Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    01/11/2022, 11:37

General

  • Target

    ba665578392cebad6c0225ffd7da0e4d2b85691f9a979a19d366626393d1684c.exe

  • Size

    1.3MB

  • MD5

    c2ab5fcac98d8fde5e0f404124ef19ce

  • SHA1

    4aaac3d368603b79b670262f7b257f63236aab94

  • SHA256

    ba665578392cebad6c0225ffd7da0e4d2b85691f9a979a19d366626393d1684c

  • SHA512

    e21ce9b875ae969e12238cbdff8b584be0dff40673925fb8e3f6aa1bf205a31be5d829c22c9b506b77f0ca77f43d853c643265f2b6adbba194bd85241e9f38b7

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Process spawned unexpected child process (45 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload (15 IoCs)

    Detects the DCRat payload, which is commonly dropped by NSIS installers.

  • Executes dropped EXE (12 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  • Drops file in Program Files directory (2 IoCs)
  • Drops file in Windows directory (6 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) (1 TTP, 45 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class (12 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\ba665578392cebad6c0225ffd7da0e4d2b85691f9a979a19d366626393d1684c.exe
    "C:\Users\Admin\AppData\Local\Temp\ba665578392cebad6c0225ffd7da0e4d2b85691f9a979a19d366626393d1684c.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2836
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1620
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2976
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3960
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:564
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1932
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2044
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\csrss.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2420
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchUI.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2408
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2268
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\sppsvc.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3784
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\dllhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2924
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3340
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4772
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\DllCommonsvc.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4800
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\dllhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1924
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1580
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\ShellExperienceHost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4400
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\sppsvc.exe'
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2800
          • C:\odt\csrss.exe
            "C:\odt\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:5116
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:160
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:800
                • C:\odt\csrss.exe
                  "C:\odt\csrss.exe"
                  7⤵
                  • Executes dropped EXE
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:3892
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ctDgUbHuaY.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:5444
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:5500
                      • C:\odt\csrss.exe
                        "C:\odt\csrss.exe"
                        9⤵
                        • Executes dropped EXE
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:5524
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat"
                          10⤵
                          • Suspicious use of WriteProcessMemory
                          PID:5624
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            11⤵
                              PID:5680
                            • C:\odt\csrss.exe
                              "C:\odt\csrss.exe"
                              11⤵
                              • Executes dropped EXE
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:5700
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F8wGhM86rN.bat"
                                12⤵
                                • Suspicious use of WriteProcessMemory
                                PID:5800
                                • C:\odt\csrss.exe
                                  "C:\odt\csrss.exe"
                                  13⤵
                                  • Executes dropped EXE
                                  • Modifies registry class
                                  PID:5876
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jhJpXqSaXt.bat"
                                    14⤵
                                      PID:5980
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        15⤵
                                          PID:6036
                                        • C:\odt\csrss.exe
                                          "C:\odt\csrss.exe"
                                          15⤵
                                          • Executes dropped EXE
                                          • Modifies registry class
                                          PID:6056
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat"
                                            16⤵
                                              PID:160
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                17⤵
                                                  PID:5184
                                                • C:\odt\csrss.exe
                                                  "C:\odt\csrss.exe"
                                                  17⤵
                                                  • Executes dropped EXE
                                                  • Modifies registry class
                                                  PID:3116
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F8wGhM86rN.bat"
                                                    18⤵
                                                      PID:5112
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        19⤵
                                                          PID:2436
                                                        • C:\odt\csrss.exe
                                                          "C:\odt\csrss.exe"
                                                          19⤵
                                                          • Executes dropped EXE
                                                          • Modifies registry class
                                                          PID:2928
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5EJ4eIa89C.bat"
                                                            20⤵
                                                              PID:648
                                                              • C:\odt\csrss.exe
                                                                "C:\odt\csrss.exe"
                                                                21⤵
                                                                • Executes dropped EXE
                                                                • Modifies registry class
                                                                PID:4372
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat"
                                                                  22⤵
                                                                    PID:3288
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      23⤵
                                                                        PID:2648
                                                                      • C:\odt\csrss.exe
                                                                        "C:\odt\csrss.exe"
                                                                        23⤵
                                                                        • Executes dropped EXE
                                                                        • Modifies registry class
                                                                        PID:2280
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pakqiPPahT.bat"
                                                                          24⤵
                                                                            PID:1928
                                                                            • C:\Windows\system32\w32tm.exe
                                                                              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                              25⤵
                                                                                PID:5076
                                                                              • C:\odt\csrss.exe
                                                                                "C:\odt\csrss.exe"
                                                                                25⤵
                                                                                • Executes dropped EXE
                                                                                • Modifies registry class
                                                                                PID:3956
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wOqzmeZFfo.bat"
                                                                                  26⤵
                                                                                    PID:2596
                                                                                    • C:\Windows\system32\w32tm.exe
                                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                      27⤵
                                                                                        PID:1932
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Videos\smss.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2816
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:3948
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:3156
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:4520
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:3240
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:3684
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:3648
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\odt\csrss.exe'" /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:5076
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:5060
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:4976
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:5096
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:4596
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:4656
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\providercommon\cmd.exe'" /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:4328
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:4660
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:4344
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\odt\sppsvc.exe'" /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:4296
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:4584
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:4496
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\en-US\dllhost.exe'" /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:4508
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\dllhost.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:4548
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\en-US\dllhost.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:4692
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:4456
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:804
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:4600
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:3192
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:4672
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:1048
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\it-IT\dllhost.exe'" /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:1028
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\it-IT\dllhost.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:1356
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\it-IT\dllhost.exe'" /rl HIGHEST /f
                                    1⤵
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:1188
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Windows\debug\DllCommonsvc.exe'" /f
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:904
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\debug\DllCommonsvc.exe'" /rl HIGHEST /f
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:4708
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\DllCommonsvc.exe'" /rl HIGHEST /f
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:1160
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /f
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:516
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:4684
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:32
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Videos\smss.exe'" /f
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:3308
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Videos\smss.exe'" /rl HIGHEST /f
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:200
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Videos\smss.exe'" /rl HIGHEST /f
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:160
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /f
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:2392
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:2216
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:2184
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\TAPI\sppsvc.exe'" /f
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:4912
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\TAPI\sppsvc.exe'" /rl HIGHEST /f
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:1164
                                  • C:\Windows\system32\schtasks.exe
                                    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\TAPI\sppsvc.exe'" /rl HIGHEST /f
                                    • Process spawned unexpected child process
                                    • Creates scheduled task(s)
                                    PID:652
                                  • C:\Windows\system32\w32tm.exe
                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      PID:5856
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        PID:5276

                                      Network

                                            MITRE ATT&CK Enterprise v6

                                            Downloads

                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

                                              Filesize

                                              1KB

                                              MD5

                                              d63ff49d7c92016feb39812e4db10419

                                              SHA1

                                              2307d5e35ca9864ffefc93acf8573ea995ba189b

                                              SHA256

                                              375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

                                              SHA512

                                              00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                              Filesize

                                              3KB

                                              MD5

                                              8592ba100a78835a6b94d5949e13dfc1

                                              SHA1

                                              63e901200ab9a57c7dd4c078d7f75dcd3b357020

                                              SHA256

                                              fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

                                              SHA512

                                              87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              e186e7843427f675720aa5a44346fcc5

                                              SHA1

                                              61e2258b3f3134a2e59cb7c702cc42f016d365e5

                                              SHA256

                                              60cdf598b71610e2ddc0ad3dd8ae885b6857a37ec076dee33e619a9161d1f103

                                              SHA512

                                              2d81c68a9efb1b402d74756d8a7d2aa1e37c0c7d6fdf15aea621792ef8673a9bfdbcbd032bf813ea917dc4167f441307bcf1d17cc0dac1fc14f2d1e6247fc396

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              9dae9b10fed8464da520d9f01d3ea2f9

                                              SHA1

                                              77dc9f45640dbf10aff6965f3c28c7ae24f99213

                                              SHA256

                                              ca2de87fede2a4569fc09b5409edbb344d8b7e1e0e2bd606ee3ce201f6586d7d

                                              SHA512

                                              b71ef41da8ab9df34b7498f5a6d8cc47e21a983b6d8fe4085167f251ef974783eb9fe0e67b8df9dd9de0a1e101cf2beaec822e828cdcf2aa505fb24ffd6eed1e

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              5c441da4958f384fd8d1766ecbe94e2e

                                              SHA1

                                              c011ba96e01475dae49b26989af1ef101c566257

                                              SHA256

                                              db930b7eebc26051c4271be1d3b4283a74ae543680112f66db90f941c2ab042e

                                              SHA512

                                              cca99d0ac36896f50b949b7bd14e6837251145fc3bc142d6974cbb95771adfcf31885333aa8b309dcfe602b46b799ecb2030eee33b40ffb285693384ec08b892

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              8720ec8dc9cf5a8dccd0791358ef583a

                                              SHA1

                                              ad7749c1185d6907c45fc608ecb8da473203ebc8

                                              SHA256

                                              ffb97d747261a663800ba0410abe104f6e9ed4d78d007ae571adcfd258aaefec

                                              SHA512

                                              19ff1289ad07a54fd8c662a71948145a50c33443481db81f2f76cb02dac4b9c1562f8bec2c7d32f996a38510ca0746584e5d1a1617fb6b841da467cdf5cf6626

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              ebea9b8d2699f2183c589dd046404b99

                                              SHA1

                                              cb2142ccfbbc0bbbe4d012f3700296ef75b5a59c

                                              SHA256

                                              4ae97535e164335db434c0a153d9d1700c8bcfca80066838417bec82569df35a

                                              SHA512

                                              061d1dd947bdf30623aaa7d829f965bfb5a8a41bd9867af561b3bde0ba5018386c7d1c48757652f7c40e608f45ac9fd602fa31364446db85d226860b27fbb090

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              71247185f6b866ae1fcef07c5ed12a60

                                              SHA1

                                              2a692d071d38555652d307dbb26c07e29db64370

                                              SHA256

                                              899b324db83a40fb10277e23a768ab250400c4a12a77ccce098286fa4b585d0e

                                              SHA512

                                              2206be9b365cf28169cc696122cd1bb82b00c74ebc7afe7588b8d30ef6aa7460c5ab948acaec6f75eaffbc962a2223fa6fa5442b6a5e09da2b446ea62bbcfb89

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              d5b3e713e95ad7f721b9441b7e629f00

                                              SHA1

                                              69a0060ffb4023d110f70baa89f531b46b759069

                                              SHA256

                                              79388600e027cddfabc1115e55817017032efe5639b19954903540642d0183c5

                                              SHA512

                                              176e1d2e58f0d43558c14117ec84781d9c2f5ff1799ec7055877cd537f61007b2919a198546c392dee0117e58f95d22537a48c1a0015332a11713d07355ad167

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              c43c0d4fde4864fe02f74f8e7d1dbed0

                                              SHA1

                                              437121eb2ef581abd93ff3eea4151f6f54194944

                                              SHA256

                                              58aa6cab35d66524c851e9ec29d0e26bc37d34b2a39b732902b802dbf92193a2

                                              SHA512

                                              46c508b2c5cc05176c0a99fdf6831082c397646e55cc2653f6f593e8f7b592e8adba87d3f5056c45e2308c7951f45ff0520c130fa1dc17c85d06284cb6c860da

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              5ea4596c843e578b58231cafa1f02eb5

                                              SHA1

                                              31c589fc1f649847f046959e3791316dc802b711

                                              SHA256

                                              23a9f71024fb4774c6ee83600330ee2b9a4825bab2f82e5edd462e4f46ff16fe

                                              SHA512

                                              37be98a97779d1bf97f469be9e84eae3bb4cc9e140bf489b1d0c3afaf9cb11b4e8d7fc91a77e4aa36266f882e831a2dea3ff4a35fbc241ff0061dc3f3ddb1509

                                            • C:\Users\Admin\AppData\Local\Temp\5EJ4eIa89C.bat

                                              Filesize

                                              181B

                                              MD5

                                              6c571904eccf059df2a2b9c7c5e14599

                                              SHA1

                                              e83281f57d14ee5c430205d99943f1b162342aab

                                              SHA256

                                              30f4987c39271b2931b08666914bb8aa9a9a692f52050750b11f840fefecf6d3

                                              SHA512

                                              741f4c0cd93d91a07ff34d25662dadc0c66d850958095d50096a1a4995d8d4564455ad9aa650eb28c6ec54a67d2f5baabae08a7036509a8e8f55e65ea2858306

                                            • C:\Users\Admin\AppData\Local\Temp\F8wGhM86rN.bat

                                              Filesize

                                              181B

                                              MD5

                                              77c1227097c246a32cbcf7635fdc7c4c

                                              SHA1

                                              7d4c498278df2d6b98e29c97482956c16b597be4

                                              SHA256

                                              99b44adc2f056d42da296940b4d07a0fe8cae207aec7a3ae0a424a85312cf5b1

                                              SHA512

                                              d2525945e196fb3316a90b409931a1064a7d41b182321b340a9725927705efdfed2c9b24e589c23c8eae3d8025274fea64145a74c5bd2fce6e74e3f513930bc3

                                            • C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat

                                              Filesize

                                              181B

                                              MD5

                                              a20c831336ba3de2a5c3fdec2fdde2a7

                                              SHA1

                                              52f2a5ba3f7caf86b2bd695344bd9b73069236be

                                              SHA256

                                              9af74507f52ddc135f9cbd76feb93ed352be88ad795575c89911bd59fe9c4676

                                              SHA512

                                              1f05df52a96fc79814e9ac003240048aa0fd5b727badb1b2754ce34d74223109387e70c97812a14279b2c408bb42fe32bd217e470047a69fb3a80522c7ad7827

                                            • C:\Users\Admin\AppData\Local\Temp\ctDgUbHuaY.bat

                                              Filesize

                                              181B

                                              MD5

                                              6742f2f77f4e921ad233a4a23f3c1d15

                                              SHA1

                                              fc3212770e8183369ebbf8014f60401e548fe79b

                                              SHA256

                                              3e1434c758488bdea24194fab134d672352ee822abee2786435e9767e102f6c4

                                              SHA512

                                              add3ca18a9b6d87b383b87c76c0247f6d0e24b2cdc317d53a047bc5f3934b044ed448dc156aa5ae3a31c1616b060c6f4adc7d6f6f10ac86d1f94490d6e01d914

                                            • C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat

                                              Filesize

                                              181B

                                              MD5

                                              4d00dc1326c359289baf6301b8df5b9a

                                              SHA1

                                              091525f2ca119b2882dcee79ce72eddd5637a496

                                              SHA256

                                              34062c0cb1b44b951bff0a64f03f0af4233f1707d0aff98f25ce9ae414dae199

                                              SHA512

                                              f6cabf7d4c367aa3c55e44f3e574926d10c5a4ba6b28eb4262f71fab3e8393822ec46d7c4d33807cb5b0e97956f5a507aaf228b118b1902566b91c2d7f731b13

                                            • C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat

                                              Filesize

                                              181B

                                              MD5

                                              5e6c3d183d01926c819f8df45fac43e5

                                              SHA1

                                              8044142c024c2dd5c33905c6231918c1123f6ecc

                                              SHA256

                                              d5c46b393618e947e9efb35bacd039096fe4317a866ab064b6883a7f455ae8e9

                                              SHA512

                                              4c7dc0817358e5a9026070b31449dade01ed848dd0c65463e09b6ae02147238aa0a5838ae850ef14f1229e66c47d3f1f5ba601f7ff866c22a24a0f27e92d7609

                                            • C:\Users\Admin\AppData\Local\Temp\jhJpXqSaXt.bat

                                              Filesize

                                              181B

                                              MD5

                                              0f1821761000a82bb2dcdbe01e064b61

                                              SHA1

                                              039f363971f1b022f8f13791086b83c7ea4c3654

                                              SHA256

                                              be6167cdf4fef6b2a89f3d91df4f6498225fecb325fbc8713a4cef017d4063f9

                                              SHA512

                                              b7f60fb116e346760d80a0e842d43f9c9eecb5de93dd1529d18c1610ec00ef05a78c11ecef0e91ee50aa9752035e6a2aed225cba1036d9b728373b97f42220d4

                                            • C:\Users\Admin\AppData\Local\Temp\pakqiPPahT.bat

                                              Filesize

                                              181B

                                              MD5

                                              dd5820c15338e2ca87339f68cc708bf9

                                              SHA1

                                              daf8d84aeba52eab407bc6efbbd2f43ac4265eac

                                              SHA256

                                              408bf189d2fddebbd224b1f2f151b699c1a906b4a65b65e362654814880b0075

                                              SHA512

                                              3052bf45b1495951b4289eba108c2c18d2c31635aefb9347b121c25d801afc3c11152c34d7ee7d16337fe0313f096445e723b01c05087cfa0d1134c5572dbb4a

                                            • C:\Users\Admin\AppData\Local\Temp\wOqzmeZFfo.bat

                                              Filesize

                                              181B

                                              MD5

                                              f41f55ea42384a397b2014a1d2b3f8fe

                                              SHA1

                                              7fb0b3a88a1b2da28d06354ef71b9afa26c672ab

                                              SHA256

                                              7c93ebc15d6f85b113e411b0ee1f873b9a6ea085537b2dfc7f3528d9252984dc

                                              SHA512

                                              30f1fbaacc51c1f137e86a1b119b33c56c39fcc8445ac5bf704e2c9fb4adb1f17e51c4a32699086bb6748bb1a624117f2860a21375d48f149575c3a2219078f3

                                            • C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat

                                              Filesize

                                              181B

                                              MD5

                                              88ee88e10178c76a0dc36186abeadf57

                                              SHA1

                                              819900b12ea256256252668cc78dd7e6fd923cdf

                                              SHA256

                                              dd5fb40a06164a1ab768a8a704a508a53629fda6760c09d366b1e63c17121bf5

                                              SHA512

                                              ebcf3ee19932df33813d9f3ae99b32e1986edf96b5d1627e7d2267a619392fe36bb8a2bb01dfa2c5cedd71c11978b4547bd03783446e815e9a05def81de6fea9

                                            • C:\odt\csrss.exe

                                              Filesize

                                              1.0MB

                                              MD5

                                              bd31e94b4143c4ce49c17d3af46bcad0

                                              SHA1

                                              f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                              SHA256

                                              b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                              SHA512

                                              f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                            • C:\providercommon\1zu9dW.bat

                                              Filesize

                                              36B

                                              MD5

                                              6783c3ee07c7d151ceac57f1f9c8bed7

                                              SHA1

                                              17468f98f95bf504cc1f83c49e49a78526b3ea03

                                              SHA256

                                              8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                              SHA512

                                              c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                            • C:\providercommon\DllCommonsvc.exe

                                              Filesize

                                              1.0MB

                                              MD5

                                              bd31e94b4143c4ce49c17d3af46bcad0

                                              SHA1

                                              f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                              SHA256

                                              b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                              SHA512

                                              f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                            • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                              Filesize

                                              197B

                                              MD5

                                              8088241160261560a02c84025d107592

                                              SHA1

                                              083121f7027557570994c9fc211df61730455bb5

                                              SHA256

                                              2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                              SHA512

                                              20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                            • memory/564-367-0x00000134C2CE0000-0x00000134C2D02000-memory.dmp

                                              Filesize

                                              136KB

                                            • memory/1620-180-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/1620-181-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2280-898-0x00000000014F0000-0x0000000001502000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/2420-373-0x000001FFF9830000-0x000001FFF98A6000-memory.dmp

                                              Filesize

                                              472KB

                                            • memory/2836-155-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-147-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-162-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-161-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-160-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-164-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-166-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-159-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-165-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-167-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-178-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-177-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-176-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-156-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-175-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-115-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-174-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-173-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-158-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-172-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-171-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-157-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-168-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-154-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-153-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-152-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-151-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-150-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-170-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-149-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-148-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-163-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-146-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-145-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-144-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-143-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-142-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-141-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-140-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-139-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-138-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-137-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-136-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-135-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-134-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-133-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-132-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-131-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-130-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-129-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-169-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-128-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-127-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-126-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-125-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-124-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-123-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-121-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-120-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-118-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-117-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2836-116-0x00000000771B0000-0x000000007733E000-memory.dmp

                                              Filesize

                                              1.6MB

                                            • memory/2928-887-0x0000000001250000-0x0000000001262000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/3956-904-0x0000000000FE0000-0x0000000000FF2000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/3960-283-0x0000000001840000-0x000000000184C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/3960-285-0x0000000001A00000-0x0000000001A0C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/3960-284-0x0000000001850000-0x000000000185C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/3960-282-0x0000000001820000-0x0000000001832000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/3960-281-0x0000000000FC0000-0x00000000010D0000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/5116-370-0x0000000001860000-0x0000000001872000-memory.dmp

                                              Filesize

                                              72KB
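Added example, not part of the sandbox report and not tooling from DCRat or the sandbox vendor: a Python script that parses the dropped-file listing above in the report's own layout (a bullet carrying the path, then Filesize/MD5/SHA1/SHA256/SHA512 as key lines followed by value lines), groups entries by SHA256, and re-hashes any listed path that exists on a host or under a mounted image directory. The excerpt embedded in the script is copied from the entries above with SHA1 and SHA512 omitted; the mapping of the `C:\` drive onto a `root` directory is an assumption made for offline use, and the memory-dump entries are parsed but skipped for hashing because they carry no digest.

```python
import hashlib
import re
from collections import defaultdict
from pathlib import Path

# Constructed excerpt, copied from the dropped-file entries in the report above
# (SHA1/SHA512 values left out to keep it short; the parser accepts them if present).
REPORT_EXCERPT = r"""
• C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat
  Filesize
  181B
  MD5
  88ee88e10178c76a0dc36186abeadf57
  SHA256
  dd5fb40a06164a1ab768a8a704a508a53629fda6760c09d366b1e63c17121bf5
• C:\odt\csrss.exe
  Filesize
  1.0MB
  MD5
  bd31e94b4143c4ce49c17d3af46bcad0
  SHA256
  b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
• C:\providercommon\DllCommonsvc.exe
  Filesize
  1.0MB
  MD5
  bd31e94b4143c4ce49c17d3af46bcad0
  SHA256
  b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
• memory/3960-281-0x0000000000FC0000-0x00000000010D0000-memory.dmp
  Filesize
  1.1MB
"""

FIELDS = {"Filesize": "size", "MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}


def parse_dropped_files(text):
    """Turn the report's bullet-then-key/value layout into one dict per entry."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):                      # new entry: the bullet carries the path
            current = {"path": line.lstrip("• ").strip()}
            records.append(current)
            pending = None
        elif current is not None and pending is None and line in FIELDS:
            pending = FIELDS[line]                    # field name; its value is the next line
        elif current is not None and pending is not None:
            current[pending] = line if pending == "size" else line.lower()
            pending = None
    return records


def group_by_sha256(records):
    """SHA256 -> sorted list of paths; memory dumps carry no digest and are skipped."""
    groups = defaultdict(set)
    for rec in records:
        if "sha256" in rec:
            groups[rec["sha256"]].add(rec["path"])
    return {digest: sorted(paths) for digest, paths in groups.items()}


def hashes_match(data, record):
    """True only if every digest the record carries agrees with the given bytes."""
    actual = {name: hashlib.new(name, data).hexdigest()
              for name in ("md5", "sha1", "sha256", "sha512")}
    checked = [k for k in actual if k in record]
    return bool(checked) and all(actual[k] == record[k] for k in checked)


def scan_host(records, root=None):
    """Re-hash each listed path that exists, live (root=None) or under a mounted image
    directory (assumption: the drive letter maps onto root). Returns (path, verdict)."""
    findings = []
    for rec in records:
        if "sha256" not in rec:
            continue
        if root is None:
            target = Path(rec["path"])
        else:
            target = Path(root) / re.sub(r"^[A-Za-z]:\\", "", rec["path"]).replace("\\", "/")
        if target.is_file():
            verdict = "match" if hashes_match(target.read_bytes(), rec) else "hash mismatch"
            findings.append((rec["path"], verdict))
    return findings


if __name__ == "__main__":
    recs = parse_dropped_files(REPORT_EXCERPT)
    for digest, paths in group_by_sha256(recs).items():
        if len(paths) > 1:
            print(f"{digest[:16]}... staged at {len(paths)} locations: {paths}")
    for path, verdict in scan_host(recs):
        print(f"{path}: {verdict}")
```

Grouping by digest rather than by path is the point: the listing shows `C:\odt\csrss.exe` and `C:\providercommon\DllCommonsvc.exe` with identical MD5/SHA1/SHA256 values, so they are one 1.0MB payload staged under two legitimate-looking names, and a hunt keyed on the hash catches both while a hunt keyed on the filename `csrss.exe` would drown in hits on the real binary in System32. A path that exists but does not hash-match is still worth a look (a repacked build of the same family will not match any of these digests).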