Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-1703_x64
  • resource
    win10-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    01/11/2022, 11:44

General

  • Target

    ec5d8d161c944c4ff60d09baa4ad9f1bec43103a026329d3ec415988ee87044f.exe

  • Size

    1.3MB

  • MD5

    00f072b7583feca960966f047ba7739c

  • SHA1

    a8e568a2684fc83dfd03c488f373e8e366db17d0

  • SHA256

    ec5d8d161c944c4ff60d09baa4ad9f1bec43103a026329d3ec415988ee87044f

  • SHA512

    7fcd53ae8af8a923ec0bf0cc3d88b8c06c4ee0dd872b26ecfee8d916ee0e0101f6e1163847e34c15b2face2fc19c84007e9b74a5f7497965c32e3338039163e0

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal (DC) is a .NET RAT active since June 2019 that is capable of loading additional plugins.

  • Process spawned unexpected child process 42 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 14 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 11 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Program Files directory 12 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies registry class 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ec5d8d161c944c4ff60d09baa4ad9f1bec43103a026329d3ec415988ee87044f.exe
    "C:\Users\Admin\AppData\Local\Temp\ec5d8d161c944c4ff60d09baa4ad9f1bec43103a026329d3ec415988ee87044f.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2652
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1980
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4556
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3152
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2236
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\sppsvc.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2172
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\fontdrvhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2776
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\My Videos\System.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2608
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\HomeGroup\sihost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2356
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2132
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\1.3.36.71\Idle.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3800
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:816
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchUI.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4948
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4264
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\System.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:972
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\sihost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1848
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\ShellExperienceHost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4836
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\RuntimeBroker.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2832
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2200
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PWgslm4zbP.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4416
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:212
              • C:\providercommon\spoolsv.exe
                "C:\providercommon\spoolsv.exe"
                6⤵
                • Executes dropped EXE
                • Modifies registry class
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1808
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VhvmsyECnd.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:5128
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:5232
                    • C:\providercommon\spoolsv.exe
                      "C:\providercommon\spoolsv.exe"
                      8⤵
                      • Executes dropped EXE
                      • Modifies registry class
                      • Suspicious use of WriteProcessMemory
                      PID:5408
                      • C:\Windows\System32\cmd.exe
                        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\be8zRZs4e0.bat"
                        9⤵
                        • Suspicious use of WriteProcessMemory
                        PID:5516
                        • C:\Windows\system32\w32tm.exe
                          w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                          10⤵
                            PID:5572
                          • C:\providercommon\spoolsv.exe
                            "C:\providercommon\spoolsv.exe"
                            10⤵
                            • Executes dropped EXE
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:5596
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat"
                              11⤵
                              • Suspicious use of WriteProcessMemory
                              PID:5696
                              • C:\Windows\system32\w32tm.exe
                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                12⤵
                                  PID:5752
                                • C:\providercommon\spoolsv.exe
                                  "C:\providercommon\spoolsv.exe"
                                  12⤵
                                  • Executes dropped EXE
                                  • Modifies registry class
                                  • Suspicious use of WriteProcessMemory
                                  PID:5772
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat"
                                    13⤵
                                      PID:5868
                                      • C:\Windows\system32\w32tm.exe
                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                        14⤵
                                          PID:5924
                                        • C:\providercommon\spoolsv.exe
                                          "C:\providercommon\spoolsv.exe"
                                          14⤵
                                          • Executes dropped EXE
                                          • Modifies registry class
                                          PID:5944
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat"
                                            15⤵
                                              PID:6044
                                              • C:\Windows\system32\w32tm.exe
                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                16⤵
                                                  PID:6100
                                                • C:\providercommon\spoolsv.exe
                                                  "C:\providercommon\spoolsv.exe"
                                                  16⤵
                                                  • Executes dropped EXE
                                                  • Modifies registry class
                                                  PID:6124
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat"
                                                    17⤵
                                                      PID:5140
                                                      • C:\Windows\system32\w32tm.exe
                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                        18⤵
                                                          PID:5264
                                                        • C:\providercommon\spoolsv.exe
                                                          "C:\providercommon\spoolsv.exe"
                                                          18⤵
                                                          • Executes dropped EXE
                                                          • Modifies registry class
                                                          PID:4332
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IrGY9odMle.bat"
                                                            19⤵
                                                              PID:4924
                                                              • C:\Windows\system32\w32tm.exe
                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                20⤵
                                                                  PID:4256
                                                                • C:\providercommon\spoolsv.exe
                                                                  "C:\providercommon\spoolsv.exe"
                                                                  20⤵
                                                                  • Executes dropped EXE
                                                                  • Modifies registry class
                                                                  PID:1884
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat"
                                                                    21⤵
                                                                      PID:2832
                                                                      • C:\Windows\system32\w32tm.exe
                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                        22⤵
                                                                          PID:5308
                                                                        • C:\providercommon\spoolsv.exe
                                                                          "C:\providercommon\spoolsv.exe"
                                                                          22⤵
                                                                          • Executes dropped EXE
                                                                          • Modifies registry class
                                                                          PID:4460
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3EiKDvRnKw.bat"
                                                                            23⤵
                                                                              PID:5332
                                                                              • C:\Windows\system32\w32tm.exe
                                                                                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                24⤵
                                                                                  PID:4808
                                                                                • C:\providercommon\spoolsv.exe
                                                                                  "C:\providercommon\spoolsv.exe"
                                                                                  24⤵
                                                                                  • Executes dropped EXE
                                                                                  • Modifies registry class
                                                                                  PID:4956
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zGIMjSYhT8.bat"
                                                                                    25⤵
                                                                                      PID:1528
                                                                                      • C:\Windows\system32\w32tm.exe
                                                                                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                                        26⤵
                                                                                          PID:3684
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:5028
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:4440
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:4424
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\RuntimeBroker.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2780
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\RuntimeBroker.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:4432
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\RuntimeBroker.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:2736
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\providercommon\ShellExperienceHost.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:4452
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\providercommon\ShellExperienceHost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:4760
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\providercommon\ShellExperienceHost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:4468
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:4844
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:4684
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:4688
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\providercommon\fontdrvhost.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:4620
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:3768
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:4884
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\fontdrvhost.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:4868
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\fontdrvhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:1892
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\fontdrvhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:4856
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Documents\My Videos\System.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:3828
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Videos\System.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:460
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Documents\My Videos\System.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:4708
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Windows\Logs\HomeGroup\sihost.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:3172
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Logs\HomeGroup\sihost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:1640
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\HomeGroup\sihost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:1920
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.71\Idle.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:672
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\1.3.36.71\Idle.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:536
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.71\Idle.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:448
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:620
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:1680
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:1204
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchUI.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:1180
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchUI.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:1648
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchUI.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:1536
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\providercommon\spoolsv.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:1076
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:920
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:1368
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\System.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:4796
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\System.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:4908
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\System.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:32
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Templates\sihost.exe'" /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:328
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\All Users\Templates\sihost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:224
                                      • C:\Windows\system32\schtasks.exe
                                        schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Templates\sihost.exe'" /rl HIGHEST /f
                                        1⤵
                                        • Process spawned unexpected child process
                                        • Creates scheduled task(s)
                                        PID:208

                                      Network

                                            MITRE ATT&CK Enterprise v6

                                            Downloads

                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                              Filesize

                                              3KB

                                              MD5

                                              ad5cd538ca58cb28ede39c108acb5785

                                              SHA1

                                              1ae910026f3dbe90ed025e9e96ead2b5399be877

                                              SHA256

                                              c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

                                              SHA512

                                              c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

                                              Filesize

                                              1KB

                                              MD5

                                              d63ff49d7c92016feb39812e4db10419

                                              SHA1

                                              2307d5e35ca9864ffefc93acf8573ea995ba189b

                                              SHA256

                                              375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

                                              SHA512

                                              00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              794bca7499c793c4f621ad8df8fd78de

                                              SHA1

                                              191a45fd0dd64e2e8225e80769943cfde11a4a77

                                              SHA256

                                              3ccbafd8c55bbb52938a7422c6720a28102e69cabfbf3a9e3be125f53c3f60e1

                                              SHA512

                                              fa82cc4a4e8acf6897b977dc59860dd04a939423a5787afabeb6ed797227fb22f229499f6e1fd46e9a1dc8cf9a5ac59d22713796c7b898fdd192da3b21e7ad1c

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              1a7edda8e497deac257bc67f5912be8b

                                              SHA1

                                              af575ca7a97a8d280561477785692b406b7bf5ea

                                              SHA256

                                              cce496f7be83e77e6f56c2861348b6b4e1cd5029fc39314c3b4632bf84d2b956

                                              SHA512

                                              c543c362e700d12cc9c7d6223e8e168a5470d703f04ba003d44d64971e1f098e924b8c09fb6c9563f68f9890f3efa379ed2999dbc86f7861af38dee6ad3efc29

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              5529b0c4372c5381248b8fe5f3c6fa0a

                                              SHA1

                                              e4ba3c3974d6938480a9fbba3a9574ce6e42da77

                                              SHA256

                                              b9412dd833a169328cae96c561d5aa6574426f87a01d9140c190d8c7697fd5b9

                                              SHA512

                                              6be25d3f9ad71faaf0987271d739404362fc4043d3b5868cce93e3356bb334f2208c84d9eb814866df485d40d177082098824d6c253dab78acd9e98fdcd15caf

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              055d8ebf26a8add9fb0d763baaf6167e

                                              SHA1

                                              c5ce65b3b394ecf55bc06e2ce5dd86feadc12da5

                                              SHA256

                                              465a94b416e55880769e44c4938aefe1b24e9b11609ba9078dc8580490ff1aca

                                              SHA512

                                              2485e6ab897c2620c1905f6892ca0485db02c58a69cd4453e1f947d0c070005f863edb6b3a9ef3ba0146972e37af8bbc3a9b41387429df034821ee8c9b4566f4

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              478e53f46a69a899ea092e5f6462c4e4

                                              SHA1

                                              c543c3afd4eb8dc4d6aa0431e774adeef7c2b297

                                              SHA256

                                              9ddef2286a1017fdbe22f3086d4049c71d7efceb23c3dd3a36b1ce3ac7c78319

                                              SHA512

                                              f858b002fb1923698a2eaf923941e98110c434a00a37ae29f6070fa39cdc1b63c9f28b94a1721da4f8774bfd7d4dcbb31019e68321caddac6a7b77fc54958ddc

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              30c35bdc02a952bfb7f292426ff762e0

                                              SHA1

                                              aa03b4f58529f4edfc0e59b927ee783396a1cdbf

                                              SHA256

                                              60ded1ff1559ec1cb94bdcff7638e23d9b91775eb04e86d79b171cd06c407dc7

                                              SHA512

                                              860cce050428f172c0931b91138d99d44f8c980d5b730e09fe529b9ce5868ac6299315d697b026517629ba563b4a90a0b418a1a5b4a1072771d7f61402dbbb4d

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              911B

                                              MD5

                                              9af189021b6c1fd7fb611a18bd968f46

                                              SHA1

                                              90218c5aa530c2cd88b87fc39469826b9da83fe1

                                              SHA256

                                              6c5daaf568c6b52d1a6f8072a748828c27ca7c738843fd7251022f29be68b902

                                              SHA512

                                              f25392cee1f2c3780104c801525aa4980074a1cdcecea365911a812f9247ea01fc4465268acc383c936c14e8b4f72182715c0677aeac70e8e226727d187f259b

                                            • C:\Users\Admin\AppData\Local\Temp\3EiKDvRnKw.bat

                                              Filesize

                                              194B

                                              MD5

                                              c6b53e81cd21621deb98acbcbb2e21ce

                                              SHA1

                                              72cc01701237745c5b3298e063c2083b214a3a09

                                              SHA256

                                              424c4da5e8e3371470d3493f662424bb722cca6fbe6d659e58665cd25c63d6f9

                                              SHA512

                                              e8f61e983cc822d67b4c3ac09db5a2bc9d36ca6ae3fe2630592599731ed9888bafe8511346b70de913747dc30e058990be7bcf9493983f184da1d6be1684920a

                                            • C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat

                                              Filesize

                                              194B

                                              MD5

                                              1858f84b7b73cfc217a383938d8a8150

                                              SHA1

                                              f2d4f39c94b0536ce58c66de2907c4907d5bb56f

                                              SHA256

                                              605c285c4597920bdd8034383c15a5353364d6d196af343a454636d8f5963bdd

                                              SHA512

                                              ab56ec1da589d522aa81592cbf78095f4eacdf4f327e7ed32af16595ab399680f08e604f59c4f6d2c43049e5dd7bef9184e443f8ab79b34c0437e268283218e7

                                            • C:\Users\Admin\AppData\Local\Temp\IrGY9odMle.bat

                                              Filesize

                                              194B

                                              MD5

                                              7dd00e66241426450b56f1f115ceb80e

                                              SHA1

                                              98639aed96f54eac569e89a9c6f6286d9a18d4d6

                                              SHA256

                                              60605d1ab886e82cc1c7705da9d448cca3f4acb08370f6d38d061c28015716be

                                              SHA512

                                              0de20b247eeffc29c61f2ec8fb1184276c6f5d0863bfdf77be6c689447cf81873f15388b5d45077b455d2c15829b51c2800035c695337e064c39eea90eef7895

                                            • C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat

                                              Filesize

                                              194B

                                              MD5

                                              88a7ce9cd7b544d05a86f94cba9a27b5

                                              SHA1

                                              9cdfc5303b2a7fb2101c7f37519f8258bc0772aa

                                              SHA256

                                              16759d19c55967e95a37d2b0bc5c78ec841a61c6b011d76587ba57897d89420b

                                              SHA512

                                              a372fe26342b481c25aa3de7d0901b79a5839ae6a9a82e99d268d2d53ca7c25512f07ca7caba6817f99e2691b757f623d313e2b1f1c2d95b7c8322acfbf17740

                                            • C:\Users\Admin\AppData\Local\Temp\PWgslm4zbP.bat

                                              Filesize

                                              194B

                                              MD5

                                              974f032b9d4985b67e238195836760e7

                                              SHA1

                                              073aca2817e08e9c304ffeb5b524444c7eb59ea3

                                              SHA256

                                              26cac475cdc07dbc12d05abcae35165229395fdee157ef0d871b270d0e2844f4

                                              SHA512

                                              8d84cc61e33d4fdc7e7a4c697ea2347e5f93c22ff4bf6d3ff22cbfea4cc5e6d1ab091cf4249cc805074d3c2fcd269887cd47d7844cde5e7e7fdd32aae49d669e

                                            • C:\Users\Admin\AppData\Local\Temp\VhvmsyECnd.bat

                                              Filesize

                                              194B

                                              MD5

                                              9a559e7e3fd0255348066cf199bfaa33

                                              SHA1

                                              55d131797dc7e954565c003c96b3f4a75f68ca7c

                                              SHA256

                                              79fb6f577c6b26c855324e950aa519ebf202546c7c16c210732f026477fb6d39

                                              SHA512

                                              dc7f4c160c24424fe1333663b31d9c2044dd8894fb1306c70748703059e538c2f159cab88f559e8f434ee3f2c64dfa0a29bfdd87a9917a5b86142b7bb9ee7858

                                            • C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat

                                              Filesize

                                              194B

                                              MD5

                                              abcc3e6cd11705b1229d042deff0f307

                                              SHA1

                                              9e6470168afd91974bf7ce07f2c56db0391cfb01

                                              SHA256

                                              cc2e5af570af0a30d48afaf1155f33c07c7491e694fc14bfd5d52137ac29e339

                                              SHA512

                                              96f6411a260f79a31bb2218345801d1890a32ef6d5d485b32ac995791e7b79ddacb2b4aebbfaae7e37fbffa44543be588ff30b311e3e325b159428a23d0c9995

                                            • C:\Users\Admin\AppData\Local\Temp\be8zRZs4e0.bat

                                              Filesize

                                              194B

                                              MD5

                                              a498e97d8b84c0d44a3b50ca3119ffd3

                                              SHA1

                                              aac60788bcb3c383c901c0ab4230fa1dba29ff08

                                              SHA256

                                              2ec5126271d8505e5bbf20e60c560b07443fec630ce5456cdba331382fa4badd

                                              SHA512

                                              b7e5bf0ca5e2fb2601e35f1c7b90dfb78cb16ffb537e4e8d5fc335cd7d1f548988ddee69beb547aa2e338355bf9c2f5be7614b1e289effea08d03f2ca6009736

                                            • C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat

                                              Filesize

                                              194B

                                              MD5

                                              2d8f36700eed18cb19b066e809dc5e21

                                              SHA1

                                              6dacd20c8575597da12d3e0b4415a2c286c17384

  SHA256: 9c4ccc086bd6a026697a748d7016e04ffa27e03d4012072da7d9ae417ff91b29
  SHA512: a85ae8df30a374232279eb355cd4aeb8437db8b2887b6a51c692ad1f905ed846095c2146eb046c325c7cb23de24733bcc1bd996b4344e7eede30fc7b275c19e5

• C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat
  Filesize: 194B
  MD5: c69e1cb69599953c63b0855d2975ae88
  SHA1: d13695216683f0db9be9b7284083f083fc0641d0
  SHA256: 6f9bd18d43d08998d864fd62b2ee3b28810e6247fd089ee3cfa4bc0e9eefa1ab
  SHA512: 9e59973f752014c4350c9a9bfbf6b919199390dc67dfa46012a05554af1a55f2e25e226f6926fcf6c6412cb6855e3a03b438598525f52b50c61cc4da3806e294

• C:\Users\Admin\AppData\Local\Temp\zGIMjSYhT8.bat
  Filesize: 194B
  MD5: 6cdd9f3084064e977cf457d9c97cac40
  SHA1: 403b28699e84605a3491b212bf0b345af9ee4952
  SHA256: 1b1f4d1f551db1e69dfe6eedc81f0a542f4efd7eb86958b18beec0c65b4c0867
  SHA512: 99e4d63e74f8a7738ea998ab52194be0e2bab62d36e05153e33e29844dbf23c61d5d404bebf8d10816caff1200b3a429f4ab66919d852e2f6a2b165b24a56f9b

• C:\providercommon\1zu9dW.bat
  Filesize: 36B
  MD5: 6783c3ee07c7d151ceac57f1f9c8bed7
  SHA1: 17468f98f95bf504cc1f83c49e49a78526b3ea03
  SHA256: 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
  SHA512: c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

• C:\providercommon\DllCommonsvc.exe
  Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

• C:\providercommon\spoolsv.exe
  Filesize: 1.0MB
  MD5: bd31e94b4143c4ce49c17d3af46bcad0
  SHA1: f8c51ff3ff909531d9469d4ba1bbabae101853ff
  SHA256: b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
  SHA512: f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

• C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
  Filesize: 197B
  MD5: 8088241160261560a02c84025d107592
  SHA1: 083121f7027557570994c9fc211df61730455bb5
  SHA256: 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
  SHA512: 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

• memory/1808-639-0x00000000028A0000-0x00000000028B2000-memory.dmp
  Filesize: 72KB

• memory/1980-186-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/1980-185-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2132-401-0x0000019AB0070000-0x0000019AB00E6000-memory.dmp
  Filesize: 472KB

• memory/2652-163-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-150-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-182-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-181-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-180-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-179-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-178-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-121-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-177-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-122-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-176-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-123-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-125-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-126-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-128-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-129-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-175-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-130-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-131-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-174-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-132-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-173-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-172-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-171-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-170-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-133-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-169-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-168-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-135-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-136-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-167-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-134-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-137-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-166-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-165-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-164-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-120-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-162-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-161-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-160-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-138-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-159-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-139-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-158-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-157-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-156-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-155-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-154-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-153-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-152-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-151-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-183-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-149-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-148-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-147-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-146-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-145-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-144-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-140-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-143-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-142-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2652-141-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
  Filesize: 1.6MB

• memory/2832-381-0x000001CE520C0000-0x000001CE520E2000-memory.dmp
  Filesize: 136KB

• memory/3152-289-0x00000000023D0000-0x00000000023DC000-memory.dmp
  Filesize: 48KB

• memory/3152-287-0x00000000008D0000-0x00000000008E2000-memory.dmp
  Filesize: 72KB

• memory/3152-290-0x0000000002540000-0x000000000254C000-memory.dmp
  Filesize: 48KB

• memory/3152-286-0x00000000001B0000-0x00000000002C0000-memory.dmp
  Filesize: 1.1MB

• memory/3152-288-0x0000000002560000-0x000000000256C000-memory.dmp
  Filesize: 48KB