Analysis

  • max time kernel
    139s
  • max time network
    146s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    01/11/2022, 10:40

General

  • Target

    afed5f5542d939ae14784a670319167d4a3e9d5a3d421443f7de8f473c42a74b.exe

  • Size

    1.3MB

  • MD5

    069ab7753787b28e4cae6ed668eee798

  • SHA1

    ec766d6180e92cbdaec010c468541b2d75212cb7

  • SHA256

    afed5f5542d939ae14784a670319167d4a3e9d5a3d421443f7de8f473c42a74b

  • SHA512

    00ed9370904e400647f64157a788809b8986019f341fcf7e482f22e949288f84d80b85f2a8c42f630884c2d231d79389fd7f444f90e0286da2a4f3954ae32712

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, capable of loading additional plugins.

  • Process spawned unexpected child process (33 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload (15 IoCs)

    Detects the payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE (11 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
  • Drops file in Program Files directory (9 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) (1 TTPs, 33 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class (11 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\afed5f5542d939ae14784a670319167d4a3e9d5a3d421443f7de8f473c42a74b.exe
    "C:\Users\Admin\AppData\Local\Temp\afed5f5542d939ae14784a670319167d4a3e9d5a3d421443f7de8f473c42a74b.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4372
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3044
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3148
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4176
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\services.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2296
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OfficeClickToRun.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2940
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\PrintHood\ShellExperienceHost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2684
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\Idle.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1940
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SearchUI.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3952
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\RuntimeBroker.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3572
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\en-US\spoolsv.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4144
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:992
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\System.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4068
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\csrss.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:848
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2932
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vn4jLRsnhP.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2592
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:3736
              • C:\odt\services.exe
                "C:\odt\services.exe"
                6⤵
                • Executes dropped EXE
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:4428
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:768
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:3408
                    • C:\odt\services.exe
                      "C:\odt\services.exe"
                      8⤵
                      • Executes dropped EXE
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of WriteProcessMemory
                      PID:1828
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:5088
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                            PID:4756
                          • C:\odt\services.exe
                            "C:\odt\services.exe"
                            10⤵
                            • Executes dropped EXE
                            • Modifies registry class
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of WriteProcessMemory
                            PID:4028
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PX74P8KQcP.bat"
                              11⤵
                              • Suspicious use of WriteProcessMemory
                              PID:2144
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                12⤵
                                  PID:64
                                • C:\odt\services.exe
                                  "C:\odt\services.exe"
                                  12⤵
                                  • Executes dropped EXE
                                  • Modifies registry class
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of WriteProcessMemory
                                  PID:4224
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r40S8pVzgD.bat"
                                    13⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:3700
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      14⤵
                                        PID:992
                                      • C:\odt\services.exe
                                        "C:\odt\services.exe"
                                        14⤵
                                        • Executes dropped EXE
                                        • Modifies registry class
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of WriteProcessMemory
                                        PID:2544
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dbjknkRRi.bat"
                                          15⤵
                                            PID:3556
                                            • C:\odt\services.exe
                                              "C:\odt\services.exe"
                                              16⤵
                                              • Executes dropped EXE
                                              • Modifies registry class
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:4480
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat"
                                                17⤵
                                                  PID:1116
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    18⤵
                                                      PID:4660
                                                    • C:\odt\services.exe
                                                      "C:\odt\services.exe"
                                                      18⤵
                                                      • Executes dropped EXE
                                                      • Modifies registry class
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      PID:5024
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CZdmQsnKkU.bat"
                                                        19⤵
                                                          PID:4020
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            20⤵
                                                              PID:1456
                                                            • C:\odt\services.exe
                                                              "C:\odt\services.exe"
                                                              20⤵
                                                              • Executes dropped EXE
                                                              • Modifies registry class
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              PID:1576
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gJVLZ7RDs3.bat"
                                                                21⤵
                                                                  PID:1996
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    22⤵
                                                                      PID:4060
                                                                    • C:\odt\services.exe
                                                                      "C:\odt\services.exe"
                                                                      22⤵
                                                                      • Executes dropped EXE
                                                                      • Modifies registry class
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      PID:2932
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbn0SniZDX.bat"
                                                                        23⤵
                                                                          PID:4048
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            24⤵
                                                                              PID:740
                                                                            • C:\odt\services.exe
                                                                              "C:\odt\services.exe"
                                                                              24⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              PID:4044
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OPH1A2PBmS.bat"
                                                                                25⤵
                                                                                  PID:2436
                                                                                  • C:\odt\services.exe
                                                                                    "C:\odt\services.exe"
                                                                                    26⤵
                                                                                      PID:164
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:696
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4860
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4248
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\odt\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4764
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\odt\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4680
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\odt\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3136
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4660
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4736
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4632
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\providercommon\OfficeClickToRun.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:396
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:488
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\PrintHood\ShellExperienceHost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4892
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\ShellExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1280
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\PrintHood\ShellExperienceHost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1272
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\odt\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1524
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1076
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:344
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 14 /tr "'C:\providercommon\SearchUI.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2056
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\providercommon\SearchUI.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2208
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 11 /tr "'C:\providercommon\SearchUI.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:768
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\odt\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4784
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3388
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:204
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:188
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3376
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3336
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\en-US\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:164
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\en-US\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3344
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\en-US\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1592
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2284
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2260
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4148
  • C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    1⤵
      PID:4148
  • C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    1⤵
      PID:5008

                                      Network

                                            MITRE ATT&CK Enterprise v6


                                            Downloads


                                              SHA512

                                              f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                            • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                              Filesize

                                              197B

                                              MD5

                                              8088241160261560a02c84025d107592

                                              SHA1

                                              083121f7027557570994c9fc211df61730455bb5

                                              SHA256

                                              2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                              SHA512

                                              20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
