Overview

overview

10

Static

static

10

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    147s
  • platform
    windows10-1703_x64
  • resource
    win10-20220901-en
  • resource tags

    arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
  • submitted
    03/11/2022, 05:43

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    60fdb38fec27f8a769cda8949294783d1559031cdecb230676bb6db228a472dc.exe

  • Size

    1.3MB

  • MD5

    12603d7fb1338ca0f68ae74f4d4d9f6b

  • SHA1

    63200a37da667f44ad85e3136fb38a78cd4a8f83

  • SHA256

    60fdb38fec27f8a769cda8949294783d1559031cdecb230676bb6db228a472dc

  • SHA512

    276c82682e7aee9f1f66fd4c58b765d9ae4f1b7fbc249e3457ab8f3c71db4ade618d8b222cab90f94f15750890caa92b702fe0bf2a07ad07b809696904d21797

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 22 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 18 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\60fdb38fec27f8a769cda8949294783d1559031cdecb230676bb6db228a472dc.exe
    "C:\Users\Admin\AppData\Local\Temp\60fdb38fec27f8a769cda8949294783d1559031cdecb230676bb6db228a472dc.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1916
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2444
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3028
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3288
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhostw.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:200
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4984
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dwm.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1516
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1192
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\smss.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2068
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\sihost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2840
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2276
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\OfficeClickToRun.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:196
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\smss.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1840
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3828
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3480
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Services\spoolsv.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4816
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2688
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PX4As6TRPF.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3524
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:1732
              • C:\providercommon\DllCommonsvc.exe
                "C:\providercommon\DllCommonsvc.exe"
                6⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:4812
                • C:\providercommon\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
                  7⤵
                  • Executes dropped EXE
                  PID:384
                • C:\providercommon\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\powershell.exe'
                  7⤵
                  • Executes dropped EXE
                  PID:1348
                • C:\providercommon\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\powershell.exe'
                  7⤵
                  • Executes dropped EXE
                  PID:4308
                • C:\providercommon\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\conhost.exe'
                  7⤵
                  • Executes dropped EXE
                  PID:2256
                • C:\providercommon\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SKB\LanguageModels\winlogon.exe'
                  7⤵
                  • Executes dropped EXE
                  PID:4572
                • C:\providercommon\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Provisioning\Packages\powershell.exe'
                  7⤵
                  • Executes dropped EXE
                  PID:3840
                • C:\providercommon\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\powershell.exe'
                  7⤵
                  • Executes dropped EXE
                  PID:4380
                • C:\providercommon\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\sppsvc.exe'
                  7⤵
                  • Executes dropped EXE
                  PID:4928
                • C:\providercommon\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\powershell.exe'
                  7⤵
                  • Executes dropped EXE
                  PID:4124
                • C:\providercommon\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\en-US\smss.exe'
                  7⤵
                  • Executes dropped EXE
                  PID:3052
                • C:\providercommon\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\WmiPrvSE.exe'
                  7⤵
                  • Executes dropped EXE
                  PID:1620
                • C:\providercommon\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\fontdrvhost.exe'
                  7⤵
                  • Executes dropped EXE
                  PID:4736
                • C:\providercommon\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Reports\conhost.exe'
                  7⤵
                  • Executes dropped EXE
                  PID:1948
                • C:\providercommon\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
                  7⤵
                  • Executes dropped EXE
                  PID:4416
                • C:\providercommon\powershell.exe
                  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\powershell.exe'
                  7⤵
                  • Executes dropped EXE
                  PID:1448
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G58brWjr2x.bat"
                  7⤵
                    PID:3824
                    • C:\Windows\system32\w32tm.exe
                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                      8⤵
                        PID:3580
                      • C:\Program Files\7-Zip\Lang\powershell.exe
                        "C:\Program Files\7-Zip\Lang\powershell.exe"
                        8⤵
                        • Executes dropped EXE
                        PID:2248
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\providercommon\taskhostw.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4104
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4568
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4476
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\odt\OfficeClickToRun.exe'" /f
          1⤵
          • Process spawned unexpected child process
          PID:3780
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          PID:4748
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4760
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
          1⤵
          • Process spawned unexpected child process
          PID:4424
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4708
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4444
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dwm.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4788
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          PID:4636
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4648
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\odt\dwm.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4684
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4380
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1924
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3848
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:368
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          PID:4416
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\smss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4392
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4404
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3932
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Users\Default\sihost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4780
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default\sihost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1468
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\Default\sihost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4400
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\smss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:388
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4848
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4832
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          PID:4840
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4812
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1172
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1168
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1732
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1484
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Services\spoolsv.exe'" /f
          1⤵
          • Process spawned unexpected child process
          PID:1048
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          PID:1056
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Services\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          PID:512
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          PID:1736
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          PID:528
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1180
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\powershell.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4784
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\powershell.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          PID:4028
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\powershell.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:512
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Windows\fr-FR\powershell.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3920
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\fr-FR\powershell.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4788
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Windows\fr-FR\powershell.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2192
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\providercommon\fontdrvhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:532
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1916
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4832
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\PLA\Reports\conhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4732
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\PLA\Reports\conhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4388
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\PLA\Reports\conhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          PID:4640
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\fontdrvhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4348
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:788
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\fontdrvhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4976
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\WmiPrvSE.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4824
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Videos\WmiPrvSE.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          PID:4480
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Videos\WmiPrvSE.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2076
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4920
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1272
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2328
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\odt\conhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4980
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4784
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1320
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\en-US\smss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4788
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\smss.exe'" /rl HIGHEST /f
          1⤵
          • Creates scheduled task(s)
          PID:2192
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\en-US\smss.exe'" /rl HIGHEST /f
          1⤵
            PID:3184
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\SKB\LanguageModels\winlogon.exe'" /f
            1⤵
            • Creates scheduled task(s)
            PID:1916
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\winlogon.exe'" /rl HIGHEST /f
            1⤵
            • Creates scheduled task(s)
            PID:4832
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\SKB\LanguageModels\winlogon.exe'" /rl HIGHEST /f
            1⤵
            • Creates scheduled task(s)
            PID:4732
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\providercommon\powershell.exe'" /f
            1⤵
            • Creates scheduled task(s)
            PID:4388
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\providercommon\powershell.exe'" /rl HIGHEST /f
            1⤵
            • Creates scheduled task(s)
            PID:4640
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\odt\sppsvc.exe'" /f
            1⤵
            • Creates scheduled task(s)
            PID:2192
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\providercommon\powershell.exe'" /rl HIGHEST /f
            1⤵
            • Creates scheduled task(s)
            PID:3980
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
            1⤵
            • Creates scheduled task(s)
            PID:1916
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
            1⤵
            • Creates scheduled task(s)
            PID:4732
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\powershell.exe'" /f
            1⤵
            • Creates scheduled task(s)
            PID:1700
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\powershell.exe'" /rl HIGHEST /f
            1⤵
            • Creates scheduled task(s)
            PID:1600
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\powershell.exe'" /rl HIGHEST /f
            1⤵
              PID:760
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Windows\Provisioning\Packages\powershell.exe'" /f
              1⤵
                PID:3344
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\Provisioning\Packages\powershell.exe'" /rl HIGHEST /f
                1⤵
                • Creates scheduled task(s)
                PID:4936
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Windows\Provisioning\Packages\powershell.exe'" /rl HIGHEST /f
                1⤵
                • Creates scheduled task(s)
                PID:1180

              Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Program Files\7-Zip\Lang\powershell.exe
                      Filesize

                      1.0MB

                      MD5

                      bd31e94b4143c4ce49c17d3af46bcad0

                      SHA1

                      f8c51ff3ff909531d9469d4ba1bbabae101853ff

                      SHA256

                      b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                      SHA512

                      f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                      Download Submit

                    • C:\Program Files\7-Zip\Lang\powershell.exe
                      Filesize

                      1.0MB

                      MD5

                      bd31e94b4143c4ce49c17d3af46bcad0

                      SHA1

                      f8c51ff3ff909531d9469d4ba1bbabae101853ff

                      SHA256

                      b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                      SHA512

                      f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log
                      Filesize

                      1KB

                      MD5

                      b4268d8ae66fdd920476b97a1776bf85

                      SHA1

                      f920de54f7467f0970eccc053d3c6c8dd181d49a

                      SHA256

                      61d17affcc8d91ecb1858e710c455186f9d0ccfc4d8ae17a1145d87bc7317879

                      SHA512

                      03b6b90641837f9efb6065698602220d6c5ad263d51d7b7714747c2a3c3c618bd3d94add206b034d6fa2b8e43cbd1ac4a1741cfa1c2b1c1fc8589ae0b0c89516

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                      Filesize

                      3KB

                      MD5

                      ad5cd538ca58cb28ede39c108acb5785

                      SHA1

                      1ae910026f3dbe90ed025e9e96ead2b5399be877

                      SHA256

                      c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

                      SHA512

                      c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      1KB

                      MD5

                      9aefa22dfba5a7c309ebb8f763719210

                      SHA1

                      8ea34443089b782f672e34455a8f3efd0b5aaa43

                      SHA256

                      eac2b20c59d77b6d7efac0321198e6a62d6ecc61688540a2221a9c92586d7fc1

                      SHA512

                      289aada75790823470251bd1b8edfcf2d367147197db41d962fcdfc82002dfea6e7323816383cff28d6e44203e05a334fa1cd9ea2c5853446ba33d9357216c60

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      1KB

                      MD5

                      aa5edf81798112655a2f0bd22dce6882

                      SHA1

                      2fb1b3f2eb08d23b2a9e0edeca93c46cf9500269

                      SHA256

                      828b7893b1085bcca72911fe1909715d003f9670ac6adaf51a52ddd11a2ba2ab

                      SHA512

                      c0a0114fbf92e4f992239fde8b6bf437a2308ac18736780e792f7c75914aac953bb971c209f63d907a1e9fde67e8dfb9ba94aae45cc2651853316efc7ff777d9

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      1KB

                      MD5

                      aa5edf81798112655a2f0bd22dce6882

                      SHA1

                      2fb1b3f2eb08d23b2a9e0edeca93c46cf9500269

                      SHA256

                      828b7893b1085bcca72911fe1909715d003f9670ac6adaf51a52ddd11a2ba2ab

                      SHA512

                      c0a0114fbf92e4f992239fde8b6bf437a2308ac18736780e792f7c75914aac953bb971c209f63d907a1e9fde67e8dfb9ba94aae45cc2651853316efc7ff777d9

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      1KB

                      MD5

                      407b61ec11a020ec7accd0dbdda6ea61

                      SHA1

                      f1a237280f123abac60e4ee503fd07e6f9bed711

                      SHA256

                      6de2fbcdc254cf8aae24466cccf88c6fb0f972b38f53cd79398669123a808846

                      SHA512

                      b6c61975dcbd75a004a01aaea18ce493bdbd1fd4feae78c988bcb5eb48b9b7ca9d7b80af9d8098efb4c73aee28e07fbf0ae336ba8ebd3aab947d627cd607b02b

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      1KB

                      MD5

                      3003b692276a462246bd778c3b774f04

                      SHA1

                      736cff1463ee6c791c5d378d865324347f3af631

                      SHA256

                      b620fa994e4b9dc827d6a7a5559d7e74a509114f063c00d44afcf89c56a13e19

                      SHA512

                      299bb720debefe3b6633e8b3b51e4b9fe3b370644aba80d108a0d3903232742129dc77ed5c409f9c5ff687770e4d9728f240b3a873549f838d186fc984ae1baf

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      1KB

                      MD5

                      3003b692276a462246bd778c3b774f04

                      SHA1

                      736cff1463ee6c791c5d378d865324347f3af631

                      SHA256

                      b620fa994e4b9dc827d6a7a5559d7e74a509114f063c00d44afcf89c56a13e19

                      SHA512

                      299bb720debefe3b6633e8b3b51e4b9fe3b370644aba80d108a0d3903232742129dc77ed5c409f9c5ff687770e4d9728f240b3a873549f838d186fc984ae1baf

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      1KB

                      MD5

                      b39618172470f02c971f2ab95782b7ed

                      SHA1

                      0f9ce4328425bea8deb233dc954f98ee6978491c

                      SHA256

                      612bf57afa9daa2c1ddd40252a0b2a05429a5dde3337c0afb98ab86a22f21652

                      SHA512

                      bada29830ed618e63760da7d240353969a347de86b3c6bc323066fc10d3889aba0101e5ce4219d073e086f6c811c7f94f253bd7e369f3db8bc6ed84bd9efb1e3

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      1KB

                      MD5

                      b39618172470f02c971f2ab95782b7ed

                      SHA1

                      0f9ce4328425bea8deb233dc954f98ee6978491c

                      SHA256

                      612bf57afa9daa2c1ddd40252a0b2a05429a5dde3337c0afb98ab86a22f21652

                      SHA512

                      bada29830ed618e63760da7d240353969a347de86b3c6bc323066fc10d3889aba0101e5ce4219d073e086f6c811c7f94f253bd7e369f3db8bc6ed84bd9efb1e3

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      1KB

                      MD5

                      79aedca9c23b38f4b2020b5fdb11f66a

                      SHA1

                      1333745b3937b01f0076350af3213f0cbf86db3e

                      SHA256

                      54b9dd62f3b6bdb48df16ff2b3299553785d73a9c84140d8f83a91a42bf6d23a

                      SHA512

                      caab260b752b367f7702838be450abfb0c7ece36110c981cb1c312d79b539033034d1dd93407c16f1facfa1ebf46a792516cc9981ff5fefd44a3e1733571684a

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      1KB

                      MD5

                      28dd982e2c8e54431499e84d14051893

                      SHA1

                      9fb3fbeeb368302b60c9ce1a725bbc203de9a0fb

                      SHA256

                      b35c6c1d445166a51fdaad028ec3f2d4297c0841d603db7d4e25be0769967f34

                      SHA512

                      9425fb15adac97b47795b14c7fed324c5053ca8eba807ab2fed3de190c2fc19066698b6c88fe429dcc1c2b2d63fcf50a13960aeb91816af062e4475a38d9aefb

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      1KB

                      MD5

                      4f50301f5070d2894525e5f1f23789eb

                      SHA1

                      61bb2c6286ddaec491a86c8d541e11c806b56780

                      SHA256

                      a25628f50c0b794d778bac6d85b6e6734a9d65e396339d0d8d9373c872f1e8b9

                      SHA512

                      1e47c21403c74c0b9edd1b046ca669389b1bafd3b5100fb88775c634a98638d4bfcce368a5c416b0c5411035789067c328bc41477d8e6cba693afe90c24613c8

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      1KB

                      MD5

                      4f50301f5070d2894525e5f1f23789eb

                      SHA1

                      61bb2c6286ddaec491a86c8d541e11c806b56780

                      SHA256

                      a25628f50c0b794d778bac6d85b6e6734a9d65e396339d0d8d9373c872f1e8b9

                      SHA512

                      1e47c21403c74c0b9edd1b046ca669389b1bafd3b5100fb88775c634a98638d4bfcce368a5c416b0c5411035789067c328bc41477d8e6cba693afe90c24613c8

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      1KB

                      MD5

                      4f8edc002df005b2207559ccedb9633e

                      SHA1

                      31cd9c0c87c0f85e8ca5d39b7d8fc18d175aadc7

                      SHA256

                      a08bf81336538586165188f7a6bb185d068cd146c7be23e71f5b5ed704e52bbd

                      SHA512

                      675bfcc4d1f138b9d5c94fe7ef352d374a711f9978492fc3ecdad24651d95f5f845dd06b47b189ff01d3e2433968289d77b74245dbf36c7716f66ed4a3a386ee

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\G58brWjr2x.bat
                      Filesize

                      207B

                      MD5

                      9f14d8daf95f9213d9cc6b91ebd9f940

                      SHA1

                      ef121cf240249eea2090072e906828e6ab09e9dc

                      SHA256

                      d4cd43e6e08a3ea817f0d907ae1fc55f710d9bb6c03999d7c989cf019f2fe505

                      SHA512

                      7809ab9c1e963a80dbdd6b1d721c453d000008831aff6a1541c15c23b0c11930b513c6b143a398a4c82dabd6e37715f0a3fe0a262c2f4d74cd1a9fefacf9b526

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\PX4As6TRPF.bat
                      Filesize

                      199B

                      MD5

                      a8731c171f69936600360e70b8e87173

                      SHA1

                      4d7ee0b6077b71e0a9f4bb8579d79f10f5883367

                      SHA256

                      41ba77f5a3d86af2874c2b7add1579fdb71b6421fba2c8dd207767785cc228c0

                      SHA512

                      53c8883aac16c320d346091051436dcdc23e55d1684799f4ff3a981df3ad49a3d4517c0f65ee6df033c3cfdb66602066c311f511701bfb9dffee4276a1acc698

                      Download Submit

                    • C:\providercommon\1zu9dW.bat
                      Filesize

                      36B

                      MD5

                      6783c3ee07c7d151ceac57f1f9c8bed7

                      SHA1

                      17468f98f95bf504cc1f83c49e49a78526b3ea03

                      SHA256

                      8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

                      SHA512

                      c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

                      Download Submit

                    • C:\providercommon\DllCommonsvc.exe
                      Filesize

                      1.0MB

                      MD5

                      bd31e94b4143c4ce49c17d3af46bcad0

                      SHA1

                      f8c51ff3ff909531d9469d4ba1bbabae101853ff

                      SHA256

                      b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                      SHA512

                      f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                      Download Submit

                    • C:\providercommon\DllCommonsvc.exe
                      Filesize

                      1.0MB

                      MD5

                      bd31e94b4143c4ce49c17d3af46bcad0

                      SHA1

                      f8c51ff3ff909531d9469d4ba1bbabae101853ff

                      SHA256

                      b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                      SHA512

                      f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                      Download Submit

                    • C:\providercommon\DllCommonsvc.exe
                      Filesize

                      1.0MB

                      MD5

                      bd31e94b4143c4ce49c17d3af46bcad0

                      SHA1

                      f8c51ff3ff909531d9469d4ba1bbabae101853ff

                      SHA256

                      b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                      SHA512

                      f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                      Download Submit

                    • C:\providercommon\powershell.exe
                      Filesize

                      1.0MB

                      MD5

                      bd31e94b4143c4ce49c17d3af46bcad0

                      SHA1

                      f8c51ff3ff909531d9469d4ba1bbabae101853ff

                      SHA256

                      b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                      SHA512

                      f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                      Download Submit

                    • C:\providercommon\powershell.exe
                      Filesize

                      1.0MB

                      MD5

                      bd31e94b4143c4ce49c17d3af46bcad0

                      SHA1

                      f8c51ff3ff909531d9469d4ba1bbabae101853ff

                      SHA256

                      b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                      SHA512

                      f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                      Download Submit

                    • C:\providercommon\powershell.exe
                      Filesize

                      1.0MB

                      MD5

                      bd31e94b4143c4ce49c17d3af46bcad0

                      SHA1

                      f8c51ff3ff909531d9469d4ba1bbabae101853ff

                      SHA256

                      b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                      SHA512

                      f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                      Download Submit

                    • C:\providercommon\powershell.exe
                      Filesize

                      1.0MB

                      MD5

                      bd31e94b4143c4ce49c17d3af46bcad0

                      SHA1

                      f8c51ff3ff909531d9469d4ba1bbabae101853ff

                      SHA256

                      b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                      SHA512

                      f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                      Download Submit

                    • C:\providercommon\powershell.exe
                      Filesize

                      1.0MB

                      MD5

                      bd31e94b4143c4ce49c17d3af46bcad0

                      SHA1

                      f8c51ff3ff909531d9469d4ba1bbabae101853ff

                      SHA256

                      b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                      SHA512

                      f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                      Download Submit

                    • C:\providercommon\powershell.exe
                      Filesize

                      1.0MB

                      MD5

                      bd31e94b4143c4ce49c17d3af46bcad0

                      SHA1

                      f8c51ff3ff909531d9469d4ba1bbabae101853ff

                      SHA256

                      b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                      SHA512

                      f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                      Download Submit

                    • C:\providercommon\powershell.exe
                      Filesize

                      1.0MB

                      MD5

                      bd31e94b4143c4ce49c17d3af46bcad0

                      SHA1

                      f8c51ff3ff909531d9469d4ba1bbabae101853ff

                      SHA256

                      b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                      SHA512

                      f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                      Download Submit

                    • C:\providercommon\powershell.exe
                      Filesize

                      1.0MB

                      MD5

                      bd31e94b4143c4ce49c17d3af46bcad0

                      SHA1

                      f8c51ff3ff909531d9469d4ba1bbabae101853ff

                      SHA256

                      b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                      SHA512

                      f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                      Download Submit

                    • C:\providercommon\powershell.exe
                      Filesize

                      1.0MB

                      MD5

                      bd31e94b4143c4ce49c17d3af46bcad0

                      SHA1

                      f8c51ff3ff909531d9469d4ba1bbabae101853ff

                      SHA256

                      b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                      SHA512

                      f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                      Download Submit

                    • C:\providercommon\powershell.exe
                      Filesize

                      1.0MB

                      MD5

                      bd31e94b4143c4ce49c17d3af46bcad0

                      SHA1

                      f8c51ff3ff909531d9469d4ba1bbabae101853ff

                      SHA256

                      b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                      SHA512

                      f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                      Download Submit

                    • C:\providercommon\powershell.exe
                      Filesize

                      1.0MB

                      MD5

                      bd31e94b4143c4ce49c17d3af46bcad0

                      SHA1

                      f8c51ff3ff909531d9469d4ba1bbabae101853ff

                      SHA256

                      b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                      SHA512

                      f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                      Download Submit

                    • C:\providercommon\powershell.exe
                      Filesize

                      1.0MB

                      MD5

                      bd31e94b4143c4ce49c17d3af46bcad0

                      SHA1

                      f8c51ff3ff909531d9469d4ba1bbabae101853ff

                      SHA256

                      b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                      SHA512

                      f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                      Download Submit

                    • C:\providercommon\powershell.exe
                      Filesize

                      1.0MB

                      MD5

                      bd31e94b4143c4ce49c17d3af46bcad0

                      SHA1

                      f8c51ff3ff909531d9469d4ba1bbabae101853ff

                      SHA256

                      b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                      SHA512

                      f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                      Download Submit

                    • C:\providercommon\powershell.exe
                      Filesize

                      1.0MB

                      MD5

                      bd31e94b4143c4ce49c17d3af46bcad0

                      SHA1

                      f8c51ff3ff909531d9469d4ba1bbabae101853ff

                      SHA256

                      b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                      SHA512

                      f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                      Download Submit

                    • C:\providercommon\powershell.exe
                      Filesize

                      1.0MB

                      MD5

                      bd31e94b4143c4ce49c17d3af46bcad0

                      SHA1

                      f8c51ff3ff909531d9469d4ba1bbabae101853ff

                      SHA256

                      b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                      SHA512

                      f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                      Download Submit

                    • C:\providercommon\powershell.exe
                      Filesize

                      1.0MB

                      MD5

                      bd31e94b4143c4ce49c17d3af46bcad0

                      SHA1

                      f8c51ff3ff909531d9469d4ba1bbabae101853ff

                      SHA256

                      b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

                      SHA512

                      f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

                      Download Submit

                    • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
                      Filesize

                      197B

                      MD5

                      8088241160261560a02c84025d107592

                      SHA1

                      083121f7027557570994c9fc211df61730455bb5

                      SHA256

                      2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

                      SHA512

                      20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

                      Download Submit

                    • memory/1840-382-0x000002C174E20000-0x000002C174E96000-memory.dmp

                      Filesize

                      472KB

                      Download

                    • memory/1916-186-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/1916-185-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2276-362-0x000001A8F61E0000-0x000001A8F6202000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2692-159-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-155-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-182-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-181-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-180-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-179-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-121-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-178-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-177-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-122-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-123-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-125-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-126-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-128-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-129-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-176-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-175-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-174-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-130-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-172-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-173-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-171-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-131-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-170-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-132-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-133-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-134-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-169-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-135-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-168-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-167-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-166-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-165-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-136-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-164-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-163-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-162-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-161-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-160-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-120-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-158-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-157-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-156-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-183-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-154-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-153-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-152-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-151-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-150-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-149-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-148-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-147-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-146-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-137-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-145-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-144-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-143-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-142-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-141-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-140-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-138-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/2692-139-0x0000000077890000-0x0000000077A1E000-memory.dmp

                      Filesize

                      1.6MB

                      Download

                    • memory/3028-286-0x0000000000890000-0x00000000009A0000-memory.dmp

                      Filesize

                      1.1MB

                      Download

                    • memory/3028-287-0x00000000029C0000-0x00000000029D2000-memory.dmp

                      Filesize

                      72KB

                      Download

                    • memory/3028-288-0x00000000029D0000-0x00000000029DC000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/3028-289-0x0000000002B30000-0x0000000002B3C000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/3028-290-0x0000000002B40000-0x0000000002B4C000-memory.dmp

                      Filesize

                      48KB

                      Download