Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64 arch:x86 image:win10-20220812-en locale:en-us os:windows10-1703-x64 system
  • submitted
    01/11/2022, 11:39

General

  • Target

    f71939c2246ae67bffba66e1363d80d059971cceea4f5b356c0ffd0e3927103f.exe

  • Size

    1.3MB

  • MD5

    a12831c75a8464f91cb0952e8a4d98db

  • SHA1

    fe2edc85a4e8ec8c13e604fddfcd7f2ae7b26929

  • SHA256

    f71939c2246ae67bffba66e1363d80d059971cceea4f5b356c0ffd0e3927103f

  • SHA512

    dd090cb39e8d781e88c025fce90d1c83f07c72ca0e9595b6f6855568483f78c592623a2129a4c564aa3d72bbb5e47a89228dd3c32ede64f99fca106f83afe6cf

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

  • Process spawned unexpected child process 48 IoCs

    This typically indicates the parent process was compromised via an exploit or macro. In this report the flagged processes are the schtasks.exe instances listed at the top level of the tree without a recorded parent; their targets are the same dropped binaries that the Defender exclusions in the tree cover.

  • DCRat payload 15 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 12 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). This is flagged as likely ransomware behaviour, but in a RAT such as DCRat it is more consistent with host and drive enumeration; the report lists no file-encryption behaviour.

  • Creates scheduled task(s) 1 TTPs 48 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here each dropped binary gets an ONLOGON task plus MINUTE-interval tasks, most of them with /rl HIGHEST, under names borrowed from Windows system processes (csrss, dwm, wininit, RuntimeBroker, SearchUI, explorer, Idle).

  • Modifies registry class 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
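
The three behaviours the signatures above describe are visible verbatim in the command lines of the process tree: Add-MpPreference -ExclusionPath for each dropped binary, schtasks /create with ONLOGON and MINUTE triggers (mostly /rl HIGHEST) for the same binaries under borrowed system-process names, and a repeating dwm.exe, cmd.exe /C <random>.bat, w32tm /stripchart /computer:localhost, dwm.exe chain that respawns the payload with w32tm standing in for a sleep. The script below is an added triage helper written for this page; it is not part of the Triage report and not DCRat's code. It parses such command lines and flags them. The sample input copies lines from this report plus one constructed benign task for contrast; the SYSTEM_NAMES set, the flag names and the finding kinds are the example's own choices.

```python
"""Flag Defender-exclusion, scheduled-task and w32tm-delay patterns from this
DCRat report in a list of process command lines (added example, not Triage/DCRat code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Process names the dropped copies in this report borrow. A genuine copy of each
# lives under C:\Windows; anywhere else is a masquerade. (Idle.exe is not a real
# binary; it imitates the "System Idle Process" name.) Example's own list.
SYSTEM_NAMES = {
    "csrss.exe", "dwm.exe", "wininit.exe", "smss.exe", "services.exe",
    "runtimebroker.exe", "searchui.exe", "explorer.exe", "conhost.exe",
    "cmd.exe", "idle.exe",
}
WINDOWS_DIR = "c:\\windows\\"

# Add-MpPreference -ExclusionPath '<path>' as in the report; Process/Extension
# variants are accepted too.
EXCLUSION_RE = re.compile(
    r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\s+'([^']+)'", re.I)
# Split a Windows command line on whitespace while honouring double quotes.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


@dataclass(frozen=True)
class Finding:
    kind: str                    # defender_exclusion | scheduled_task | w32tm_delay
    value: str                   # excluded path, task target, or the command line
    flags: tuple[str, ...] = ()  # onlogon / rl-highest / masquerade for tasks


def tokenize(cmdline: str) -> list[str]:
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN_RE.finditer(cmdline)]


def image_name(token: str) -> str:
    """Basename of an image path or bare program name, lower-cased."""
    return token.strip('"').rsplit("\\", 1)[-1].lower()


def is_masquerade(path: str) -> bool:
    """True when a Windows system-process name sits outside C:\\Windows."""
    p = path.strip("'\"")
    return image_name(p) in SYSTEM_NAMES and not p.lower().startswith(WINDOWS_DIR)


def parse_schtasks_create(tokens: list[str]) -> dict[str, str | bool] | None:
    """Map /flag -> value (True for bare switches) for a `schtasks /create` line."""
    if not tokens or image_name(tokens[0]) not in ("schtasks", "schtasks.exe"):
        return None
    opts: dict[str, str | bool] = {}
    i = 1
    while i < len(tokens):
        flag = tokens[i].lower()
        if not flag.startswith("/"):
            i += 1
            continue
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            opts[flag] = tokens[i + 1]
            i += 2
        else:
            opts[flag] = True
            i += 1
    return opts if "/create" in opts else None


def analyse(cmdlines: list[str]) -> list[Finding]:
    findings: list[Finding] = []
    for line in cmdlines:
        for m in EXCLUSION_RE.finditer(line):
            findings.append(Finding("defender_exclusion", m.group(1)))
        tokens = tokenize(line)
        opts = parse_schtasks_create(tokens)
        if opts:
            target = str(opts.get("/tr", "")).strip("'\"")
            flags = []
            if str(opts.get("/sc", "")).upper() == "ONLOGON":
                flags.append("onlogon")      # re-runs at every logon
            if str(opts.get("/rl", "")).upper() == "HIGHEST":
                flags.append("rl-highest")   # full admin token when the user is an admin
            if is_masquerade(target):
                flags.append("masquerade")
            findings.append(Finding("scheduled_task", target, tuple(flags)))
        lowered = [t.lower() for t in tokens]
        if (lowered and image_name(lowered[0]) in ("w32tm", "w32tm.exe")
                and "/stripchart" in lowered
                and any(t.startswith("/computer:localhost") for t in lowered)):
            # Sampling the local clock does nothing useful; it only burns time
            # between one dwm.exe exiting and the next one starting.
            findings.append(Finding("w32tm_delay", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


SAMPLE_CMDLINES = [
    # Lines 1-5 are copied from this report's process tree; line 6 is a constructed benign task.
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\providercommon\\DllCommonsvc.exe'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\odt\\csrss.exe'",
    "schtasks.exe /create /tn \"csrss\" /sc ONLOGON /tr \"'C:\\odt\\csrss.exe'\" /rl HIGHEST /f",
    "schtasks.exe /create /tn \"dwmd\" /sc MINUTE /mo 5 /tr \"'C:\\Program Files\\MSBuild\\dwm.exe'\" /f",
    "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2",
    "schtasks.exe /create /tn \"Backup\" /sc DAILY /tr \"C:\\Tools\\backup.exe\" /f",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_CMDLINES):
        print(f"{f.kind:19} {','.join(f.flags) or '-':28} {f.value}")
```

Feed it the command-line column of a process log (Sysmon event 1, EDR telemetry, or a sandbox tree like this one) and anything with a masquerade flag or a Defender exclusion outside an install directory deserves a look; the benign DAILY task in the sample produces a finding with no flags, which is the expected noise floor.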

Processes

  • C:\Users\Admin\AppData\Local\Temp\f71939c2246ae67bffba66e1363d80d059971cceea4f5b356c0ffd0e3927103f.exe
    "C:\Users\Admin\AppData\Local\Temp\f71939c2246ae67bffba66e1363d80d059971cceea4f5b356c0ffd0e3927103f.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4696
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5056
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3556
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4772
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2720
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\csrss.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2520
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2448
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\explorer.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3912
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3476
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\SearchUI.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4012
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\SearchUI.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4448
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\csrss.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:592
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\dwm.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2648
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4764
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\wininit.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2188
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\en-US\smss.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1920
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\de-DE\cmd.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1284
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4864
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\conhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4220
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\SearchUI.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4412
          • C:\Program Files\MSBuild\dwm.exe
            "C:\Program Files\MSBuild\dwm.exe"
            5⤵
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4900
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uOEGMIRuqZ.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:5244
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:5160
                • C:\Program Files\MSBuild\dwm.exe
                  "C:\Program Files\MSBuild\dwm.exe"
                  7⤵
                  • Executes dropped EXE
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:5980
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CxpWyGgMb4.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:6100
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:4528
                      • C:\Program Files\MSBuild\dwm.exe
                        "C:\Program Files\MSBuild\dwm.exe"
                        9⤵
                        • Executes dropped EXE
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:4476
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AvSbArq942.bat"
                          10⤵
                          • Suspicious use of WriteProcessMemory
                          PID:4304
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            11⤵
                              PID:3260
                            • C:\Program Files\MSBuild\dwm.exe
                              "C:\Program Files\MSBuild\dwm.exe"
                              11⤵
                              • Executes dropped EXE
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:396
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BmKXfVMxAz.bat"
                                12⤵
                                  PID:5400
                                  • C:\Windows\system32\w32tm.exe
                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                    13⤵
                                      PID:4188
                                    • C:\Program Files\MSBuild\dwm.exe
                                      "C:\Program Files\MSBuild\dwm.exe"
                                      13⤵
                                      • Executes dropped EXE
                                      • Modifies registry class
                                      PID:5568
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NczlPfxoCy.bat"
                                        14⤵
                                          PID:5304
                                          • C:\Windows\system32\w32tm.exe
                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                            15⤵
                                              PID:4232
                                            • C:\Program Files\MSBuild\dwm.exe
                                              "C:\Program Files\MSBuild\dwm.exe"
                                              15⤵
                                              • Executes dropped EXE
                                              • Modifies registry class
                                              PID:412
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p6CE4ikEee.bat"
                                                16⤵
                                                  PID:4248
                                                  • C:\Windows\system32\w32tm.exe
                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                    17⤵
                                                      PID:4716
                                                    • C:\Program Files\MSBuild\dwm.exe
                                                      "C:\Program Files\MSBuild\dwm.exe"
                                                      17⤵
                                                      • Executes dropped EXE
                                                      • Modifies registry class
                                                      PID:364
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zGIMjSYhT8.bat"
                                                        18⤵
                                                          PID:3816
                                                          • C:\Windows\system32\w32tm.exe
                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                            19⤵
                                                              PID:5800
                                                            • C:\Program Files\MSBuild\dwm.exe
                                                              "C:\Program Files\MSBuild\dwm.exe"
                                                              19⤵
                                                              • Executes dropped EXE
                                                              • Modifies registry class
                                                              PID:2612
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat"
                                                                20⤵
                                                                  PID:4776
                                                                  • C:\Windows\system32\w32tm.exe
                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                    21⤵
                                                                      PID:2232
                                                                    • C:\Program Files\MSBuild\dwm.exe
                                                                      "C:\Program Files\MSBuild\dwm.exe"
                                                                      21⤵
                                                                      • Executes dropped EXE
                                                                      • Modifies registry class
                                                                      PID:4540
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\daA37ewxym.bat"
                                                                        22⤵
                                                                          PID:1224
                                                                          • C:\Windows\system32\w32tm.exe
                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                            23⤵
                                                                              PID:3724
                                                                            • C:\Program Files\MSBuild\dwm.exe
                                                                              "C:\Program Files\MSBuild\dwm.exe"
                                                                              23⤵
                                                                              • Executes dropped EXE
                                                                              • Modifies registry class
                                                                              PID:4312
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\53OVnhiNRT.bat"
                                                                                24⤵
                                                                                  PID:3800
                                                                                  • C:\Windows\system32\w32tm.exe
                                                                                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                    25⤵
                                                                                      PID:1120
                                                                                    • C:\Program Files\MSBuild\dwm.exe
                                                                                      "C:\Program Files\MSBuild\dwm.exe"
                                                                                      25⤵
                                                                                      • Executes dropped EXE
                                                                                      • Modifies registry class
                                                                                      PID:4700
                                                                                      • C:\Windows\System32\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZZzsG8LzQB.bat"
                                                                                        26⤵
                                                                                          PID:2392
                                                                                          • C:\Windows\system32\w32tm.exe
                                                                                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                            27⤵
                                                                                              PID:4912
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4200
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\odt\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4380
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4332
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4340
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3652
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5040
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5024
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4940
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5036
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4608
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3176
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3880
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4304
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 8 /tr "'C:\odt\SearchUI.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4180
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4680
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 12 /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4556
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 13 /tr "'C:\odt\SearchUI.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4476
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4512
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 11 /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4460
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\odt\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4504
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4436
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:860
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4656
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4344
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2572
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1872
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1052
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:944
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\odt\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1432
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:816
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:844
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\en-US\smss.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:908
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\smss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:1944
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\en-US\smss.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:3116
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:188
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:200
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:3256
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\de-DE\cmd.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:4640
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\cmd.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:2236
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\de-DE\cmd.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:2208
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:1440
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:676
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:752
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Package Cache\conhost.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:744
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\conhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:2108
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Package Cache\conhost.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:2240
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\SearchUI.exe'" /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:2408
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Users\Admin\SearchUI.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:2904
                                        • C:\Windows\system32\schtasks.exe
                                          schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\SearchUI.exe'" /rl HIGHEST /f
                                          1⤵
                                          • Process spawned unexpected child process
                                          • Creates scheduled task(s)
                                          PID:2716
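The schtasks.exe invocations listed above are the sample's persistence layer: every dropped binary borrows a Windows system-process name (csrss, dwm, wininit, smss, services, cmd, conhost, SearchUI, Idle), is planted in a directory where that name does not belong, and receives an ONLOGON task plus one or two MINUTE-interval tasks, most with /rl HIGHEST. The following Python is added here as a worked example; it is not part of the sandbox report and not code from the sample. It parses command lines of this shape, groups them by target binary, flags the pattern, and emits the schtasks /delete lines a responder would run. The SYSTEM_BINARIES and TRUSTED_DIRS tables are my own assumptions about a clean install, and SAMPLE copies seven of the command lines above.

```python
import re
from collections import defaultdict

# Names that, on a clean install, exist only under TRUSTED_DIRS (assumption).
# "idle.exe" is not a real file at all: "System Idle Process" is a kernel
# pseudo-process, DCRat just borrows the name.
SYSTEM_BINARIES = {
    "csrss.exe", "dwm.exe", "wininit.exe", "smss.exe", "services.exe",
    "cmd.exe", "conhost.exe", "searchui.exe", "idle.exe",
}
TRUSTED_DIRS = (
    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
    "c:\\windows\\systemapps\\",   # SearchUI.exe (Cortana) lives here
)

_OPT = {  # one regex per schtasks /create option we care about
    "name":      re.compile(r'/tn\s+"([^"]*)"', re.I),
    "target":    re.compile(r'/tr\s+"([^"]*)"', re.I),
    "schedule":  re.compile(r'/sc\s+(\S+)', re.I),
    "modifier":  re.compile(r'/mo\s+(\d+)', re.I),
    "run_level": re.compile(r'/rl\s+(\S+)', re.I),
}

def parse_schtasks(cmdline):
    """Extract the /create options from one schtasks command line.
    Returns None for command lines that do not create a task."""
    if not re.search(r'schtasks(\.exe)?\s.*?/create\b', cmdline, re.I):
        return None
    task = {}
    for key, rx in _OPT.items():
        m = rx.search(cmdline)
        task[key] = m.group(1) if m else None
    if task["target"]:
        # DCRat wraps the path in '...' inside the "..." argument
        task["target"] = task["target"].strip("'")
    return task

def task_findings(task):
    """Heuristics that fire on a single parsed task."""
    findings = []
    path = (task["target"] or "").lower()
    base = path.rsplit("\\", 1)[-1]
    stem = base[:-4] if base.endswith(".exe") else base
    if base in SYSTEM_BINARIES and not path.startswith(TRUSTED_DIRS):
        findings.append("system-binary name outside its Windows directory (masquerading)")
    if (task["run_level"] or "").upper() == "HIGHEST":
        findings.append("runs with highest privileges")
    if (task["schedule"] or "").upper() == "MINUTE" and task["modifier"] \
            and int(task["modifier"]) <= 15:
        findings.append("re-launched every %s min" % task["modifier"])
    name = (task["name"] or "").lower()
    if stem and name in (stem, stem + stem[0]):   # "dwm"/"dwmd", "csrss"/"csrssc"
        findings.append("task name copied from the binary name")
    return findings

def triage(cmdlines):
    """Group creations by target binary. A target that gets an ONLOGON task
    plus MINUTE-interval tasks is the persistence pattern seen in the report."""
    by_target = defaultdict(list)
    for line in cmdlines:
        task = parse_schtasks(line)
        if task and task["target"]:
            by_target[task["target"]].append(task)
    report = {}
    for target, tasks in by_target.items():
        schedules = {(t["schedule"] or "").upper() for t in tasks}
        findings = set()
        for t in tasks:
            findings.update(task_findings(t))
        if {"ONLOGON", "MINUTE"} <= schedules:
            findings.add("logon trigger plus minute-interval relaunch")
        # /f overwrites an existing task of the same name, so only the
        # distinct names survive on the host.
        names = []
        for t in tasks:
            if t["name"] and t["name"] not in names:
                names.append(t["name"])
        report[target] = {"creates": len(tasks), "task_names": names,
                          "findings": sorted(findings)}
    return report

def cleanup_commands(cmdlines):
    """One `schtasks /delete` per surviving task name, for the IR runbook."""
    cmds = []
    for info in triage(cmdlines).values():
        for name in info["task_names"]:
            cmd = 'schtasks /delete /tn "%s" /f' % name
            if cmd not in cmds:
                cmds.append(cmd)
    return cmds

# Seven of the command lines from the report above (copied, not invented).
SAMPLE = [
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\dwm.exe'" /f''',
    r'''schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\dwm.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\dwm.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\SearchUI.exe'" /f''',
    r'''schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Users\Admin\SearchUI.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\SearchUI.exe'" /rl HIGHEST /f''',
]

if __name__ == "__main__":
    for target, info in triage(SAMPLE).items():
        print(target, info)
    print("\n".join(cleanup_commands(SAMPLE)))
```

Two points worth noticing when reading the output. The two MINUTE tasks per binary share a name (for example "dwmd"), and /f makes the later creation overwrite the earlier one, so the host ends up with two tasks per dropped binary rather than three; the report's 48 "Creates scheduled task(s)" events therefore overstate the number of tasks that survive. Deleting the tasks also does not remove the dropped executables themselves, which are listed with hashes in the Downloads section. On a live host the command lines to feed into triage() come from the Sysmon/4688 process-creation log or from the task definitions under C:\Windows\System32\Tasks, not from a sandbox report.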

                                        Network

                                              MITRE ATT&CK Enterprise v6

                                              Downloads

                                              • C:\Program Files\MSBuild\dwm.exe (written 12 times during the run; every copy has the same size and hashes)

                                                Filesize

                                                1.0MB

                                                MD5

                                                bd31e94b4143c4ce49c17d3af46bcad0

                                                SHA1

                                                f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                                SHA256

                                                b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                                SHA512

                                                f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

                                                Filesize

                                                1KB

                                                MD5

                                                d63ff49d7c92016feb39812e4db10419

                                                SHA1

                                                2307d5e35ca9864ffefc93acf8573ea995ba189b

                                                SHA256

                                                375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

                                                SHA512

                                                00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                Filesize

                                                3KB

                                                MD5

                                                ad5cd538ca58cb28ede39c108acb5785

                                                SHA1

                                                1ae910026f3dbe90ed025e9e96ead2b5399be877

                                                SHA256

                                                c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

                                                SHA512

                                                c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                1KB

                                                MD5

                                                4dd63e07607ba0ddffea2322a093b96a

                                                SHA1

                                                388b4318a9662adb8b08b11a58e021d479f97ae9

                                                SHA256

                                                c0ad0fc641c5a85a002805a44b1412ee20e6982517b51927e2adb48606cc920c

                                                SHA512

                                                38e975456e95ea2b1acebf92e6baedac67801454d0f9a487939f5b57d1ad14c16c825c152a922a0d609f69241d78abfed2a73bcad8257d65d2017efa0218293d

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                1KB

                                                MD5

                                                3a664255c97733804f7f63100d93cbd6

                                                SHA1

                                                a3075d899b36ee98e9cc2f85c9eb8df3a20abcf9

                                                SHA256

                                                ab128874f205d3d7c305b6a8ab946e8268da98093110046ec42693e563040dce

                                                SHA512

                                                3a36b4e8c6a1e8376ba667813a87f615deeb0b533d52a38941a0cd23b57fe10a8c2b12db6828d7c7ce345527eb1a45c64adf4bcd46d77576288d2b4b946dc813

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                1KB

                                                MD5

                                                94aca9ba1f84a489b4e97898bca4539b

                                                SHA1

                                                32bb3571fe4739ace62cf8704e039bbeead2939f

                                                SHA256

                                                17c0363e17f591bf9f53fab05ff46b37ea6a6d78c807b05ce07367c065286e79

                                                SHA512

                                                7430b7583ac55ee15f6c4bf8ae32d486dc6f0e187a040738e8e53785c4df1b722103eebb7970a985b96b5ae9746478376815913ba7d4a2a9e1029c4910af47be

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                1KB

                                                MD5

                                                e9ba28f2d4217a343c8648d22fbe9737

                                                SHA1

                                                07b1892d6330f61f2ead872cd41a60ab19f403a0

                                                SHA256

                                                da824bc99d5c24d7ca83e1e1cfee8288b7ad61736c3f143d816171b2044a4b73

                                                SHA512

                                                29e202086d319135bb79ffd233e7b58eab0e7888485baaece1bc3a478b862c712ce061d1dd29017cb67ef0fe66037ec725996e19203a3f046ee46f94cfa35c35

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                1KB

                                                MD5

                                                bcd75daea7963167d3f8e40ba986ee7e

                                                SHA1

                                                6e0535c54ab8f7708932ba2f9674a2a6962c3943

                                                SHA256

                                                99e82cbcc52a5f6b16bba8994228c35dba87abb8f047c5a210959b24c1f9b88f

                                                SHA512

                                                38b27ccf948d4a81eaff88b8358cd5ec1e4ed688c743436302eaa39866ffdade4b4d5567b146211d633d3d64626899de7637e4780d5b6412c19cdebc4edc2268

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                1KB

                                                MD5

                                                d95a9865506ac32268c0388f8549a004

                                                SHA1

                                                30d102f0d293abe78b4594933dfceaaed69c2706

                                                SHA256

                                                17b28959d997b5a2e0d6a7ab08798a76e7a7c3b37ed1a6494a5e90ddb844e08f

                                                SHA512

                                                ff4fddb63ec196a5e0851866df4dc322ceb9e3c5b3817c30fc481b9acbaa9404479dcb990b935fb330e525fa90896852b35533a470dba9036483239fb87c482e

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                Filesize

                                                1KB

                                              • C:\Users\Admin\AppData\Local\Temp\53OVnhiNRT.bat

                                                Filesize

                                                197B

                                              • C:\Users\Admin\AppData\Local\Temp\AvSbArq942.bat

                                                Filesize

                                                197B

                                              • C:\Users\Admin\AppData\Local\Temp\BmKXfVMxAz.bat

                                                Filesize

                                                197B

                                              • C:\Users\Admin\AppData\Local\Temp\CxpWyGgMb4.bat

                                                Filesize

                                                197B

                                              • C:\Users\Admin\AppData\Local\Temp\NczlPfxoCy.bat

                                                Filesize

                                                197B

                                              • C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat

                                                Filesize

                                                197B

                                              • C:\Users\Admin\AppData\Local\Temp\ZZzsG8LzQB.bat

                                                Filesize

                                                197B

                                              • C:\Users\Admin\AppData\Local\Temp\daA37ewxym.bat

                                                Filesize

                                                197B

                                              • C:\Users\Admin\AppData\Local\Temp\p6CE4ikEee.bat

                                                Filesize

                                                197B

                                              • C:\Users\Admin\AppData\Local\Temp\uOEGMIRuqZ.bat

                                                Filesize

                                                197B

                                              • C:\Users\Admin\AppData\Local\Temp\zGIMjSYhT8.bat

                                                Filesize

                                                197B

                                              • C:\providercommon\1zu9dW.bat

                                                Filesize

                                                36B

                                              • C:\providercommon\DllCommonsvc.exe

                                                Filesize

                                                1.0MB

                                              • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                                Filesize

                                                197B

                                              • memory/364-943-0x0000000001760000-0x0000000001772000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/396-926-0x00000000028D0000-0x00000000028E2000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/412-937-0x00000000009E0000-0x00000000009F2000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/1920-418-0x000001CBF89A0000-0x000001CBF8A16000-memory.dmp

                                                Filesize

                                                472KB

                                              • memory/2720-373-0x00000291E9620000-0x00000291E9642000-memory.dmp

                                                Filesize

                                                136KB

                                              • memory/4696-153-0x0000000077740000-0x00000000778CE000-memory.dmp

                                                Filesize

                                                1.6MB


                                              • memory/4696-139-0x0000000077740000-0x00000000778CE000-memory.dmp

                                                Filesize

                                                1.6MB

                                              • memory/4696-138-0x0000000077740000-0x00000000778CE000-memory.dmp

                                                Filesize

                                                1.6MB

                                              • memory/4696-137-0x0000000077740000-0x00000000778CE000-memory.dmp

                                                Filesize

                                                1.6MB

                                              • memory/4696-133-0x0000000077740000-0x00000000778CE000-memory.dmp

                                                Filesize

                                                1.6MB

                                              • memory/4696-136-0x0000000077740000-0x00000000778CE000-memory.dmp

                                                Filesize

                                                1.6MB

                                              • memory/4696-134-0x0000000077740000-0x00000000778CE000-memory.dmp

                                                Filesize

                                                1.6MB

                                              • memory/4696-135-0x0000000077740000-0x00000000778CE000-memory.dmp

                                                Filesize

                                                1.6MB

                                              • memory/4700-964-0x0000000001090000-0x00000000010A2000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/4772-288-0x0000000000FF0000-0x0000000000FFC000-memory.dmp

                                                Filesize

                                                48KB

                                              • memory/4772-285-0x00000000009D0000-0x0000000000AE0000-memory.dmp

                                                Filesize

                                                1.1MB

                                              • memory/4772-286-0x0000000000FE0000-0x0000000000FF2000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/4772-289-0x0000000001020000-0x000000000102C000-memory.dmp

                                                Filesize

                                                48KB

                                              • memory/4772-287-0x0000000001010000-0x000000000101C000-memory.dmp

                                                Filesize

                                                48KB

                                              • memory/4900-388-0x0000000000FB0000-0x0000000000FC2000-memory.dmp

                                                Filesize

                                                72KB

                                              • memory/5056-185-0x0000000077740000-0x00000000778CE000-memory.dmp

                                                Filesize

                                                1.6MB

                                              • memory/5056-184-0x0000000077740000-0x00000000778CE000-memory.dmp

                                                Filesize

                                                1.6MB