Analysis

  • max time kernel
    35s
  • max time network
    150s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    31/10/2022, 22:54

General

  • Target

    68c80a1af2f37bf3f6d3af6f6319f062514ccaba2e5392bfd9ebdb0f78675e40.exe

  • Size

    1.3MB

  • MD5

    7e27554bec453471ca9e7fe05048dc6f

  • SHA1

    320172e80965c23c2e4868ed3cde43ad1d8cfaa8

  • SHA256

    68c80a1af2f37bf3f6d3af6f6319f062514ccaba2e5392bfd9ebdb0f78675e40

  • SHA512

    77bd5878c5f388d836f51782e26278beccf9aa0d782c0f45b46babd2ce67bb43f9919b2139bd6cca2443e470505f8f72e806389f00ea0b603e536bb45288e115

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score
10/10

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process (64 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload (24 IoCs)

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE (21 IoCs)
  • Drops file in System32 directory (2 IoCs)
  • Drops file in Program Files directory (4 IoCs)
  • Drops file in Windows directory (9 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) (1 TTPs, 64 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (45 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\68c80a1af2f37bf3f6d3af6f6319f062514ccaba2e5392bfd9ebdb0f78675e40.exe
    "C:\Users\Admin\AppData\Local\Temp\68c80a1af2f37bf3f6d3af6f6319f062514ccaba2e5392bfd9ebdb0f78675e40.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2716
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4892
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2000
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3884
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4680
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4456
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dllhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:576
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\winlogon.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4544
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\MsDtc\Trace\taskhostw.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3904
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\ShellExperienceHost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1672
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\PrintHood\dllhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1236
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:612
          • C:\providercommon\DllCommonsvc.exe
            "C:\providercommon\DllCommonsvc.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2288
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
              6⤵
              • Executes dropped EXE
              PID:4328
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\smss.exe'
              6⤵
              • Executes dropped EXE
              PID:3488
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\dllhost.exe'
              6⤵
              • Executes dropped EXE
              PID:1280
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
              6⤵
              • Executes dropped EXE
              PID:2284
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\wininit.exe'
              6⤵
              • Executes dropped EXE
              PID:4060
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\powershell.exe'
              6⤵
              • Executes dropped EXE
              PID:4388
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
              6⤵
              • Executes dropped EXE
              PID:4792
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\conhost.exe'
              6⤵
              • Executes dropped EXE
              PID:4312
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\sppsvc.exe'
              6⤵
              • Executes dropped EXE
              PID:4292
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\powershell.exe'
              6⤵
              • Executes dropped EXE
              PID:5096
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\powershell.exe'
              6⤵
              • Executes dropped EXE
              PID:4580
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\smss.exe'
              6⤵
              • Executes dropped EXE
              PID:1688
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
              6⤵
              • Executes dropped EXE
              PID:4748
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework64\1041\cmd.exe'
              6⤵
              • Executes dropped EXE
              PID:2388
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\OneDrive\conhost.exe'
              6⤵
              • Executes dropped EXE
              PID:4344
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\explorer.exe'
              6⤵
              • Executes dropped EXE
              PID:1112
            • C:\providercommon\powershell.exe
              "C:\providercommon\powershell.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:4544
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
              6⤵
              • Executes dropped EXE
              PID:4824
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsass.exe'
              6⤵
              • Executes dropped EXE
              PID:2220
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\es-ES\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4952
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\es-ES\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3144
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\es-ES\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4316
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4320
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4312
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4640
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\odt\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    PID:3704
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5056
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5068
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Windows\SysWOW64\MsDtc\Trace\taskhostw.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4980
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\SysWOW64\MsDtc\Trace\taskhostw.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5088
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Windows\SysWOW64\MsDtc\Trace\taskhostw.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4424
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\PrintHood\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    PID:3156
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4604
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\PrintHood\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2528
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\ShellExperienceHost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3028
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Users\Default User\ShellExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3260
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\ShellExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4580
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4576
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4500
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4536
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\odt\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    PID:928
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3316
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3368
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Templates\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    PID:4932
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Templates\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2232
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Templates\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3880
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\odt\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2808
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4296
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4980
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1460
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4504
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /f
    1⤵
    • Process spawned unexpected child process
    PID:1280
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3064
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3516
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2980
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4432
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3392
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4388
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4076
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1316
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\ModemLogs\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4196
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ModemLogs\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3144
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\ModemLogs\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4324
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\providercommon\powershell.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5080
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\providercommon\powershell.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3156
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\providercommon\powershell.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3760
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\providercommon\powershell.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4380
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\providercommon\powershell.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3260
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\providercommon\powershell.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4552
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\DigitalLocker\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1036
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\DigitalLocker\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1924
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4576
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4512
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4684
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\providercommon\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:804
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5004
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\Framework64\1041\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4484
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework64\1041\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2352
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Windows\Microsoft.NET\Framework64\1041\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:1652
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\OneDrive\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3784
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\OneDrive\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:3424
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\OneDrive\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:4260
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\providercommon\explorer.exe'" /f
    1⤵
    • Creates scheduled task(s)
    PID:3444
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:5100
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
    1⤵
    PID:1932
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\en-US\explorer.exe'" /f
    1⤵
    • Creates scheduled task(s)
    PID:3304
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:4504
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\en-US\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:3752

Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

            Filesize

            1KB

            MD5

            b4268d8ae66fdd920476b97a1776bf85

            SHA1

            f920de54f7467f0970eccc053d3c6c8dd181d49a

            SHA256

            61d17affcc8d91ecb1858e710c455186f9d0ccfc4d8ae17a1145d87bc7317879

            SHA512

            03b6b90641837f9efb6065698602220d6c5ad263d51d7b7714747c2a3c3c618bd3d94add206b034d6fa2b8e43cbd1ac4a1741cfa1c2b1c1fc8589ae0b0c89516

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

            Filesize

            3KB

            MD5

            ad5cd538ca58cb28ede39c108acb5785

            SHA1

            1ae910026f3dbe90ed025e9e96ead2b5399be877

            SHA256

            c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

            SHA512

            c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            0bdfaa14d7814b541a77f4e97920dfd6

            SHA1

            c239720eee47db7f7136bb78e37c539b9e735c4c

            SHA256

            4c8946ef444ac60d731d674ad3d32a42edcd2a8d5fc984366f7c09eb24f5a272

            SHA512

            dfa795a1fd4fc852064cfdf93602899685bf9c13c7c326feca76fc7f97f92662342c52b79b447bcbc20cd55ea724742a499ad8da8e7770377a3e04ae52351608

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            9354e505638093f20dfa38d9c6620235

            SHA1

            08f95f01067f7773367e78a0d2de873dd5985e22

            SHA256

            8f87916468b41e7b623aeff0bd0cf8fc229a600c3e2ad6fd658bf7676d9ed3f2

            SHA512

            655b3ef7bc0b14ddd45507df5fc5252fea8508fd1d2de75a53d26b5084d58c813673bf173e41b6f03bd06f5a4240db13945ef340483262b12e4fe93da5ff775e

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            02b6c68dead38613d1a8ea25fc80efc8

            SHA1

            3ebea48bb5ebe6cbf73f4ecbee0b67fd253b02e9

            SHA256

            e5d94cb19f98851096d1c2114e3d18543082cbfe1d91c42f927fcde3b7be75a7

            SHA512

            baef4ccff193426df30097f39126e271311ea0614ec24356069e15672fbf877248993c58a8816427bf93c5ff96e57357168449b3a2581e464b73e9b83286b492

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            666645396c2ed47289bcde84115d9d2c

            SHA1

            1dacfec155d8a12dcc82fe379065a2e8c40f0f2c

            SHA256

            2913fcb0ba9c883a39984545cc43be1a35b2cc4675304f109aec03ce197be6c5

            SHA512

            01f79e028aa30418f6e37f420fb16ec7102c4a02a0051bec89528d42743ac1861e859125636024fe83de58a3dd97d31f468e5070a579706b42846f9499fd2efe

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            b8b3d31292f7920c38c3a83906b632b7

            SHA1

            0c5d7a42b818fc8db912ab01dbe3b04dcda7d653

            SHA256

            d0416df7bc7f535bf09de98008733d43ccf416fb6bb4085b9a95f018c5b34ff7

            SHA512

            8d1d22938112c9f283e8b2db17e9319dbebf875be7cd088421b7804cad7d3a7ffced413aa29d54111acac819da07f3f5d55c637566488f8cb6d0fef6724f206c

          • C:\providercommon\1zu9dW.bat

            Filesize

            36B

            MD5

            6783c3ee07c7d151ceac57f1f9c8bed7

            SHA1

            17468f98f95bf504cc1f83c49e49a78526b3ea03

            SHA256

            8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

            SHA512

            c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

          • C:\providercommon\DllCommonsvc.exe

            Filesize

            1.0MB

            MD5

            bd31e94b4143c4ce49c17d3af46bcad0

            SHA1

            f8c51ff3ff909531d9469d4ba1bbabae101853ff

            SHA256

            b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

            SHA512

            f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

          • C:\providercommon\powershell.exe

            Filesize

            1.0MB

            MD5

            bd31e94b4143c4ce49c17d3af46bcad0

            SHA1

            f8c51ff3ff909531d9469d4ba1bbabae101853ff

            SHA256

            b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

            SHA512

            f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

          • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

            Filesize

            197B

            MD5

            8088241160261560a02c84025d107592

            SHA1

            083121f7027557570994c9fc211df61730455bb5

            SHA256

            2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

            SHA512

            20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

          • memory/2288-330-0x0000000001430000-0x0000000001442000-memory.dmp

            Filesize

            72KB

          • memory/2716-150-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-133-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-167-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-168-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-169-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-170-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-171-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-172-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-174-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-173-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-175-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-176-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-177-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-178-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-179-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-117-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-118-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-119-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-158-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-159-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-116-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-121-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-157-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-156-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-161-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-122-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-149-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-124-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-125-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-126-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-127-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-128-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-155-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-162-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-154-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-153-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-152-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-166-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-151-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-129-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-164-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-130-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-160-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-148-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-131-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-139-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-132-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-144-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-145-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-143-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-146-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-142-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-165-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-141-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-147-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-140-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-138-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-137-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-163-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-134-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-135-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/2716-136-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/3884-284-0x00000000017D0000-0x00000000017DC000-memory.dmp

            Filesize

            48KB

          • memory/3884-285-0x0000000002F90000-0x0000000002F9C000-memory.dmp

            Filesize

            48KB

          • memory/3884-286-0x0000000002FA0000-0x0000000002FAC000-memory.dmp

            Filesize

            48KB

          • memory/3884-283-0x00000000017C0000-0x00000000017D2000-memory.dmp

            Filesize

            72KB

          • memory/3884-282-0x0000000000E20000-0x0000000000F30000-memory.dmp

            Filesize

            1.1MB

          • memory/4544-329-0x000001FDAB6D0000-0x000001FDAB6F2000-memory.dmp

            Filesize

            136KB

          • memory/4680-335-0x000002657B4D0000-0x000002657B546000-memory.dmp

            Filesize

            472KB

          • memory/4892-182-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB

          • memory/4892-181-0x0000000077A60000-0x0000000077BEE000-memory.dmp

            Filesize

            1.6MB