize
196B

MD5
edfa1f3d59a52b90f0c27fcc27bf8138

SHA1
5329d8a931ac44f085567f87ed25d0bed8894063

SHA256
00bfda7376251371d9a839890e688065fe53b344afbc3753abd16a3c5f1654bb

SHA512
92df4d3212c2f96ad9606e8ed4a23484f0df3b1e1c3a17d5dc205fd3bf82647f15e26c7f67272c506e2df11b98e2692f6f27c22a4a29c34f9dc6073b78b4bc41

Download Submit
C:\Users\Admin\AppData\Local\Temp\7C7JiPLtAl.bat

Filesize
196B

MD5
95e8ebf82275b6f2d98e141079e0ed61

SHA1
9c1341e1f4a230711858d2e1da3f5faf24249ff2

SHA256
c0bbb9dfc1342620f6719aaa04700274aad37f9b676f0ef8d9f52ad8ac5725d6

SHA512
a27efebaea4b3018e63d898ecff9bc2ccf8a4a6d9b54dde0e5636fc0d9854e5d3770bbe00570079eb3eaf44c18323ea7e9a82bc510ba749114e86445b274dad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AJeLhFiBvb.bat

Filesize
196B

MD5
0a3eafce77cffacf3a76d94dcd21ac77

SHA1
1fdee765038d22cba11f7e6f136c0d027812ee6b

SHA256
d4654db0e8f62bd44d67d1961a463d6497ec6b1565505920176c2a93ffbbbdfc

SHA512
1dea6fc715fd4642dc11c4fec3cde08ce16ac66f9d0dfccceb85e38af7409d8b23f7dc088ee0c3d9013bde7c3733224ec5e3d54a56879eb2d745a28a50848f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4BP5ZSgoJ.bat

Filesize
196B

MD5
d261a2ebe9dd66f3b9d6feb1b4f62c13

SHA1
8f53e86cce93ce8c64d45a5736859614c21b6cdf

SHA256
a4ab5ee84c6026e1c2d3141cea66653d531f3ba9d41043ca56477c43ba40f233

SHA512
2c128bcb2bcce83f6592eba925c2c4c2faa9d723395cc10c155e52b5a1f1b944890ac55735548171ca4ce06d764ce2159dadbfd1ba90b92280b9fe60f038c4e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\H7kUlUtrsw.bat

Filesize
196B

MD5
531c0b728515447dd9403fc97e64d9e3

SHA1
470e41224f7205aa4d1832974dac88114811a776

SHA256
b5a624ab7e8cda17f14c394d035ce7277d9e7b4ce70f73e681a7af7f390b1106

SHA512
019eb9e1d556dd11d05a09282b28dc1750183b00fffcb16946df3c5562f18fdb59efe5a0152eb1f3df5c1c38929cc7ad3e2f2cacc9bc17c88eda17d4f76fee50

Download Submit
C:\Users\Admin\AppData\Local\Temp\PfMhC4n1i0.bat

Filesize
196B

MD5
3b3a4b6c6dd4012f697a8e4a5c51187e

SHA1
98d73d5f4e7290403753971408df28244feb0160

SHA256
869bc9ebdb9edfc47fe2cba0fa9ac4d02ef240927d17a3aba012ccc12c7d5d4c

SHA512
24d8dc4276b2df380158e850bfc2110f2542186246115c9a33039c55ff121aaa1ac2ad5fde7ac81f36924cf56d420d9619afb3fac6ae48f7e78d1cc5bee464eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat

Filesize
196B

MD5
2a0b9b5ef421add8b2574d8147dec389

SHA1
aabe104e7af3032ef3f4132fe99bc626f0a3bbda

SHA256
ea17d5eecc0fc046f54cb60aff6e17526c06e265740a3bd9c2f3c86b36c2ade7

SHA512
303eb9570f0155cfd9923ca16d31f0c7147a05e1d124467a9afeeda0205292599ce6e47b41d74ed269308ae9dbe3334e2270c65767cdec04ef3f765f7d18fc4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\arqkgCRh4V.bat

Filesize
196B

MD5
1c093f68d622c1cb6dd3fd07d1a56c2f

SHA1
7f8a89a9925ec509d72b7b95d8960c97caceaa9b

SHA256
a7d4a52b351572bcde8043bf04c92f7ff00509b7cee2c70be770a380d69ecd8a

SHA512
05040fdbbdabb97be9b52c6fd957b032403236b1a5c4c2666b246b6da63d805c3ce172f521d0dc14f364014dbc77aad956563a61d6e7bb8c5da640922c7407a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat

Filesize
196B

MD5
8013add6e5f949010c8966d9cc78d332

SHA1
ac03a29967d22358b0e331b1747d7f9c284defd3

SHA256
26ee26a016e79d4d2787ecc3dfa7d491b59b8e6c4e11212c6ca1c1e86786545e

SHA512
e08567ff8587ca8e0f08a21cf13ac8612c8dcc44166be45e855d61068a994df2edd1463b27fe7ca5325346b3f286c251171cb80075212d69cc8b530249ca3cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcYyv3mAUp.bat

Filesize
196B

MD5
ca08a960ade59596808347069e6e9f86

SHA1
74af0e4f7d27ff836716c9bab64c97ad6e76e9ea

SHA256
87c702ccf867cc0452b65eeb4125e49a3e39b7f4707671401bef0e14187365f2

SHA512
38be64626bdc6eb42181184d8777d9490c0ebba4024caf4d5f173cef12647555b9a653c1de998019cc18e646c81df281ef2399bf9db23d7636c89b9824c0ebaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\zDWALPrpmL.bat

Filesize
196B

MD5
b91aaae3c3c625928697b206e2448880

SHA1
4c6547dfefcbd065cfce11c941d6d39e828169bd

SHA256
881e96d35e35995a82f430bcb2b73d5d422ce45d81421bf4ae64b5060c77995e

SHA512
29168bd5f4aaecdaab9b64bca7a0a1a7b70584254c4fdbe0e9bab07ee1a08f603df25da4c4f427632b313b616837af9cfcdffe4f6dfa3baa0f9f256847e79d84

Download Submit
C:\Users\Admin\Music\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\Music\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\Music\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\Music\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\Music\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\Music\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\Music\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\Music\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\Music\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\Music\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\Music\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\Music\sppsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/640-338-0x0000020738D40000-0x0000020738DB6000-memory.dmp

Filesize
472KB

Download
memory/648-328-0x0000023773540000-0x0000023773562000-memory.dmp

Filesize
136KB

Download
memory/820-584-0x00000000017E0000-0x00000000017F2000-memory.dmp

Filesize
72KB

Download
memory/1484-606-0x00000000029B0000-0x00000000029C2000-memory.dmp

Filesize
72KB

Download
memory/1596-590-0x0000000001000000-0x0000000001012000-memory.dmp

Filesize
72KB

Download
memory/1656-159-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-138-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-180-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-181-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-182-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-120-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-121-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-122-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-178-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-177-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-124-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-125-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-176-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-175-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-127-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-128-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-129-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-130-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-131-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-174-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-173-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-172-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-171-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-170-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-169-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-168-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-167-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-166-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-165-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-164-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-163-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-162-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-161-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-160-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-119-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-158-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-157-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-156-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-132-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-155-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-133-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-154-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-153-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-134-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-152-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-151-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-135-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-150-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-136-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-137-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-149-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-179-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-139-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-148-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-140-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-147-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-141-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-142-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-146-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-143-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-144-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-145-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/4060-573-0x0000000000800000-0x0000000000812000-memory.dmp

Filesize
72KB

Download
memory/4132-287-0x0000000001470000-0x000000000147C000-memory.dmp

Filesize
48KB

Download
memory/4132-286-0x0000000001460000-0x0000000001472000-memory.dmp

Filesize
72KB

Download
memory/4132-289-0x0000000001800000-0x000000000180C000-memory.dmp

Filesize
48KB

Download
memory/4132-288-0x000000001C2E0000-0x000000001C2EC000-memory.dmp

Filesize
48KB

Download
memory/4132-285-0x0000000000E30000-0x0000000000F40000-memory.dmp

Filesize
1.1MB

Download
memory/4204-562-0x0000000000C20000-0x0000000000C32000-memory.dmp

Filesize
72KB

Download
memory/5060-185-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/5060-184-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download