Analysis

  • max time kernel
    148s
  • max time network
    145s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    01/11/2022, 11:36

General

  • Target

    c3696a495682e0596f2cef84c0cc2050db2a6b1845a16cf23ce16b4c1c3d384b.exe

  • Size

    1.3MB

  • MD5

    3a82df90bc435117b625675030fb0bd0

  • SHA1

    5261f60ff20319c3daf450763aa41e6c3c8209c2

  • SHA256

    c3696a495682e0596f2cef84c0cc2050db2a6b1845a16cf23ce16b4c1c3d384b

  • SHA512

    9a6a0c9444f61c0b585b250efce2e97ab4ff5990cd0189603d0929e1bfee2ac78cb572e61dd464d7b9bbbf09021e8f9bd7f67d6d2990ea02e0dc8ac9cdf09334

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

  • Process spawned unexpected child process 30 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 17 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 14 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox attaches "likely ransomware behaviour" to every hit of this signature; for a RAT family such as DCRat the hit on its own only shows drive enumeration and is not evidence of encryption activity.

  • Creates scheduled task(s) 1 TTPs 30 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 14 IoCs
  • Suspicious behavior: EnumeratesProcesses 61 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
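The signature hits above are the sandbox's pattern matches; the process tree below shows the command lines behind four of them (Defender exclusions added via Add-MpPreference, schtasks persistence at HIGHEST run level into non-standard directories, system binary names such as sihost.exe and conhost.exe running from directories they never ship in, and w32tm /stripchart used as a sleep). The following is an added example, not part of the report or of any vendor tooling: detection rules in Python run over constructed process-creation records whose PIDs, images and command lines are copied from the tree. The ProcEvent record, the rule names and the small allow-list of legitimate locations are this example's own assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon event 1 / Security 4688 style)."""
    pid: int
    image: str
    cmdline: str
    parent_image: str


# Where the system binary names this sample borrows legitimately live
# (assumption of this example: a small allow-list, not a full Windows inventory).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
LEGIT_EXACT = {r"c:\windows\explorer.exe"}
LEGIT_PREFIXES = ("c:\\windows\\systemapps\\",)   # SearchUI.exe, ShellExperienceHost.exe
MASQUERADE_NAMES = {"sihost.exe", "conhost.exe", "dllhost.exe", "explorer.exe",
                    "searchui.exe", "shellexperiencehost.exe", "cmd.exe"}

EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.I)
TASK_NAME_RE = re.compile(r'/tn\s+"([^"]+)"', re.I)
TASK_RUN_RE = re.compile(r'''/tr\s+"'?([^"']+)'?"''', re.I)


def expected_location(image: str) -> bool:
    """True when the path is one this binary name legitimately ships from."""
    p = image.lower()
    return (str(PureWindowsPath(p).parent) in SYSTEM_DIRS
            or p in LEGIT_EXACT or p.startswith(LEGIT_PREFIXES))


def analyse(events: list[ProcEvent]) -> list[tuple[str, int, str]]:
    """Return (rule, pid, detail) for each technique the process tree exhibits."""
    findings: list[tuple[str, int, str]] = []
    for ev in events:
        name = PureWindowsPath(ev.image).name.lower()
        cmd = ev.cmdline
        # 1. Defender exclusion added from the command line (defence evasion).
        m = EXCLUSION_RE.search(cmd)
        if m:
            findings.append(("defender_exclusion_added", ev.pid, m.group(1)))
        # 2. schtasks /create running at HIGHEST or pointing outside system dirs.
        if name == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
            tn, tr = TASK_NAME_RE.search(cmd), TASK_RUN_RE.search(cmd)
            target = tr.group(1) if tr else "?"
            highest = re.search(r"/rl\s+HIGHEST", cmd, re.I) is not None
            if highest or not expected_location(target):
                detail = f"{tn.group(1) if tn else '?'} -> {target}"
                findings.append(("schtasks_persistence", ev.pid,
                                 detail + (" [HIGHEST]" if highest else "")))
        # 3. A system binary name executing from a directory it never ships in.
        if name in MASQUERADE_NAMES and not expected_location(ev.image):
            findings.append(("system_binary_name_outside_system_dir", ev.pid, ev.image))
        # 4. w32tm /stripchart against localhost, launched from a batch file: a sleep.
        low = cmd.lower()
        if (name == "w32tm.exe" and "/stripchart" in low and "/computer:localhost" in low
                and PureWindowsPath(ev.parent_image).name.lower() == "cmd.exe"):
            findings.append(("w32tm_stripchart_sleep", ev.pid, cmd))
    return findings


def ps_exclusion(pid: int, path: str) -> ProcEvent:
    """Constructed event shaped like the report's powershell Add-MpPreference lines."""
    return ProcEvent(pid, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                     f"\"powershell\" -Command Add-MpPreference -ExclusionPath '{path}'",
                     r"C:\providercommon\DllCommonsvc.exe")


def schtask(pid: int, tn: str, sc: str, tr: str, highest: bool) -> ProcEvent:
    """Constructed event shaped like the report's schtasks.exe /create lines; the
    report shows these at the tree root, so the parent image is left unknown."""
    rl = " /rl HIGHEST" if highest else ""
    return ProcEvent(pid, r"C:\Windows\system32\schtasks.exe",
                     f"schtasks.exe /create /tn \"{tn}\" /sc {sc} /tr \"'{tr}'\"{rl} /f", "")


# Constructed events; PIDs, images and command lines are copied from the tree.
SAMPLE_EVENTS = [
    ProcEvent(1316, r"C:\providercommon\DllCommonsvc.exe",
              r'"C:\providercommon\DllCommonsvc.exe"', r"C:\Windows\SysWOW64\cmd.exe"),
    ps_exclusion(1048, r"C:\providercommon\DllCommonsvc.exe"),
    ps_exclusion(204, r"C:\Windows\addins\sihost.exe"),
    ProcEvent(4612, r"C:\Windows\system32\w32tm.exe",
              "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(2224, r"C:\Windows\addins\sihost.exe", r'"C:\Windows\addins\sihost.exe"',
              r"C:\Windows\System32\cmd.exe"),
    schtask(788, "sihost", "ONLOGON", r"C:\Windows\addins\sihost.exe", True),
    schtask(4900, "conhostc", "MINUTE /mo 5",
            r"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\conhost.exe", True),
    # Benign control (constructed): the real cmd.exe listing a directory must not fire.
    ProcEvent(9001, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c dir',
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for rule, pid, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule:<40} pid={pid:<5} {detail}")
```

Rule 3 is the one worth tuning before deployment: the allow-list here covers only the names this sample reuses, and a real inventory of where each Windows binary legitimately lives (including WinSxS and per-user package paths) is larger. Rule 2 deliberately fires on `/rl HIGHEST` regardless of target, because a task that runs a dropped file with highest privileges every few minutes is the persistence pattern the tree shows, whatever the path.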

Processes

  • C:\Users\Admin\AppData\Local\Temp\c3696a495682e0596f2cef84c0cc2050db2a6b1845a16cf23ce16b4c1c3d384b.exe
    "C:\Users\Admin\AppData\Local\Temp\c3696a495682e0596f2cef84c0cc2050db2a6b1845a16cf23ce16b4c1c3d384b.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4236
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3576
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4496
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1316
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1048
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\explorer.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2508
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\SearchUI.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4164
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\DllCommonsvc.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1212
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TeQomSDh46.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4592
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:4612
              • C:\Windows\addins\sihost.exe
                "C:\Windows\addins\sihost.exe"
                6⤵
                • Executes dropped EXE
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:2224
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z9xTb8lNHs.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:5112
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:3832
                    • C:\Windows\addins\sihost.exe
                      "C:\Windows\addins\sihost.exe"
                      8⤵
                      • Executes dropped EXE
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of WriteProcessMemory
                      PID:3676
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4684
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                            PID:4340
                          • C:\Windows\addins\sihost.exe
                            "C:\Windows\addins\sihost.exe"
                            10⤵
                            • Executes dropped EXE
                            • Modifies registry class
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of WriteProcessMemory
                            PID:4696
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z9xTb8lNHs.bat"
                              11⤵
                              • Suspicious use of WriteProcessMemory
                              PID:4408
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                12⤵
                                  PID:3672
                                • C:\Windows\addins\sihost.exe
                                  "C:\Windows\addins\sihost.exe"
                                  12⤵
                                  • Executes dropped EXE
                                  • Modifies registry class
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of WriteProcessMemory
                                  PID:3680
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat"
                                    13⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:5088
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      14⤵
                                        PID:2052
                                      • C:\Windows\addins\sihost.exe
                                        "C:\Windows\addins\sihost.exe"
                                        14⤵
                                        • Executes dropped EXE
                                        • Modifies registry class
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of WriteProcessMemory
                                        PID:3388
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat"
                                          15⤵
                                          • Suspicious use of WriteProcessMemory
                                          PID:4052
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            16⤵
                                              PID:1280
                                            • C:\Windows\addins\sihost.exe
                                              "C:\Windows\addins\sihost.exe"
                                              16⤵
                                              • Executes dropped EXE
                                              • Modifies registry class
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:1220
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w2PRcJO5W1.bat"
                                                17⤵
                                                  PID:4716
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    18⤵
                                                      PID:3688
                                                    • C:\Windows\addins\sihost.exe
                                                      "C:\Windows\addins\sihost.exe"
                                                      18⤵
                                                      • Executes dropped EXE
                                                      • Modifies registry class
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      PID:416
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aTd08pZfDw.bat"
                                                        19⤵
                                                          PID:2724
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            20⤵
                                                              PID:1748
                                                            • C:\Windows\addins\sihost.exe
                                                              "C:\Windows\addins\sihost.exe"
                                                              20⤵
                                                              • Executes dropped EXE
                                                              • Modifies registry class
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              PID:4712
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CrTeqwt2Oo.bat"
                                                                21⤵
                                                                  PID:5032
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    22⤵
                                                                      PID:2468
                                                                    • C:\Windows\addins\sihost.exe
                                                                      "C:\Windows\addins\sihost.exe"
                                                                      22⤵
                                                                      • Executes dropped EXE
                                                                      • Modifies registry class
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      PID:4584
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yyRUJOSyqo.bat"
                                                                        23⤵
                                                                          PID:32
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            24⤵
                                                                              PID:4024
                                                                            • C:\Windows\addins\sihost.exe
                                                                              "C:\Windows\addins\sihost.exe"
                                                                              24⤵
                                                                              • Executes dropped EXE
                                                                              • Modifies registry class
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              PID:3316
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nl6pt1R060.bat"
                                                                                25⤵
                                                                                  PID:4912
                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    26⤵
                                                                                      PID:2224
                                                                                    • C:\Windows\addins\sihost.exe
                                                                                      "C:\Windows\addins\sihost.exe"
                                                                                      26⤵
                                                                                      • Executes dropped EXE
                                                                                      • Modifies registry class
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      PID:3460
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzqLwOyuSO.bat"
                                                                                        27⤵
                                                                                          PID:3524
                                                                                          • C:\Windows\system32\w32tm.exe
                                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                            28⤵
                                                                                              PID:1624
                                                                                            • C:\Windows\addins\sihost.exe
                                                                                              "C:\Windows\addins\sihost.exe"
                                                                                              28⤵
                                                                                              • Executes dropped EXE
                                                                                              • Modifies registry class
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              PID:4512
                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat"
                                                                                                29⤵
                                                                                                  PID:4684
                                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                                    30⤵
                                                                                                      PID:4596
                                                                                                    • C:\Windows\addins\sihost.exe
                                                                                                      "C:\Windows\addins\sihost.exe"
                                                                                                      30⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                      PID:4396
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2624
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\explorer.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3344
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\sihost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:204
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\ShellExperienceHost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3388
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech_OneCore\Engines\Lexicon\dllhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3408
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\SearchUI.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:816
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\conhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1908
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4900
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4924
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4596
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 7 /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4468
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1000
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\odt\ShellExperienceHost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3200
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\addins\sihost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:788
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:916
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1688
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 14 /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1860
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1460
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 7 /tr "'C:\odt\SearchUI.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1532
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1820
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2200
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2172
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1692
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\providercommon\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:868
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:696
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\odt\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1044
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Favorites\explorer.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:4656
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Favorites\explorer.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:4908
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Favorites\explorer.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:744
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Windows\addins\sihost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:4724
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\sihost.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:4784
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:656
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:3076
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:588
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\dllhost.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:4492
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:4476
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 5 /tr "'C:\odt\SearchUI.exe'" /f
                                            1⤵
                                            • Process spawned unexpected child process
                                            • Creates scheduled task(s)
                                            PID:508

                                          Network

                                                MITRE ATT&CK Enterprise v6


                                                Downloads

                                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                  Filesize

                                                  3KB

                                                  MD5

                                                  ad5cd538ca58cb28ede39c108acb5785

                                                  SHA1

                                                  1ae910026f3dbe90ed025e9e96ead2b5399be877

                                                  SHA256

                                                  c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

                                                  SHA512

                                                  c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

                                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

                                                  Filesize

                                                  1KB

                                                  MD5

                                                  d63ff49d7c92016feb39812e4db10419

                                                  SHA1

                                                  2307d5e35ca9864ffefc93acf8573ea995ba189b

                                                  SHA256

                                                  375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

                                                  SHA512

                                                  00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                  Filesize

                                                  1KB

                                                  MD5

                                                  02a019f0a061d1a48d160465b5e632de

                                                  SHA1

                                                  240081b27e884c8f7b2038929a743e53b6a14ac7

                                                  SHA256

                                                  be0143a8383b2ad9b23331773e4cf85cfdd61c34a02fd68563e30ea40fa9287f

                                                  SHA512

                                                  09740cab0be6760f3aebae6cb9de1eb317030cbbf19a4785ddcbf9d7023c5beeb45b6a8cd695cbbe56c44665b13b2949e214da6653ca2f05b63e6a03907118ec

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                  Filesize

                                                  1KB

                                                  MD5

                                                  325ba7c3266373711c72fa591e381ca3

                                                  SHA1

                                                  d16f8386bd2e3792a56dc50569266877f65cc0c1

                                                  SHA256

                                                  71df852f809578511b4edfc899edd474e540742be217ec5af6c13c0623051242

                                                  SHA512

                                                  97c0dd863c22d902c3cbc994b055ec0cabfc4176555a0c4e73a05989d1485175f4e5ae094dc92e99f6342d0cdfb64e5e94c3604104c6d074d8001e2aa7db8c63

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                  Filesize

                                                  1KB

                                                  MD5

                                                  ad6ce0f6cc83faff98595c7e1f17b896

                                                  SHA1

                                                  7914de44c8a333a3df38eb79620b3f08858fa4ad

                                                  SHA256

                                                  b8e57cc7e51f60ca79334054f1edf60d4dd4476282890f4810a65eb6378f0079

                                                  SHA512

                                                  c70acc8c01b65f72207b7a6d93921c41d89d2b0c41973274d8680bdf09160354fd958cc72b41ef414b367e017e4be71f5c8c0ba85c4e4ab85c590ebac0150719

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                  Filesize

                                                  1KB

                                                  MD5

                                                  fa366de96c6a8b5fa476a522d53296c5

                                                  SHA1

                                                  327cb5c81735f30b5d41a8ed9b469aff827227e9

                                                  SHA256

                                                  84a1fa9bf57ff953b568802272747a3f8749678da78cd3b3ad3ae7a6d19caf22

                                                  SHA512

                                                  f93a42a1222f55c2f5456f9577d6bb88442ce12897025a0e72665a39eaa303679d9417e7f0269f07433d1b62edca52c8c9d554c630f56c31cfb7596638e44c6b

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                  Filesize

                                                  1KB

                                                  MD5

                                                  91481f12aabf4281c70a4c021d394fce

                                                  SHA1

                                                  f80242317d997c130ac1575147232d84fb148ab0

                                                  SHA256

                                                  60562bc49975a547b33c20ad9d6e08df9d0b15bddc417ec1a8c1f39c36a88bc5

                                                  SHA512

                                                  f96221f33a3a5923cd857a9982a4070335e9582a09a1e0d406380dee4ecfa6f74a2c815a0c1b6208d917ffd8f9d0c3afc1adc536589e019344986947e6b46536

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                  Filesize

                                                  1KB

                                                  MD5

                                                  438866b18db37c0a6cce03c7a9dc8efe

                                                  SHA1

                                                  10334348f0535618938fa9de9d966aea941f8ac9

                                                  SHA256

                                                  147f32eeb82d505e18d7c1db7adfde57e0ee95b5ebb5083b50f329e0030d3b6b

                                                  SHA512

                                                  3b93c8db469c873a190cd69b5cc21d9a57eea95f4c728bb46ebd2e07646ebe93234fdb588b20ae6a3643956699065d7666954b3968bd86713ab4bdc69388e854

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                  Filesize

                                                  1KB

                                                  MD5

                                                  17e952dd76815c2779e2b07c8b4a74af

                                                  SHA1

                                                  660be13fca327bcb5766849be6d864c30ab7c546

                                                  SHA256

                                                  8a824e0a3dcea2dff871a45f9104d7f569cf2137a7d733ab425c3a860e334db9

                                                  SHA512

                                                  0002b5fe0866b5cf0a7f2c7751a763be62ba92eeb52811819045e781f2d29a73619b6cc6574afe496590522473f66a823bbf89b2295ff58348dd79e9563e481b

                                                • C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat

                                                  Filesize

                                                  193B

                                                  MD5

                                                  20a15bea2af2bbee568898a0f3889e02

                                                  SHA1

                                                  22730eebc0f4bbeca1e38a82e98cc893ea223f70

                                                  SHA256

                                                  0ba59b55ea723021c9237f9fbea5b107d86eee67a7db3e4a1f8680d4ee8334bf

                                                  SHA512

                                                  152abdb0f4143366f7c7a99544ec1624b2ea056d202dd8a89313b0a60a5da80a49fad7ed78e77156dfcc0370776c90d6c7117000904189e90fd942520c8e4cc6

                                                • C:\Users\Admin\AppData\Local\Temp\CrTeqwt2Oo.bat

                                                  Filesize

                                                  193B

                                                  MD5

                                                  237561babddf8d638a30baec71d52fa3

                                                  SHA1

                                                  5f681941f767c865a93e28152c6b75d1edf901d5

                                                  SHA256

                                                  c8cfa62d55233d5ba7f59f474ead575f65fd8322b776c409084f466bb416ab65

                                                  SHA512

                                                  ab5db6539da2b9e4bc2ab2a51380201204e37d3aed9ddbdb5db8d6e723118177e80f79ea4059d07affd77ebca951c072c65d9c3862cf84d64a0b7b017d2c9bde

                                                • C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat

                                                  Filesize

                                                  193B

                                                  MD5

                                                  f34daa47e943522c0f3ad5287863f7bc

                                                  SHA1

                                                  b2e4f9c75573a225929de89d898fe127875f0133

                                                  SHA256

                                                  3cf0bbe2ee0b1ee409d82a22002bedcbb3c691fc2783a33cdf5ccbf9197fbba0

                                                  SHA512

                                                  c8d6452b6805c4fb60459e0de4512c082af9ffbb6a7b35bfa290e66d06d0e0ce068f187bbda87331057eee0f9ac83e4edfbb76ad3274b51461d55436d1ec6b2a

                                                • C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat

                                                  Filesize

                                                  193B

                                                  MD5

                                                  ca98d0d30b65b9a90928a5db8c1c0dd9

                                                  SHA1

                                                  cf64fb1145eec1fe817925aa948e801f131f616c

                                                  SHA256

                                                  e33fc417e02b03a758f52e56dd918a9423bda1f253fd908c69c0593e77ffced1

                                                  SHA512

                                                  16ce23d992101d79ab9c17b493fc453b0897e1a443aa2fb8fcaf665056420b149f3fd34436120c7fb825d8c92c1c4ee1e08519d843e46dfa199fff0105f4fcff

                                                • C:\Users\Admin\AppData\Local\Temp\Nl6pt1R060.bat

                                                  Filesize

                                                  193B

                                                  MD5

                                                  da578db8e7b1bbec052458ada2354a03

                                                  SHA1

                                                  dc48c6cac634ef0c9d5dcd64b925664de3d48ebe

                                                  SHA256

                                                  ea623f3f959758328560064b7f2f8dc97a448dd5b8bf6356d55e616decd08128

                                                  SHA512

                                                  dd573f8a3bb5dfc1eaf4fc3ea6e5146af05212cbc9620cf66774576d3c969bf27c7ccad2e41c86900e1fcce610cc5da88c65eb71ed8ade6f517a711acd489422

                                                • C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat

                                                  Filesize

                                                  193B

                                                  MD5

                                                  68d7058740841eb184f3e1ce5d8eb796

                                                  SHA1

                                                  99263232d574cb9aae2e2e4a3269e36575219be0

                                                  SHA256

                                                  030ea6e015b0b3285d9550ee9a3de60ca5f6c7fa5dedfdb6f158c77f8980a59f

                                                  SHA512

                                                  8335184816f2d0667e51cc4f8449cf27b866cdb496a1376b2a1fab00977f6e5bc49930c76429f55689db98906236f0a7537308eed214ba7c9451ba71bc2d4975

                                                • C:\Users\Admin\AppData\Local\Temp\TeQomSDh46.bat

                                                  Filesize

                                                  193B

                                                  MD5

                                                  71690e3cefbb38040ca32a39d0f58772

                                                  SHA1

                                                  dbebc5a01c065d1732684a57e06c59161592f5ff

                                                  SHA256

                                                  295fbd6cc95bedba7589150dcfe4346c9f1c57d9b77c0eae2dc0541e824ebb5a

                                                  SHA512

                                                  35005cf28f6e5de331e97785fb4d618f9094b0697fda78c1bd11a891fdab7b4a0158b05db33459f569a6a4d173b6f0447a66a27e88a62e59a1abfc50c4cd9c29

                                                • C:\Users\Admin\AppData\Local\Temp\aTd08pZfDw.bat

                                                  Filesize

                                                  193B

                                                  MD5

                                                  934889a4e1fb725807bac0e6482492b3

                                                  SHA1

                                                  bee0b2f446f19f8bb31363063e1a024b2e827fc9

                                                  SHA256

                                                  0e1c91530655e242750c083bf1a0f49ad1236d23aafe8de67e6aa4f66c34bd77

                                                  SHA512

                                                  712ab20d007f72d9fd599b3c0c36139642f34b43e34e407eda14715509322d6fd8890026f746f7198c6dfeded451bcee27b633b5b2ff94510f6d9065823c0fc2

                                                • C:\Users\Admin\AppData\Local\Temp\qzqLwOyuSO.bat

                                                  Filesize

                                                  193B

                                                  MD5

                                                  7bc7e4b5924094ee62b95fb0d6eb855e

                                                  SHA1

                                                  acfe8493715eac24eee9d8aee16fda24939d9b8b

                                                  SHA256

                                                  41f1bf4396e999468648e4132fe5c4a33d0e227bb52b7733b2b825914a6f7131

                                                  SHA512

                                                  03afde1a043c30a01400ca14108bc35f166791dd5a94f26234300b8b5d090681a613417da5910a4f6f27174302c9117b6ba2c999cd9c1a7b9828a724f2f76731

                                                • C:\Users\Admin\AppData\Local\Temp\w2PRcJO5W1.bat

                                                  Filesize

                                                  193B

                                                  MD5

                                                  e35bf0f3a67c910f59264a0f0fe7b92b

                                                  SHA1

                                                  2bfa071ea51aef75644ca42b2e88f6b98d2c81b6

                                                  SHA256

                                                  10b51a2efa4ecac4e5165ded7f50f450d858507d1a3dad6f2184fcdee4c0a460

                                                  SHA512

                                                  d55f9fa5473603e7c945dcd0f37f046381dd33d4441f282dbcf9a256d773f43e74af57b20dcd19310bec52da759c7937253c47690be41cd3d4dbdcf2023a9d14

                                                • C:\Users\Admin\AppData\Local\Temp\yyRUJOSyqo.bat

                                                  Filesize

                                                  193B

                                                  MD5

                                                  0a4215511608b8893b6158e46327c860

                                                  SHA1

                                                  17e538a3d698f52028f35d3e33f48efcb70f0892

                                                  SHA256

                                                  f89adffec88786018758be9a1637fdc81f9278b797925a7ed831472aa26478c2

                                                  SHA512

                                                  4fee364d4ffad0599b174e717614b4f24f80c2732262151bf0ca09176578bd22e26f4c4ca4342e595eceeb7bb99361423efa3a378491c53176d3909b6d43b8e8

                                                • C:\Users\Admin\AppData\Local\Temp\z9xTb8lNHs.bat

                                                  Filesize

                                                  193B

                                                  MD5

                                                  df0d72e6751ede3d32d0d6e337f9875f

                                                  SHA1

                                                  25a5e29b6c9b70648d484865853b93c05c844bc9

                                                  SHA256

                                                  7de1f1bcfc34a65d66feab9a19e6e2612ec5f111430e1b68ac64cba4643ad1ab

                                                  SHA512

                                                  c345a95fcdd6f1b77da4f8d64f6e67bf11456c94ffdb7097832c4f1585a6e3ed3d0fdba5a81d48ec6f611fe51bc98322648513744e1a487b285509abf85c88c2

                                                • C:\Windows\addins\sihost.exe

                                                  Filesize

                                                  1.0MB

                                                  MD5

                                                  bd31e94b4143c4ce49c17d3af46bcad0

                                                  SHA1

                                                  f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                  SHA256

                                                  b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                  SHA512

                                                  f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                                • C:\Windows\addins\sihost.exe

                                                  Filesize

                                                  1.0MB

                                                  MD5

                                                  bd31e94b4143c4ce49c17d3af46bcad0

                                                  SHA1

                                                  f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                  SHA256

                                                  b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                  SHA512

                                                  f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                                • C:\Windows\addins\sihost.exe

                                                  Filesize

                                                  1.0MB

                                                  MD5

                                                  bd31e94b4143c4ce49c17d3af46bcad0

                                                  SHA1

                                                  f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                  SHA256

                                                  b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                  SHA512

                                                  f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                                • C:\Windows\addins\sihost.exe

                                                  Filesize

                                                  1.0MB

                                                  MD5

                                                  bd31e94b4143c4ce49c17d3af46bcad0

                                                  SHA1

                                                  f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                  SHA256

                                                  b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                  SHA512

                                                  f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                                • C:\Windows\addins\sihost.exe

                                                  Filesize

                                                  1.0MB

                                                  MD5

                                                  bd31e94b4143c4ce49c17d3af46bcad0

                                                  SHA1

                                                  f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                  SHA256

                                                  b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                  SHA512

                                                  f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                                • C:\Windows\addins\sihost.exe

                                                  Filesize

                                                  1.0MB

                                                  MD5

                                                  bd31e94b4143c4ce49c17d3af46bcad0

                                                  SHA1

                                                  f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                  SHA256

                                                  b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                  SHA512

                                                  f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                                • C:\Windows\addins\sihost.exe

                                                  Filesize

                                                  1.0MB

                                                  MD5

                                                  bd31e94b4143c4ce49c17d3af46bcad0

                                                  SHA1

                                                  f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                  SHA256

                                                  b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                  SHA512

                                                  f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                                • C:\Windows\addins\sihost.exe

                                                  Filesize

                                                  1.0MB

                                                  MD5

                                                  bd31e94b4143c4ce49c17d3af46bcad0

                                                  SHA1

                                                  f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                  SHA256

                                                  b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                  SHA512

                                                  f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                                • C:\Windows\addins\sihost.exe

                                                  Filesize

                                                  1.0MB

                                                  MD5

                                                  bd31e94b4143c4ce49c17d3af46bcad0

                                                  SHA1

                                                  f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                  SHA256

                                                  b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                  SHA512

                                                  f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                                • C:\Windows\addins\sihost.exe

                                                  Filesize

                                                  1.0MB

                                                  MD5

                                                  bd31e94b4143c4ce49c17d3af46bcad0

                                                  SHA1

                                                  f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                  SHA256

                                                  b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                  SHA512

                                                  f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                                • C:\Windows\addins\sihost.exe

                                                  Filesize

                                                  1.0MB

                                                  MD5

                                                  bd31e94b4143c4ce49c17d3af46bcad0

                                                  SHA1

                                                  f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                  SHA256

                                                  b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                  SHA512

                                                  f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                                • C:\providercommon\1zu9dW.bat

                                                  Filesize

                                                  36B

                                                  MD5

                                                  6783c3ee07c7d151ceac57f1f9c8bed7

                                                  SHA1

                                                  17468f98f95bf504cc1f83c49e49a78526b3ea03

                                                  SHA256

                                                  8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                                  SHA512

                                                  c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                                • C:\providercommon\DllCommonsvc.exe

                                                  Filesize

                                                  1.0MB

                                                  MD5

                                                  bd31e94b4143c4ce49c17d3af46bcad0

                                                  SHA1

                                                  f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                  SHA256

                                                  b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                  SHA512

                                                  f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                                  Listed twice in the report with identical hashes; collapsed here. These are the same bytes as the C:\Windows\addins\sihost.exe copy above, so one hash entry covers both paths.

                                                • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                  Filesize

                                                  197B

                                                  MD5

                                                  8088241160261560a02c84025d107592

                                                  SHA1

                                                  083121f7027557570994c9fc211df61730455bb5

                                                  SHA256

                                                  2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                                  SHA512

                                                  20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                                • memory/1048-353-0x0000021C282D0000-0x0000021C28346000-memory.dmp

                                                  Filesize

                                                  472KB

                                                • memory/1316-285-0x0000000000920000-0x0000000000A30000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                • memory/1316-286-0x0000000001140000-0x0000000001152000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/1316-287-0x0000000002A80000-0x0000000002A8C000-memory.dmp

                                                  Filesize

                                                  48KB

                                                • memory/1316-288-0x0000000002A90000-0x0000000002A9C000-memory.dmp

                                                  Filesize

                                                  48KB

                                                • memory/1316-289-0x0000000002AA0000-0x0000000002AAC000-memory.dmp

                                                  Filesize

                                                  48KB

                                                • memory/1908-346-0x0000024E25CC0000-0x0000024E25CE2000-memory.dmp

                                                  Filesize

                                                  136KB

                                                • memory/2224-639-0x00000000015F0000-0x0000000001602000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/3576-184-0x0000000076E80000-0x000000007700E000-memory.dmp and memory/3576-185-0x0000000076E80000-0x000000007700E000-memory.dmp (2 dumps of the same region)

                                                  Filesize

                                                  1.6MB

                                                • memory/3676-689-0x0000000000C20000-0x0000000000C32000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/4236-<seq>-0x0000000076E80000-0x000000007700E000-memory.dmp (62 dumps of one region; seq runs 119 to 182 except 123 and 126)

                                                  Filesize

                                                  1.6MB

                                                • memory/4396-748-0x0000000002B40000-0x0000000002B52000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/4512-742-0x0000000001660000-0x0000000001672000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/4584-726-0x0000000001620000-0x0000000001632000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/4696-695-0x0000000000820000-0x0000000000832000-memory.dmp

                                                  Filesize

                                                  72KB

                                                  Entries are regrouped by PID; the original listing printed one line per dump. PIDs 3576 and 4236 dumped the same 0x0000000076E80000-0x000000007700E000 range at the same size, which is consistent with a shared module mapping rather than a process-private unpacked payload; confirm what is mapped at that base in the process's module list before treating the range itself as an indicator. The 48KB and 72KB regions are each specific to a single PID.
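The dropped-file list and the memory-dump list above are the two parts of this report an analyst actually reuses: the first becomes a hash set, the second tells you which regions were worth dumping. The helper below is an added example, not code from the report or from any sandbox vendor; it parses the flattened bullet/field/value layout the page uses, collapses repeated entries, groups identical bytes that landed at several paths, flags a system-binary name written outside System32/SysWOW64, and for each memory region checks the listed size against the address range and notes when several PIDs share one range. The SAMPLE text is a constructed transcription of entries from this page, and SYSTEM_BINARY_NAMES is an assumed starter list.

```python
"""Triage helper for the dropped-file and memory-dump listings above. Added
example, not code from the sandbox report; the bullet/field/value layout, the
SYSTEM_BINARY_NAMES list and the SAMPLE text (transcribed) are assumptions."""
import re
from collections import defaultdict

# Constructed sample: entries copied from the listing above.
SAMPLE = r"""
• C:\Windows\addins\sihost.exe
  Filesize
  1.0MB
  SHA256
  b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
• C:\Windows\addins\sihost.exe
  Filesize
  1.0MB
  SHA256
  b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
• C:\providercommon\DllCommonsvc.exe
  Filesize
  1.0MB
  SHA256
  b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
• memory/4236-119-0x0000000076E80000-0x000000007700E000-memory.dmp
  Filesize
  1.6MB
• memory/4236-120-0x0000000076E80000-0x000000007700E000-memory.dmp
  Filesize
  1.6MB
• memory/3576-184-0x0000000076E80000-0x000000007700E000-memory.dmp
  Filesize
  1.6MB
"""

FIELDS = {"Filesize", "MD5", "SHA1", "SHA256", "SHA512"}
SYSTEM_BINARY_NAMES = {"sihost.exe", "svchost.exe", "lsass.exe"}  # assumption: extend as needed
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp$", re.I)

def parse_listing(text):
    """One dict per bullet, e.g. {'name': ..., 'Filesize': ..., 'SHA256': ...}."""
    entries, pending = [], None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.startswith("\u2022"):          # bullet starts a new file/dump entry
            entries.append({"name": line[1:].strip()})
            pending = None
        elif entries and line in FIELDS:       # field label; its value is the next line
            pending = line
        elif entries and pending:
            entries[-1][pending] = line
            pending = None
    return entries

def human_size(n):
    """Reproduce the report's size rounding so listed sizes can be cross-checked."""
    if n < 1024:
        return f"{n}B"
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"

def is_masquerade(path):
    """A well-known system binary name written outside the system directories."""
    low = path.lower()
    return low.rsplit("\\", 1)[-1] in SYSTEM_BINARY_NAMES and not low.startswith(SYSTEM_DIRS)

def summarize_files(entries):
    """One record per SHA256: every path the same bytes landed at, plus masquerade hits."""
    by_hash = {}
    for e in entries:
        if "SHA256" not in e:
            continue
        rec = by_hash.setdefault(e["SHA256"], {"size": e.get("Filesize"), "paths": set()})
        rec["paths"].add(e["name"])
    for rec in by_hash.values():
        rec["paths"] = sorted(rec["paths"])
        rec["masquerade"] = [p for p in rec["paths"] if is_masquerade(p)]
    return by_hash

def summarize_memory(entries):
    """One row per (pid, start, end): dump count, size check, and other PIDs
    that dumped the same range (usually a shared module mapping, not payload)."""
    regions = {}
    for e in entries:
        m = MEM_RE.match(e["name"])
        if not m:
            continue
        pid, _seq, start, end = m.groups()
        key = (int(pid), int(start, 16), int(end, 16))
        r = regions.setdefault(key, {"dumps": 0, "size": key[2] - key[1], "mismatch": False})
        r["dumps"] += 1
        r["mismatch"] |= e.get("Filesize") != human_size(r["size"])
    pids_by_range = defaultdict(set)
    for pid, start, end in regions:
        pids_by_range[(start, end)].add(pid)
    for (pid, start, end), r in regions.items():
        r["shared_with"] = sorted(pids_by_range[(start, end)] - {pid})
    return regions

if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    print(summarize_files(parsed))
    print(summarize_memory(parsed))
```

Feed it the whole "Files" and memory sections of a report and the output is a deduplicated hash set keyed by SHA256 (with every path those bytes were written to), a list of masqueraded system-binary names, and one row per memory region with a size consistency check; a region whose `shared_with` is non-empty deserves a module-list lookup before it is treated as unpacked payload.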