Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-1703_x64
  • resource
    win10-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    01/11/2022, 11:37

General

  • Target

    f6d8d45ee3eec21b23f3c43324baa937b2364cce5e0748b50cbb1661d5a8b2f8.exe

  • Size

    1.3MB

  • MD5

    540f580f1975e6ad3b45dc3ad3a3c233

  • SHA1

    b91b221b6606d681c16ad7fca2f3f5d019323b20

  • SHA256

    f6d8d45ee3eec21b23f3c43324baa937b2364cce5e0748b50cbb1661d5a8b2f8

  • SHA512

    f6e70b41260552d33ba69be58c9c4fe9d129dc14ed74d86a481c7feda8b13fb8e18a1192ffe02c9004dd2ec26d1b2ef8faa76bdfc8bc001b947fa050f85203fd

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Process spawned unexpected child process 27 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 16 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 13 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Program Files directory 9 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 27 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 13 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f6d8d45ee3eec21b23f3c43324baa937b2364cce5e0748b50cbb1661d5a8b2f8.exe
    "C:\Users\Admin\AppData\Local\Temp\f6d8d45ee3eec21b23f3c43324baa937b2364cce5e0748b50cbb1661d5a8b2f8.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3512
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5100
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4616
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1280
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office16\csrss.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1772
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1500
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:880
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.8.0_66\bin\lsass.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1180
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4200
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Provisioning\Cosa\OEM\winlogon.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3312
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\System.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:208
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\sppsvc.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2232
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\dwm.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3264
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\d8sB0Cn4pv.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4408
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:768
              • C:\Program Files (x86)\MSBuild\Microsoft\System.exe
                "C:\Program Files (x86)\MSBuild\Microsoft\System.exe"
                6⤵
                • Executes dropped EXE
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:4692
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3EiKDvRnKw.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4812
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:4844
                    • C:\Program Files (x86)\MSBuild\Microsoft\System.exe
                      "C:\Program Files (x86)\MSBuild\Microsoft\System.exe"
                      8⤵
                      • Executes dropped EXE
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of WriteProcessMemory
                      PID:4472
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4800
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                            PID:1980
                          • C:\Program Files (x86)\MSBuild\Microsoft\System.exe
                            "C:\Program Files (x86)\MSBuild\Microsoft\System.exe"
                            10⤵
                            • Executes dropped EXE
                            • Modifies registry class
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of WriteProcessMemory
                            PID:1304
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat"
                              11⤵
                              • Suspicious use of WriteProcessMemory
                              PID:2932
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                12⤵
                                  PID:2688
                                • C:\Program Files (x86)\MSBuild\Microsoft\System.exe
                                  "C:\Program Files (x86)\MSBuild\Microsoft\System.exe"
                                  12⤵
                                  • Executes dropped EXE
                                  • Modifies registry class
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of WriteProcessMemory
                                  PID:1016
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hevtjRcN1r.bat"
                                    13⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:1296
                                    • C:\Windows\system32\w32tm.exe
                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                      14⤵
                                        PID:1576
                                      • C:\Program Files (x86)\MSBuild\Microsoft\System.exe
                                        "C:\Program Files (x86)\MSBuild\Microsoft\System.exe"
                                        14⤵
                                        • Executes dropped EXE
                                        • Modifies registry class
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of WriteProcessMemory
                                        PID:4264
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat"
                                          15⤵
                                          • Suspicious use of WriteProcessMemory
                                          PID:2164
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            16⤵
                                              PID:3788
                                            • C:\Program Files (x86)\MSBuild\Microsoft\System.exe
                                              "C:\Program Files (x86)\MSBuild\Microsoft\System.exe"
                                              16⤵
                                              • Executes dropped EXE
                                              • Modifies registry class
                                              PID:2288
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat"
                                                17⤵
                                                  PID:364
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    18⤵
                                                      PID:3276
                                                    • C:\Program Files (x86)\MSBuild\Microsoft\System.exe
                                                      "C:\Program Files (x86)\MSBuild\Microsoft\System.exe"
                                                      18⤵
                                                      • Executes dropped EXE
                                                      • Modifies registry class
                                                      PID:2780
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\989MOUOnUX.bat"
                                                        19⤵
                                                          PID:3488
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            20⤵
                                                              PID:656
                                                            • C:\Program Files (x86)\MSBuild\Microsoft\System.exe
                                                              "C:\Program Files (x86)\MSBuild\Microsoft\System.exe"
                                                              20⤵
                                                              • Executes dropped EXE
                                                              • Modifies registry class
                                                              PID:4028
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qO35UmqwIy.bat"
                                                                21⤵
                                                                  PID:1556
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    22⤵
                                                                      PID:4508
                                                                    • C:\Program Files (x86)\MSBuild\Microsoft\System.exe
                                                                      "C:\Program Files (x86)\MSBuild\Microsoft\System.exe"
                                                                      22⤵
                                                                      • Executes dropped EXE
                                                                      • Modifies registry class
                                                                      PID:416
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mNrvcGFykN.bat"
                                                                        23⤵
                                                                          PID:4700
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            24⤵
                                                                              PID:4616
                                                                            • C:\Program Files (x86)\MSBuild\Microsoft\System.exe
                                                                              "C:\Program Files (x86)\MSBuild\Microsoft\System.exe"
                                                                              24⤵
                                                                              • Executes dropped EXE
                                                                              • Modifies registry class
                                                                              PID:524
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat"
                                                                                25⤵
                                                                                  PID:4220
                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    26⤵
                                                                                      PID:5052
                                                                                    • C:\Program Files (x86)\MSBuild\Microsoft\System.exe
                                                                                      "C:\Program Files (x86)\MSBuild\Microsoft\System.exe"
                                                                                      26⤵
                                                                                      • Executes dropped EXE
                                                                                      • Modifies registry class
                                                                                      PID:4276
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LnIbptgF5R.bat"
                                                                                        27⤵
                                                                                          PID:768
                                                                                          • C:\Windows\system32\w32tm.exe
                                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                            28⤵
                                                                                              PID:3332
                                                                                            • C:\Program Files (x86)\MSBuild\Microsoft\System.exe
                                                                                              "C:\Program Files (x86)\MSBuild\Microsoft\System.exe"
                                                                                              28⤵
                                                                                              • Executes dropped EXE
                                                                                              PID:5020
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jdk1.8.0_66\bin\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3184
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.8.0_66\bin\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3168
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jdk1.8.0_66\bin\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4960
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office16\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3116
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4972
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office16\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4932
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4976
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4864
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4824
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\providercommon\fontdrvhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4808
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4872
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4804
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\providercommon\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5024
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1996
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3868
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\Provisioning\Cosa\OEM\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4692
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Provisioning\Cosa\OEM\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4788
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\Provisioning\Cosa\OEM\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4984
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4660
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4628
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3520
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3112
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:928
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5072
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\en-US\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:380
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4452
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\en-US\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2008

                                      Network

                                            MITRE ATT&CK Enterprise v6

                                            Downloads

                                            • C:\Program Files (x86)\MSBuild\Microsoft\System.exe

                                              Filesize

                                              1.0MB

                                              MD5

                                              bd31e94b4143c4ce49c17d3af46bcad0

                                              SHA1

                                              f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                              SHA256

                                              b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                              SHA512

                                              f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log

                                              Filesize

                                              1KB

                                              MD5

                                              d63ff49d7c92016feb39812e4db10419

                                              SHA1

                                              2307d5e35ca9864ffefc93acf8573ea995ba189b

                                              SHA256

                                              375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

                                              SHA512

                                              00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                              Filesize

                                              3KB

                                              MD5

                                              ad5cd538ca58cb28ede39c108acb5785

                                              SHA1

                                              1ae910026f3dbe90ed025e9e96ead2b5399be877

                                              SHA256

                                              c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

                                              SHA512

                                              c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              abf7fc04f64886ca908084fdacf6b490

                                              SHA1

                                              6e54771bf8208d50eb2e28f19fbc39a89d73e177

                                              SHA256

                                              1bdeec29a69dc2353c6fb83a30ef8e4c261ea619d52e59f46bd1171cc6b2603d

                                              SHA512

                                              7baebde225b8510c43452a61695c14d85432ada4d568e2432775b04a90a912e7238b717d60397f6cd48409bf808c91e13489383b08ead8d5aada439d026183c9

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              0bdfaa14d7814b541a77f4e97920dfd6

                                              SHA1

                                              c239720eee47db7f7136bb78e37c539b9e735c4c

                                              SHA256

                                              4c8946ef444ac60d731d674ad3d32a42edcd2a8d5fc984366f7c09eb24f5a272

                                              SHA512

                                              dfa795a1fd4fc852064cfdf93602899685bf9c13c7c326feca76fc7f97f92662342c52b79b447bcbc20cd55ea724742a499ad8da8e7770377a3e04ae52351608

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              edf66e57ae463c5ef325c9c4c1387a42

                                              SHA1

                                              9cbe9222c0234720109eb65e8f08e6248a55331c

                                              SHA256

                                              cc3587d30b9ca51a23d728d13a73edaa23cc91d786eda692fc7b938c1393c260

                                              SHA512

                                              a9f99e62b3be13bf872558fa95e681122dae948c85534f698369dc648393982ca146d26a804bc9d4cd7bb2823f1f5adc8d05329bd83e20e8c31889009e090afd

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              16702505b6f5af88f06aa6619382bf9a

                                              SHA1

                                              4b64f968c4a7889b5078a5ab44ced78813153db4

                                              SHA256

                                              78a9f48ea9f2dc8e634ef056f2a976f7405cd4175bada9f5cbc0daf992da742c

                                              SHA512

                                              a05a3937e8b49854ddf78c93ca35235ceb9f72ab67af36d00c268db28aff86e5120e4505eff0fa0adbd12298deca1515069f993a5f766353404f4723a6bb65d9

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              29b209d9727cbb94862959a28841f6a8

                                              SHA1

                                              dee0f0b5396aa5ef76f6b57e3882cb839d5b5c9c

                                              SHA256

                                              cd1f4392ee8bb902981eff13c269ebc12130925aafab6826588f02b9339d2892

                                              SHA512

                                              c326f8c3a27636a21323b1f9a1c55b49aa5760a4548a2208254143df51b6c822ee4cf1d6d7977f9864dd4e38373da9e90a50337172333d5cdc6adea1e4eea57d

                                            • C:\Users\Admin\AppData\Local\Temp\3EiKDvRnKw.bat

                                              Filesize

                                              216B

                                              MD5

                                              3ed2fe80a84d683cd56eb73d9a3681e6

                                              SHA1

                                              f4c16e2024877802fa183a27f07b07e282fa6a55

                                              SHA256

                                              a4baf1ea979bdec8fe986fe1028bf7f81ecee6e6fa53588664061dc0085f0acc

                                              SHA512

                                              8518f4cfcfba920ae0ac795f78d9ba82fafb26aca6ab10fb7f1c142f48f93ac4a6c40af4f9a74988d01781614e135d238fb2e75cdbbad53f0556c8bd2a6228b6

                                            • C:\Users\Admin\AppData\Local\Temp\989MOUOnUX.bat

                                              Filesize

                                              216B

                                              MD5

                                              1fda1ee45b830ae50b6a80ba6a98e869

                                              SHA1

                                              d8ee1db1147d079390af15c795f4016fd6b19bf6

                                              SHA256

                                              19fa24203dbccf01c388dec7ae3af84e3e948d368cf89d115fb6c57c55450b11

                                              SHA512

                                              7be4a326681c0a473e09cfde1fc462d652bf11794ec28522afbfdced7db8083760b944ec2a4b458b97b911bb170a8d1bf623584d741c6c43025105ceb67b1f13

                                            • C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat

                                              Filesize

                                              216B

                                              MD5

                                              45889d1187ae42ea09e11c9181e92305

                                              SHA1

                                              285246e52208a22e683394c3eafb22ea4018fc55

                                              SHA256

                                              1d9e6e578418b7ea2be8322dbc8d10158a3042a277509551ce54e9ee3eee7b17

                                              SHA512

                                              63c6347445193bbb5e77fa5fa466c3d53d0fad01beee309327f7fb4a3167d5d1d4ae41fa3df209cd3bae991c96f2e4f84536462c668bf8ddcb55675813776cb2

                                            • C:\Users\Admin\AppData\Local\Temp\LnIbptgF5R.bat

                                              Filesize

                                              216B

                                              MD5

                                              bcad8f63bf49e1f04c7ed57f496269a1

                                              SHA1

                                              3ddde6230dfe21d802808253366f5e55b9b79642

                                              SHA256

                                              918ae2ef1897af6a54b54ed74c1cdabc1d23c66e6a9391ecb27b13586165e73e

                                              SHA512

                                              4e1c724b0e4de99bc08551dd13fbf7cd302f7bf9233b3bba09bce3a216afa40b1077f8f7048ace322c06b5f1d1f0b9bc94cf6f9f07c8916b1fc3b9fcf8d4697d

                                            • C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat

                                              Filesize

                                              216B

                                              MD5

                                              d3544c44a7bb5b918122465af4ff2083

                                              SHA1

                                              1706b4f6a1428f0a1aa882b669c02351315b5133

                                              SHA256

                                              14630635d69f1efa5a56695b79bbf94a1588942ab03e5120353356e8706a619f

                                              SHA512

                                              5360249959b58e4e04a150d68f8f62553c22c41180c67ccc43c2be270f54e4165c848f39b6b0766aa905789595454ecfdf653cf3046334d43a8a4099376e9ba4

                                            • C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat

                                              Filesize

                                              216B

                                              MD5

                                              a93422901e3b8c87e18da23a8d19291c

                                              SHA1

                                              2dbac899a2dd51f52097fbe53b93929c3d5b1c37

                                              SHA256

                                              161d1fb4c39df0b031b5fb5e1decaa0368abc05858ce8cdd3b07da9ffb4094e4

                                              SHA512

                                              6a841f4d99972b001e9e08cd4ab499c7ef19f4283a4fa91903c2baad6670f1135225100645428dfe8b91cb30d01a77a7602723613e48c2a6cb258b2d458b2849

                                            • C:\Users\Admin\AppData\Local\Temp\d8sB0Cn4pv.bat

                                              Filesize

                                              216B

                                              MD5

                                              4a7951267e8ff4bc00e1827e437b7485

                                              SHA1

                                              30ded6defac1a366d6dd9b4f567b965a20d77af8

                                              SHA256

                                              aee9ba502ee5496e1ebe71928077ac7ab030d05e3948bd34732596d19e287334

                                              SHA512

                                              7ddd53c8b8ca3a17598220ffc8465b528a85e8015471d81cce4952e83e5f78fe7748a1849ed41544b0a6dd9e8f72822cc41cbb40f66e4f3bd608f68250078447

                                            • C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat

                                              Filesize

                                              216B

                                              MD5

                                              7e5b4012fa636bc4a1cd12bc0b85a945

                                              SHA1

                                              1a10b718fff8381ab3716ec33bca7290ab560b26

                                              SHA256

                                              3fb03f1bbd57e962cfa49464501a2db59f913a10131c750ab0c3b559c8e29d99

                                              SHA512

                                              84778dc91f640ff95a1196dd129adbb0417bf9612305eef3e5df1424765514f71e00cff7551224378b4d9fe9c11cd3f64095508ee3534096038c331930117c64

                                            • C:\Users\Admin\AppData\Local\Temp\hevtjRcN1r.bat

                                              Filesize

                                              216B

                                              MD5

                                              2b27069a4eb0d4b4651d092e495f7939

                                              SHA1

                                              620fdd482ef7318e89c07fd524e4877894480160

                                              SHA256

                                              c698ac62e9896f4c2e0cbc23d804c730962ab5be5d8df975954f91ce7468129c

                                              SHA512

                                              4d7cb0870f07279c117aad0a2686fef3917e993b7193319063efcfd7a5325c7eea8bef2371f1ce79131a965ab0fbb7f3c9dcca74ac01d34f4c7a841b3326ae06

• C:\Users\Admin\AppData\Local\Temp\mNrvcGFykN.bat
  Filesize 216B
  MD5 69efed9115a94abf1d518ae2378de5fd
  SHA1 5cd8e8d2193769e7acf8f53a800695c500bd6360
  SHA256 7dda6460cdbec09f0f7ba9b24312d5897815c35eb6a46c589fc1cdf59ef2d5ca
  SHA512 ace971a606dc0ac5aa100d62bc7da2d3334bd3aec2dc5a9e7976f099f57109969486f8385b2d1998b6de21081f18623f6059503a88d70191ffc46435c296b26b

• C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat
  Filesize 216B
  MD5 d64dcb4f2e0cc43a77f6662be41773d2
  SHA1 f34a62f0198f7a792bf3b9435587294a32b40e3c
  SHA256 8bbc252ec1c568ec22a3c61d1fa923a71a9973569dd495299d1b7a074cdc2640
  SHA512 9e0ee12550eafdfbaf00d83fae9293516f1d8bf6dbb0e1470d96689f3f2e082492dbfac75a1f0dad611ec57ebe4c0a805d499504cf6122a96041384b3a8d067a

• C:\Users\Admin\AppData\Local\Temp\qO35UmqwIy.bat
  Filesize 216B
  MD5 befcb53f41f729946fd4ee4dd08f85ee
  SHA1 26e2ecb0e57888e01d268663d687e28e3d208c43
  SHA256 f0b24bbcfec58d1355ae10da3d3d822fda9633593982c6cad8a2148a701efd95
  SHA512 f3ed8f8ee70a9e4959c865ccb56e078adbab5a84987b2ae527dfbc880f6b373b206162ff3a95ed2d2664639813ee852318f06168ab5a7a708737d0aa59d6b568

• C:\providercommon\1zu9dW.bat
  Filesize 36B
  MD5 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

• C:\providercommon\DllCommonsvc.exe
  Filesize 1.0MB
  MD5 bd31e94b4143c4ce49c17d3af46bcad0
  SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

• C:\providercommon\DllCommonsvc.exe
  Filesize 1.0MB
  MD5 bd31e94b4143c4ce49c17d3af46bcad0
  SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

• C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
  Filesize 197B
  MD5 8088241160261560a02c84025d107592
  SHA1 083121f7027557570994c9fc211df61730455bb5
  SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
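The dropped-file entries above are what a responder sweeps a suspect host for. The following is an added example, not part of the sandbox report or of the sample, that transcribes the hash table from the list above into a small Python sweep: it hashes every file under a directory once with MD5, SHA-1 and SHA-256, reports a hit on any of the three, and separately flags anything under a directory named providercommon, because that drop location is not user-specific and so outlives the hash changes of a rebuilt sample. The providercommon heuristic and all function names are this example's own choices.

```python
"""Sweep a directory tree for the dropped-file IOCs listed in the report above.

Added example, not part of the sandbox report. The hash table is transcribed
from the dropped-files list; the sweep logic and the providercommon directory
heuristic are this example's own.
"""
import hashlib
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable


@dataclass(frozen=True)
class FileIoc:
    path: str      # path observed in the sandbox run
    size: str      # size as the report prints it (rounded, e.g. "1.0MB")
    md5: str
    sha1: str
    sha256: str


# Transcribed from the dropped-files section above (the report lists
# DllCommonsvc.exe twice with identical hashes; it is kept once here).
DROPPED_FILES = [
    FileIoc(r"C:\Users\Admin\AppData\Local\Temp\mNrvcGFykN.bat", "216B",
            "69efed9115a94abf1d518ae2378de5fd",
            "5cd8e8d2193769e7acf8f53a800695c500bd6360",
            "7dda6460cdbec09f0f7ba9b24312d5897815c35eb6a46c589fc1cdf59ef2d5ca"),
    FileIoc(r"C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat", "216B",
            "d64dcb4f2e0cc43a77f6662be41773d2",
            "f34a62f0198f7a792bf3b9435587294a32b40e3c",
            "8bbc252ec1c568ec22a3c61d1fa923a71a9973569dd495299d1b7a074cdc2640"),
    FileIoc(r"C:\Users\Admin\AppData\Local\Temp\qO35UmqwIy.bat", "216B",
            "befcb53f41f729946fd4ee4dd08f85ee",
            "26e2ecb0e57888e01d268663d687e28e3d208c43",
            "f0b24bbcfec58d1355ae10da3d3d822fda9633593982c6cad8a2148a701efd95"),
    FileIoc(r"C:\providercommon\1zu9dW.bat", "36B",
            "6783c3ee07c7d151ceac57f1f9c8bed7",
            "17468f98f95bf504cc1f83c49e49a78526b3ea03",
            "8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322"),
    FileIoc(r"C:\providercommon\DllCommonsvc.exe", "1.0MB",
            "bd31e94b4143c4ce49c17d3af46bcad0",
            "f8c51ff3ff909531d9469d4ba1bbabae101853ff",
            "b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63"),
    FileIoc(r"C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe", "197B",
            "8088241160261560a02c84025d107592",
            "083121f7027557570994c9fc211df61730455bb5",
            "2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1"),
]

# Drop directory from the report; it is not user-specific, so it remains a
# usable indicator when a rebuilt sample has different hashes (assumption).
SUSPICIOUS_DIR = "providercommon"


def hash_file(path: Path, chunk: int = 1 << 20) -> dict:
    """Compute MD5, SHA-1 and SHA-256 of a file in a single read pass."""
    hashes = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashes.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashes.items()}


def build_index(iocs: Iterable[FileIoc]) -> dict:
    """Map (algorithm, lowercase digest) -> IOC so a hit on any algorithm is found."""
    index = {}
    for ioc in iocs:
        for algo in ("md5", "sha1", "sha256"):
            index[(algo, getattr(ioc, algo).lower())] = ioc
    return index


def match_file(path: Path, index: dict) -> list:
    """Return (reason, reference) pairs for one file; an empty list means clean."""
    hits = []
    for algo, digest in hash_file(path).items():
        ioc = index.get((algo, digest))
        if ioc is not None:
            hits.append((algo, ioc.path))
    # Path heuristic: anything under a directory named 'providercommon'.
    if any(part.lower() == SUSPICIOUS_DIR for part in path.parts):
        hits.append(("directory", str(path)))
    return hits


def sweep(root: Path, iocs: Iterable[FileIoc] = DROPPED_FILES) -> dict:
    """Walk `root`; return {file_path: [hits]} for every file with at least one hit."""
    index = build_index(iocs)
    findings = {}
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        hits = match_file(path, index)
        if hits:
            findings[str(path)] = hits
    return findings


if __name__ == "__main__":
    import sys
    for file_path, hits in sweep(Path(sys.argv[1] if len(sys.argv) > 1 else ".")).items():
        print(file_path)
        for reason, ref in hits:
            print(f"    {reason}: {ref}")
```

A hit on MD5 or SHA-1 without a matching SHA-256 for the same file means either a transcription error in the table or a collision, so match on SHA-256 before acting on a finding. The hashes identify this exact build only; the directory heuristic is the more durable signal but will also fire on a benign directory of the same name, so treat it as a lead rather than a verdict.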

• memory/416-712-0x0000000000720000-0x0000000000732000-memory.dmp  Filesize 72KB
• memory/1180-341-0x000001BC0C4A0000-0x000001BC0C4C2000-memory.dmp  Filesize 136KB
• memory/1280-358-0x0000014BFED90000-0x0000014BFEE06000-memory.dmp  Filesize 472KB
• memory/1304-680-0x0000000000F90000-0x0000000000FA2000-memory.dmp  Filesize 72KB
• memory/1980-163-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-121-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-122-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-183-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-182-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-123-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-125-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-181-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-180-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-126-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-128-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-129-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-130-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-131-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-179-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-178-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-177-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-176-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-175-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-132-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-133-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-174-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-134-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-135-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-136-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-173-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-172-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-170-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-171-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-137-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-169-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-168-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-138-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-167-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-166-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-165-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-164-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-120-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-161-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-162-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-160-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-159-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-158-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-139-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-157-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-143-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-142-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-156-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-155-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-141-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-154-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-140-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-153-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-152-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-151-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-144-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-150-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-145-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-149-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-148-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-147-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/1980-146-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/3512-185-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/3512-186-0x0000000077460000-0x00000000775EE000-memory.dmp  Filesize 1.6MB
• memory/4028-706-0x00000000026F0000-0x0000000002702000-memory.dmp  Filesize 72KB
• memory/4616-290-0x00000000017B0000-0x00000000017BC000-memory.dmp  Filesize 48KB
• memory/4616-286-0x0000000000EF0000-0x0000000001000000-memory.dmp  Filesize 1.1MB
• memory/4616-289-0x00000000017A0000-0x00000000017AC000-memory.dmp  Filesize 48KB
• memory/4616-288-0x00000000017C0000-0x00000000017CC000-memory.dmp  Filesize 48KB
• memory/4616-287-0x0000000001510000-0x0000000001522000-memory.dmp  Filesize 72KB
• memory/4692-627-0x0000000000F50000-0x0000000000F62000-memory.dmp  Filesize 72KB
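The memory-dump entries above are named memory/<pid>-<snapshot>-<start>-<end>-memory.dmp, and the list is long mostly because PID 1980 was dumped 62 times (snapshots 120 to 183, except 124 and 127) at one and the same address range. The following is an added example, not part of the report, that parses those names, checks that each reported Filesize is what the address range implies, and collapses the 75 entries into 13 distinct (PID, start, end) regions; it also surfaces that the 0x77460000-0x775EE000 range is dumped from both PID 1980 and PID 3512. The rounding rule in human_size is inferred from the entries (it reproduces every one of them) and is an assumption; the report does not say which module occupies that range, and this example makes no claim about it.

```python
"""Parse the memory-dump entries above and collapse them to distinct regions.

Added example, not part of the sandbox report. The entry names and reported
sizes are transcribed from the list above; the parser, the size cross-check
and the rounding rule are this example's own.
"""
import re
from collections import defaultdict

# Name format observed above: memory/<pid>-<snapshot>-<start>-<end>-memory.dmp
DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<snap>\d+)-0x(?P<start>[0-9a-fA-F]+)"
    r"-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)

# Transcribed from the list above as (entry name, reported Filesize). PID 1980
# has 62 snapshots (120-183 except 124 and 127) of one region, so those are
# generated rather than written out.
MEMORY_ENTRIES = [
    ("memory/416-712-0x0000000000720000-0x0000000000732000-memory.dmp", "72KB"),
    ("memory/1180-341-0x000001BC0C4A0000-0x000001BC0C4C2000-memory.dmp", "136KB"),
    ("memory/1280-358-0x0000014BFED90000-0x0000014BFEE06000-memory.dmp", "472KB"),
    ("memory/1304-680-0x0000000000F90000-0x0000000000FA2000-memory.dmp", "72KB"),
    ("memory/3512-185-0x0000000077460000-0x00000000775EE000-memory.dmp", "1.6MB"),
    ("memory/3512-186-0x0000000077460000-0x00000000775EE000-memory.dmp", "1.6MB"),
    ("memory/4028-706-0x00000000026F0000-0x0000000002702000-memory.dmp", "72KB"),
    ("memory/4616-290-0x00000000017B0000-0x00000000017BC000-memory.dmp", "48KB"),
    ("memory/4616-286-0x0000000000EF0000-0x0000000001000000-memory.dmp", "1.1MB"),
    ("memory/4616-289-0x00000000017A0000-0x00000000017AC000-memory.dmp", "48KB"),
    ("memory/4616-288-0x00000000017C0000-0x00000000017CC000-memory.dmp", "48KB"),
    ("memory/4616-287-0x0000000001510000-0x0000000001522000-memory.dmp", "72KB"),
    ("memory/4692-627-0x0000000000F50000-0x0000000000F62000-memory.dmp", "72KB"),
] + [
    (f"memory/1980-{n}-0x0000000077460000-0x00000000775EE000-memory.dmp", "1.6MB")
    for n in range(120, 184) if n not in (124, 127)
]


def parse_dump_name(name: str) -> dict:
    """Split one entry name into pid, snapshot and the dumped address range."""
    m = DUMP_NAME.match(name)
    if m is None:
        raise ValueError(f"not a memory dump entry: {name!r}")
    return {
        "pid": int(m["pid"]),
        "snapshot": int(m["snap"]),
        "start": int(m["start"], 16),
        "end": int(m["end"], 16),
    }


def human_size(n_bytes: int) -> str:
    """Assumed rounding rule: whole KB below 1 MiB, otherwise MB to one decimal.

    It reproduces every Filesize in the list above (1630208 bytes -> "1.6MB").
    """
    if n_bytes < 1 << 20:
        return f"{round(n_bytes / 1024)}KB"
    return f"{n_bytes / (1 << 20):.1f}MB"


def check_sizes(entries) -> list:
    """Names whose address range disagrees with the reported Filesize."""
    bad = []
    for name, reported in entries:
        f = parse_dump_name(name)
        if human_size(f["end"] - f["start"]) != reported:
            bad.append(name)
    return bad


def collapse_regions(entries) -> dict:
    """Group entries by (pid, start, end) -> sorted list of snapshot ids."""
    regions = defaultdict(list)
    for name, _ in entries:
        f = parse_dump_name(name)
        regions[(f["pid"], f["start"], f["end"])].append(f["snapshot"])
    return {key: sorted(snaps) for key, snaps in regions.items()}


def shared_regions(regions: dict) -> dict:
    """Address ranges that were dumped from more than one PID."""
    by_range = defaultdict(set)
    for pid, start, end in regions:
        by_range[(start, end)].add(pid)
    return {rng: pids for rng, pids in by_range.items() if len(pids) > 1}


if __name__ == "__main__":
    regions = collapse_regions(MEMORY_ENTRIES)
    print(f"{len(MEMORY_ENTRIES)} entries, {len(regions)} distinct regions, "
          f"size mismatches: {check_sizes(MEMORY_ENTRIES)}")
    for (pid, start, end), snaps in sorted(regions.items()):
        print(f"pid {pid:>5} 0x{start:016X}-0x{end:016X} "
              f"{human_size(end - start):>6} x{len(snaps)}")
    for (start, end), pids in shared_regions(regions).items():
        print(f"0x{start:X}-0x{end:X} dumped from PIDs {sorted(pids)}")
```

Collapsing by region before looking at the dumps avoids triaging 62 copies of the same 1.6MB range; the first and last snapshot of a region are usually enough to see whether its contents changed over the run. The same-range hit across PIDs 1980 and 3512 is only a pointer to compare those two dumps, not evidence of what the region holds.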