Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    01/11/2022, 11:41

General

  • Target

    6993b53f85ba0f40bb7eb332e3eef3877751acd544a9b96f5792d23cde8fe44d.exe

  • Size

    1.3MB

  • MD5

    3f08062dec8c3da63ec82160172de788

  • SHA1

    03a8656f37fa99ef74f693a38c53b0bfcf195b54

  • SHA256

    6993b53f85ba0f40bb7eb332e3eef3877751acd544a9b96f5792d23cde8fe44d

  • SHA512

    f1cac8a0b725e1ebff89c5224e6db8c315d78f8b335a2594d7f017d29b424fe8088cad8ce54021c4de1df1f3e5b2346c39ec9551e1bfa07ee7afb75a51062226

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Process spawned unexpected child process (45 IoCs)

    This typically indicates that the parent process was compromised via an exploit or macro.

  • DCRat payload (15 IoCs)

    Detects the payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE (12 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  • Drops file in Program Files directory (11 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) (1 TTP, 45 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class (12 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\6993b53f85ba0f40bb7eb332e3eef3877751acd544a9b96f5792d23cde8fe44d.exe
    "C:\Users\Admin\AppData\Local\Temp\6993b53f85ba0f40bb7eb332e3eef3877751acd544a9b96f5792d23cde8fe44d.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4248
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3576
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4496
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1316
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2500
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ELAMBKUP\cmd.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4980
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\explorer.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2056
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1944
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\spoolsv.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2868
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3904
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\My Documents\csrss.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2820
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SearchUI.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4688
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4568
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4644
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SearchUI.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3424
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3704
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\taskhostw.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3996
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3972
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5040
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\csrss.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5024
          • C:\providercommon\dllhost.exe
            "C:\providercommon\dllhost.exe"
            5⤵
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3060
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtQmBjXbDh.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:5472
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:5528
                • C:\providercommon\dllhost.exe
                  "C:\providercommon\dllhost.exe"
                  7⤵
                  • Executes dropped EXE
                  • Modifies registry class
                  • Suspicious use of WriteProcessMemory
                  PID:5704
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:5812
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      9⤵
                        PID:5868
                      • C:\providercommon\dllhost.exe
                        "C:\providercommon\dllhost.exe"
                        9⤵
                        • Executes dropped EXE
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:5888
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H7kUlUtrsw.bat"
                          10⤵
                          • Suspicious use of WriteProcessMemory
                          PID:5996
                          • C:\Windows\system32\w32tm.exe
                            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                            11⤵
                              PID:6052
                            • C:\providercommon\dllhost.exe
                              "C:\providercommon\dllhost.exe"
                              11⤵
                              • Executes dropped EXE
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:6072
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lLU0orPlEL.bat"
                                12⤵
                                • Suspicious use of WriteProcessMemory
                                PID:5200
                                • C:\Windows\system32\w32tm.exe
                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                  13⤵
                                    PID:5260
                                  • C:\providercommon\dllhost.exe
                                    "C:\providercommon\dllhost.exe"
                                    13⤵
                                    • Executes dropped EXE
                                    • Modifies registry class
                                    PID:5276
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gTQuRhIyam.bat"
                                      14⤵
                                        PID:4716
                                        • C:\Windows\system32\w32tm.exe
                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                          15⤵
                                            PID:5344
                                          • C:\providercommon\dllhost.exe
                                            "C:\providercommon\dllhost.exe"
                                            15⤵
                                            • Executes dropped EXE
                                            • Modifies registry class
                                            PID:5536
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat"
                                              16⤵
                                                PID:1464
                                                • C:\Windows\system32\w32tm.exe
                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                  17⤵
                                                    PID:4448
                                                  • C:\providercommon\dllhost.exe
                                                    "C:\providercommon\dllhost.exe"
                                                    17⤵
                                                    • Executes dropped EXE
                                                    • Modifies registry class
                                                    PID:4456
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B4BP5ZSgoJ.bat"
                                                      18⤵
                                                        PID:3212
                                                        • C:\Windows\system32\w32tm.exe
                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                          19⤵
                                                            PID:4732
                                                          • C:\providercommon\dllhost.exe
                                                            "C:\providercommon\dllhost.exe"
                                                            19⤵
                                                            • Executes dropped EXE
                                                            • Modifies registry class
                                                            PID:5600
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat"
                                                              20⤵
                                                                PID:4076
                                                                • C:\Windows\system32\w32tm.exe
                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                  21⤵
                                                                    PID:388
                                                                  • C:\providercommon\dllhost.exe
                                                                    "C:\providercommon\dllhost.exe"
                                                                    21⤵
                                                                    • Executes dropped EXE
                                                                    • Modifies registry class
                                                                    PID:4676
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AsgPmp9HNF.bat"
                                                                      22⤵
                                                                        PID:5012
                                                                        • C:\Windows\system32\w32tm.exe
                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                          23⤵
                                                                            PID:4904
                                                                          • C:\providercommon\dllhost.exe
                                                                            "C:\providercommon\dllhost.exe"
                                                                            23⤵
                                                                            • Executes dropped EXE
                                                                            • Modifies registry class
                                                                            PID:1836
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\989MOUOnUX.bat"
                                                                              24⤵
                                                                                PID:696
                                                                                • C:\Windows\system32\w32tm.exe
                                                                                  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                  25⤵
                                                                                    PID:3904
                                                                                  • C:\providercommon\dllhost.exe
                                                                                    "C:\providercommon\dllhost.exe"
                                                                                    25⤵
                                                                                    • Executes dropped EXE
                                                                                    • Modifies registry class
                                                                                    PID:3076
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F4MZx53eLu.bat"
                                                                                      26⤵
                                                                                        PID:4544
                                                                                        • C:\Windows\system32\w32tm.exe
                                                                                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                          27⤵
                                                                                            PID:5068
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4596
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4924
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4900
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Windows\ELAMBKUP\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:508
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\ELAMBKUP\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4476
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Windows\ELAMBKUP\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4464
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1000
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4500
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3184
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3200
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3076
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:656
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\My Documents\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4772
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4760
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\My Documents\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4704
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4744
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4752
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4660
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 7 /tr "'C:\providercommon\SearchUI.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1360
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\providercommon\SearchUI.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:60
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 9 /tr "'C:\providercommon\SearchUI.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:916
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\odt\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:820
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1848
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1744
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\providercommon\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1620
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2160
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2292
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1584
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1332
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
                                        PID:2392
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:3796
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:1192
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:792
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 13 /tr "'C:\providercommon\SearchUI.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:3400
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\providercommon\SearchUI.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:3396
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 14 /tr "'C:\providercommon\SearchUI.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:3412
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:188
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:204
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:212
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\providercommon\explorer.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:304
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2208
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2756
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\taskhostw.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2188
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\L2Schemas\taskhostw.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2480
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\taskhostw.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:1212

                                      Network

                                            MITRE ATT&CK Enterprise v6

                                            Downloads

                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

                                              Filesize

                                              1KB

                                              MD5

                                              d63ff49d7c92016feb39812e4db10419

                                              SHA1

                                              2307d5e35ca9864ffefc93acf8573ea995ba189b

                                              SHA256

                                              375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

                                              SHA512

                                              00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                              Filesize

                                              3KB

                                              MD5

                                              ad5cd538ca58cb28ede39c108acb5785

                                              SHA1

                                              1ae910026f3dbe90ed025e9e96ead2b5399be877

                                              SHA256

                                              c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

                                              SHA512

                                              c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              84f0ee796ef63ebeb2840c0319b52514

                                              SHA1

                                              1cbe24f52959c91056b27e69dade88d59995f39e

                                              SHA256

                                              6dd0a6bf4fc0aae88b19eda65013b4852ed0366322b6e5ffb9032309f1838ed5

                                              SHA512

                                              68595ba944477478b2d87a4d4f630f71452423f688594c65330a3df2693c4b41a4b4c61a17744cedaa7c4f99dbfa019a1040edc30111c0701d6cf626ed742c87

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              0254001c1d00e45465706c1ea9ba803f

                                              SHA1

                                              dcb753772f1c27fceb06a17ea7204dcca1d84663

                                              SHA256

                                              e36f91375f5774c5b0e62006fba90699e60b8c20676cb4955cf97cf245049c27

                                              SHA512

                                              f0b9870df6ec5c3a644685d36066409dfaa7db628b2db5f74965f961734bded2324340065fdc7e5719122bbecf22c5f90a46f2f83de1350cade1d6372bf35095

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              b533160f31dbbb5a1826bc88d206d05b

                                              SHA1

                                              fa44f7b545ea8fcbdabc014b9a8c8e43637872a5

                                              SHA256

                                              7fdc4efd759f9c40f69634077dcccf70d6b786b69f39334b9fa96edce6d24c26

                                              SHA512

                                              583b31a73d1a074736f8027d038570150bd92153f6a03e7b668b7c6a9f7ba3d2699fd51bbeb282ae94992cf5e105e809c9dda1a43ae61ed4c6869661a2fdbe53

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              51b27223e327ca9e2c267cc869b6f5b1

                                              SHA1

                                              becbb554e2305e818331a7ba1e4703ffa12913f2

                                              SHA256

                                              c7aa373bea9de4ae95d4d202e5834b37c2529f8b20b995ae4692f85c92f1dfad

                                              SHA512

                                              f3e1da6fe772b0d1d37a7b613e50dd724f783a6e7651ecbab473b21a9c96d61aea806780816d550af4a3b38c0e70b0b0d1a6a9cff5cd7eacf3b9e4e791e9aaeb

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              24cafba099dbe70d35438be636f9c629

                                              SHA1

                                              0fa52af1b1c4939d841c2ad37b19cbe692b7fdc7

                                              SHA256

                                              d16191dca2e343716f5919a12b2f9403b2949eb93880fd591afccea1575016f3

                                              SHA512

                                              df944cec6dfd5f9f2e44f4eeb39bccd42f5f0863df89a6ee110b7d8161fceed9f9a5293af7455d13593ae2d5b01e293c473642267c6f6c7b6dbbf387e645b5be

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              ea8eb4c93b171a1bd8f78c2f8d3c5f91

                                              SHA1

                                              c974b8f55f8e9523e09efcca15e98bbc3fdaecf9

                                              SHA256

                                              c28a2524ce1c2ae80134f7706c2635ebab867c3f72a765c379e52a39f6b33eaa

                                              SHA512

                                              842566248d47165c75a0c8a0c68a5c4a86b53dcaa847bc87e68f009a806cd985845976ae2a0268e7951f580f1cb850398a73e3c18be18d142619b23987b73878

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              13f2c453c15b89b97f1acb91f3534286

                                              SHA1

                                              b242be1472270a92e1e2d9301ddbf8381cdfcbad

                                              SHA256

                                              bf834352853ee87a849d402660e739c7fa7e601a238a387a19c3066c5005ba41

                                              SHA512

                                              e10e561ecb20f21f71ae64d296e74eb35ef8d10dd36bfaa87bdc3adc17fddfdf90fc0edee0433d16e9664e04283ec2cfc6a46d2e1b5dd9325e7082dd110b6766

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              763149d014a7ddf2ad863a0e819bd1c2

                                              SHA1

                                              f5de8a47c4f472156c9cf2074a1b1a29e47b1540

                                              SHA256

                                              91caad5c7b34eccb86cbb5b2b8b7f528f57b734613b0968d0789d8f56ff26dda

                                              SHA512

                                              7affb43ca2e83e785846365f62a5333ca4c4b7adb0983637705e88f20e6b37551610d6b0280197729d995089fd9480f849fc287d4eb93160e7e19157bfd86a3c

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              4fa1a5ed0b5a4405fd738cee04ab3ddc

                                              SHA1

                                              29aea989663d67ce25316f6c1ef2a7f827b919c7

                                              SHA256

                                              e88d533dd98636ff7d096c9e8718647b7d039e7d8a00a05651004c3d1fb153c4

                                              SHA512

                                              0e6f1cdafe07e675f7c01847437647ead27bf75297223ac13fa29235a77f7b2ad0fd67819e7efa150cf2b8e2233b163c07ef256cabf5883f9d99bc5487034035

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              374f110164d9beec260f38b402a46831

                                              SHA1

                                              2395c7f81b95b2e7869e3fd661327609e791ddb5

                                              SHA256

                                              ce6caa88628ce18c4bf6cc51c359eba292555a300f65e097b3127b392f2fe16c

                                              SHA512

                                              25215a37ef2208e9fc40814c3e9c65fe6e6cb4d08dbb0ae60688cc74fd90ac2424af55121a7d48057dd4e9d905cee30641c8d39ada6b5ca1d7a79728f0066381

                                            • C:\Users\Admin\AppData\Local\Temp\989MOUOnUX.bat

                                              Filesize

                                              194B

                                              MD5

                                              2fec1a154b940e9c344f90e0ed3213ec

                                              SHA1

                                              e1132b2f9f9bdc18d0ea3ca4103bf2fa7dc4e09e

                                              SHA256

                                              2c1abba318dabe3a3d9a843e6c0deb8a864e28875de07c1a137195102d01365e

                                              SHA512

                                              f8ec89a5fc6aabab4f547c6b78fd0fc44cf12eeeeb1e8d5b4e44f580b3d9c486f80dd4ec515090ed7f422dc2b2ae9fb661c8e93779cd2914189eee0e36a6e64f

                                            • C:\Users\Admin\AppData\Local\Temp\AsgPmp9HNF.bat

                                              Filesize

                                              194B

                                              MD5

                                              b7aaae1a89ba2fbdfa88a27ea4df1eb7

                                              SHA1

                                              6b7de573a630a6f38a8466d514f2e426ba1e1b1c

                                              SHA256

                                              ea41674c77b4126cefcc79ea00521a1357a0c634c01ac3a20cd89ee9e234e550

                                              SHA512

                                              69994803c116affd5123f29a640cee4d6b6eec4baab73aca904115f0a2fc93ab0c04930e750c13ada8730a03f75a05d9ad052a8d5c9c9ba37dd76007c87cfbd2

                                            • C:\Users\Admin\AppData\Local\Temp\B4BP5ZSgoJ.bat

                                              Filesize

                                              194B

                                              MD5

                                              045ba6530ca6e9b502dc6645a47ee518

                                              SHA1

                                              29b76f83a95a42fe8c04633447dd7b1eea29211c

                                              SHA256

                                              1406bbfdcde2c6d608884b289ba7c55eb3f76cdd0ade2a0c4dae6b1f21f98970

                                              SHA512

                                              842551a34556c1d3b2228aab1755bf0e4ffb6354ef167924f59cb5a27fb4af73ab15269bce327accc6755409ebec97e6032093cc72f021e8460a7f3e594cd2e4

                                            • C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat

                                              Filesize

                                              194B

                                              MD5

                                              b3cfbde2503a29d1c22bfeb58f72e377

                                              SHA1

                                              7c7138eb99515dbd35f5e2cb81878ca9cb74395b

                                              SHA256

                                              23e4b04f51326bb8b9bc9facc29d0d21e98f4b040381e09aad4134a9d5df4bcb

                                              SHA512

                                              e53d3b83337e6c4f1138c5c6b5a945114fe50b2e209f46a317ee0a22442decb26aab4c41c462e0cd25abaabce4676de3e6bf0a4baca27ff9ec0dbf07c89cb13d

                                            • C:\Users\Admin\AppData\Local\Temp\F4MZx53eLu.bat

                                              Filesize

                                              194B

                                              MD5

                                              26ee6df37223b5dc5dab7058ed3493d1

                                              SHA1

                                              43d7c938037168ab9fbc27903569da9bee42ed8b

                                              SHA256

                                              5159b4ed7cdf6fac09f16d09be7af42dc151fe0bface7530261fc72483bc7305

                                              SHA512

                                              27ff69be18258da1421a40020f012448519b36d9cdd096df1bbd2a0a0f1ca295b7ee07816cda412cb604bcecf75e15affabf36ec4ef1401c30d5ca340b6f39e0

                                            • C:\Users\Admin\AppData\Local\Temp\H7kUlUtrsw.bat

                                              Filesize

                                              194B

                                              MD5

                                              92f2df47aebdf101a031bc9165034f7b

                                              SHA1

                                              04939ec7074e06e13aeb635108f4f636f65881c6

                                              SHA256

                                              01269acbbb58419d195e7d880a65af9182f1a93f75816088131e7810269aae0e

                                              SHA512

                                              6b629e9278fb94ccc93933b51b188ee8a9d5815b816a7d8f787d28a3ea5173b4fb07c855c91ffe67e66c117d85cdc61eb076cdda814e12f962c1df265f203277

                                            • C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat

                                              Filesize

                                              194B

                                              MD5

                                              5bb71e5aaeb8cb4b887ba0d7571c4e4c

                                              SHA1

                                              1fb0be7d8b6b0b848fa027b9b5a2e9959dd07ec8

                                              SHA256

                                              3f3c7968e8328abe7aa2112acbb2c2d5d370b19a52c6127db38ad23e4253883a

                                              SHA512

                                              f9260a50991f9bb3f0c90673afc1f529f1335268cb081199a9378e62bf16f387935641f8079de89c59ffcd294b75dc4de3b21cb10a77572b8ea76f9db14e961a

                                            • C:\Users\Admin\AppData\Local\Temp\WtQmBjXbDh.bat

                                              Filesize

                                              194B

                                              MD5

                                              46253a1aade2967e02dd198fccaa7515

                                              SHA1

                                              72e8fa18f1b286c06eaa5e8809ad3c57be87b263

                                              SHA256

                                              24488651f168fddec4e341787288784df99fe548fc45d8b213e67da3ed5cc495

                                              SHA512

                                              560621708567a94eb4498f8ff7b8d698cc6d539d34827775b01a1811b2a85282815f4b0d05cd63aa7f5eafc0d3d36ea1f0725214a2b1a3bbdedff31e06409d45

                                            • C:\Users\Admin\AppData\Local\Temp\gTQuRhIyam.bat

                                              Filesize

                                              194B

                                              MD5

                                              df52fc6ab41da3949bb7d2fbe457d77f

                                              SHA1

                                              89a55fdb9cadbe7119c5fdfde3a22d60ca78dfff

                                              SHA256

                                              45644411eb5a0081800a1efb1bc0b3a2d297423b485e7f9813cd4b1f57ae0918

                                              SHA512

                                              6706f55e765ccb60b25f562823b434c8465c3ceb8f243a8644ce7deca40880ada52dfecc1e83257a391a6890b2e7b356edca06a2fa746dcee6a7de1ec48bf1c7

                                            • C:\Users\Admin\AppData\Local\Temp\lLU0orPlEL.bat

                                              Filesize

                                              194B

                                              MD5

                                              524ba7d1f241d0ebc81dc96458de1cae

                                              SHA1

                                              48a8031332e17dcd42a7c083262891c13fcf9bc4

                                              SHA256

                                              ae0ed97eae4ee407c38e43f74fed33b50fa392dbcf36030d807d46862f3416ff

                                              SHA512

                                              3397be6ad91aa3b381178b46016394018f09f6cd63cb5b9231a16ccb1f91845f605a80ec4d0bea77567debeabd80cb2065554fe83bad765492a120c3d7d80435

                                            • C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat

                                              Filesize

                                              194B

                                              MD5

                                              288065600cb3e759be3df0543f2f8a16

                                              SHA1

                                              0d13e4a688106f01221ac2b0a9b0d1576a7afde3

                                              SHA256

                                              77bf94a48f3fb56b0360ab1a7cd0714d8b4f7e312414b3c73f18db5cd697dfc3

                                              SHA512

                                              c925a784071172963f4eebd94dffade9f845c48b1ad0bbcc597b5f3fd4da643027eba81ae7023eba2733d115b97b3e8ee8ccaed0da3855bf2b9c23042210ba54

                                            • C:\providercommon\1zu9dW.bat

                                              Filesize

                                              36B

                                              MD5

                                              6783c3ee07c7d151ceac57f1f9c8bed7

                                              SHA1

                                              17468f98f95bf504cc1f83c49e49a78526b3ea03

                                              SHA256

                                              8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                                              SHA512

                                              c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                                            • C:\providercommon\DllCommonsvc.exe (2 identical drop events recorded; one shown)

                                              Filesize

                                              1.0MB

                                              MD5

                                              bd31e94b4143c4ce49c17d3af46bcad0

                                              SHA1

                                              f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                              SHA256

                                              b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                              SHA512

                                              f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                            • C:\providercommon\dllhost.exe (12 identical drop events recorded, one shown; hashes match DllCommonsvc.exe above, so both paths carry the same binary)

                                              Filesize

                                              1.0MB

                                              MD5

                                              bd31e94b4143c4ce49c17d3af46bcad0

                                              SHA1

                                              f8c51ff3ff909531d9469d4ba1bbabae101853ff

                                              SHA256

                                              b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                                              SHA512

                                              f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                                            • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

                                              Filesize

                                              197B

                                              MD5

                                              8088241160261560a02c84025d107592

                                              SHA1

                                              083121f7027557570994c9fc211df61730455bb5

                                              SHA256

                                              2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                                              SHA512

                                              20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                                            • memory/1316-289-0x0000000000E10000-0x0000000000E1C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/1316-288-0x0000000000E00000-0x0000000000E0C000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/1316-287-0x0000000000DF0000-0x0000000000DFC000-memory.dmp

                                              Filesize

                                              48KB

                                            • memory/1316-285-0x0000000000540000-0x0000000000650000-memory.dmp

                                              Filesize

                                              1.1MB

                                            • memory/1316-286-0x0000000000DE0000-0x0000000000DF2000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/1836-907-0x0000000000F60000-0x0000000000F72000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/2500-373-0x0000022EB8EA0000-0x0000022EB8EC2000-memory.dmp

                                              Filesize

                                              136KB

                                            • memory/2500-377-0x0000022ED11C0000-0x0000022ED1236000-memory.dmp

                                              Filesize

                                              472KB

                                            • memory/3060-431-0x0000000001030000-0x0000000001042000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/3576-184-0x0000000076E80000-0x000000007700E000-memory.dmp (same region dumped twice for PID 3576, indices 184 and 185; one shown)

                                              Filesize

                                              1.6MB

                                            • memory/4248-119-0x0000000076E80000-0x000000007700E000-memory.dmp (same region dumped 62 times for PID 4248, indices 119 to 182 excluding 123 and 126; one shown, the others differ only in the index)

                                              Filesize

                                              1.6MB

                                            • memory/4456-890-0x0000000000A40000-0x0000000000A52000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/5600-896-0x0000000002A70000-0x0000000002A82000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/5704-862-0x00000000007A0000-0x00000000007B2000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/5888-868-0x0000000000960000-0x0000000000972000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/6072-874-0x0000000000B80000-0x0000000000B92000-memory.dmp

                                              Filesize

                                              72KB
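The dropped-file and memory-dump lists above are easier to act on once collapsed by hash and by address region. The Python below is an added example written for this page, not part of the sandbox report or of the analysed sample: it de-duplicates the dropped files by SHA-256 (which shows that dllhost.exe and DllCommonsvc.exe are one binary under two names), parses the memory/PID-IDX-START-END dump names, recomputes the sizes the report prints using the rounding seen in the listed values, groups repeated dumps of one region, and flags regions within a PID whose address ranges overlap. The embedded entries are copied from this page (a subset of the repeated ones); the function names are the example's own.

```python
"""Collapse a sandbox report's dropped-file and memory-dump lists into a
de-duplicated IoC set.  Added example for this page, not the report's code."""
import re
from collections import defaultdict

# Dropped files as (path, reported size, SHA-256), copied from the report
# above.  A representative subset: the report repeats the two .exe paths
# many more times, always with these hashes.
DROPPED = [
    ("C:\\providercommon\\DllCommonsvc.exe", "1.0MB",
     "b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63"),
    ("C:\\providercommon\\DllCommonsvc.exe", "1.0MB",
     "b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63"),
    ("C:\\providercommon\\dllhost.exe", "1.0MB",
     "b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63"),
    ("C:\\providercommon\\dllhost.exe", "1.0MB",
     "b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63"),
    ("C:\\providercommon\\1zu9dW.bat", "36B",
     "8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322"),
    ("C:\\Users\\Admin\\AppData\\Local\\Temp\\J2mXRZwkCj.bat", "194B",
     "3f3c7968e8328abe7aa2112acbb2c2d5d370b19a52c6127db38ad23e4253883a"),
    ("C:\\Users\\Admin\\AppData\\Local\\Temp\\WtQmBjXbDh.bat", "194B",
     "24488651f168fddec4e341787288784df99fe548fc45d8b213e67da3ed5cc495"),
]

# Memory-dump names copied from the report above (three of the 62 recorded
# for PID 4248, all of PID 1316 and PID 2500).
MEMORY = [
    "memory/1316-289-0x0000000000E10000-0x0000000000E1C000-memory.dmp",
    "memory/1316-288-0x0000000000E00000-0x0000000000E0C000-memory.dmp",
    "memory/1316-287-0x0000000000DF0000-0x0000000000DFC000-memory.dmp",
    "memory/1316-285-0x0000000000540000-0x0000000000650000-memory.dmp",
    "memory/1316-286-0x0000000000DE0000-0x0000000000DF2000-memory.dmp",
    "memory/2500-373-0x0000022EB8EA0000-0x0000022EB8EC2000-memory.dmp",
    "memory/2500-377-0x0000022ED11C0000-0x0000022ED1236000-memory.dmp",
    "memory/4248-120-0x0000000076E80000-0x000000007700E000-memory.dmp",
    "memory/4248-182-0x0000000076E80000-0x000000007700E000-memory.dmp",
    "memory/4248-119-0x0000000076E80000-0x000000007700E000-memory.dmp",
]

DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def dedupe_by_hash(entries):
    """One record per distinct SHA-256: every path the bytes were written to
    and how many drop events the report recorded for them."""
    records = {}
    for path, size, sha256 in entries:
        rec = records.setdefault(sha256, {"size": size, "paths": set(), "events": 0})
        rec["paths"].add(path)
        rec["events"] += 1
    return records


def parse_dump(name):
    """Split 'memory/PID-IDX-0xSTART-0xEND-memory.dmp' into (pid, idx, start, end)."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    pid, idx, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    if end <= start:
        raise ValueError(f"empty or inverted region: {name}")
    return pid, idx, start, end


def human_size(nbytes):
    """Format a byte count the way the report does (48KB, 1.1MB, 1.6MB)."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    if nbytes >= 1 << 10:
        return f"{round(nbytes / (1 << 10))}KB"
    return f"{nbytes}B"


def group_regions(names):
    """Collapse repeated dumps of one (pid, start, end) region into
    {(pid, start, end): {"size": bytes, "indices": sorted dump indices}}."""
    grouped = defaultdict(lambda: {"size": 0, "indices": []})
    for name in names:
        pid, idx, start, end = parse_dump(name)
        grouped[(pid, start, end)]["size"] = end - start
        grouped[(pid, start, end)]["indices"].append(idx)
    for rec in grouped.values():
        rec["indices"].sort()
    return dict(grouped)


def overlapping_regions(grouped):
    """Pairs of dumped regions within one PID whose address ranges overlap;
    the report lists them as separate dumps, so review them before counting
    each as a distinct artefact."""
    by_pid = defaultdict(list)
    for pid, start, end in grouped:
        by_pid[pid].append((start, end))
    pairs = []
    for pid, regions in by_pid.items():
        regions.sort()
        for (s1, e1), (s2, e2) in zip(regions, regions[1:]):
            if s2 < e1:
                pairs.append((pid, (s1, e1), (s2, e2)))
    return pairs
```

Calling `dedupe_by_hash(DROPPED)` yields four distinct hashes for seven drop events, with the `b5199d...` record listing both `DllCommonsvc.exe` and `dllhost.exe`; `group_regions(MEMORY)` collapses the PID 4248 dumps to one 1.6MB region, and `overlapping_regions` reports that the PID 1316 dumps at 0xDE0000-0xDF2000 and 0xDF0000-0xDFC000 share 0x2000 bytes, something the flat list above does not make visible.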