Overview

overview

10

Static

static

10

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    147s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    01/11/2022, 12:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0ab4751f38e1e0e97d82a393b9a9a7e97560d02aef519bb34d2a648e03a1f448.exe

  • Size

    1.3MB

  • MD5

    080beeb3dc9b38f075fa6f31168f560b

  • SHA1

    182ef2d103ca219abb4b1562e546b91ab48361c6

  • SHA256

    0ab4751f38e1e0e97d82a393b9a9a7e97560d02aef519bb34d2a648e03a1f448

  • SHA512

    3e3bb0e3daf0a95064e57251e7243c5b48b04bad3e608e51c2ecc87b86bfdea32a79e55145efc2bd20bb3ed58cd47597f3648f93af91903e1a5dfe3d1148e1dc

  • SSDEEP

    24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 28 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 23 IoCs
  • Drops file in Program Files directory 27 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0ab4751f38e1e0e97d82a393b9a9a7e97560d02aef519bb34d2a648e03a1f448.exe
    "C:\Users\Admin\AppData\Local\Temp\0ab4751f38e1e0e97d82a393b9a9a7e97560d02aef519bb34d2a648e03a1f448.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4372
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2892
        • C:\providercommon\DllCommonsvc.exe
          "C:\providercommon\DllCommonsvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4800
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3304
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\explorer.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3360
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\OfficeClickToRun.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:212
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\fontdrvhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3380
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\browser\VisualElements\services.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3352
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dwm.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4888
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\explorer.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2260
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\fontdrvhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3932
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2384
          • C:\providercommon\DllCommonsvc.exe
            "C:\providercommon\DllCommonsvc.exe"
            5⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3880
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
              6⤵
              • Executes dropped EXE
              PID:4776
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\microsoft shared\Stationery\conhost.exe'
              6⤵
              • Executes dropped EXE
              PID:4276
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\taskhostw.exe'
              6⤵
              • Executes dropped EXE
              PID:1952
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\powershell.exe'
              6⤵
              • Executes dropped EXE
              PID:2168
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\Idle.exe'
              6⤵
              • Executes dropped EXE
              PID:4544
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\conhost.exe'
              6⤵
              • Executes dropped EXE
              PID:3568
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\OfficeClickToRun.exe'
              6⤵
              • Executes dropped EXE
              PID:4564
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\images\DllCommonsvc.exe'
              6⤵
              • Executes dropped EXE
              PID:1312
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\powershell.exe'
              6⤵
              • Executes dropped EXE
              PID:4896
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dwm.exe'
              6⤵
              • Executes dropped EXE
              PID:1072
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\services.exe'
              6⤵
              • Executes dropped EXE
              PID:4644
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
              6⤵
              • Executes dropped EXE
              PID:4076
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\powershell.exe'
              6⤵
              • Executes dropped EXE
              PID:4232
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\powershell.exe'
              6⤵
              • Executes dropped EXE
              PID:5012
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe'
              6⤵
              • Executes dropped EXE
              PID:672
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\powershell.exe'
              6⤵
              • Executes dropped EXE
              PID:1720
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchUI.exe'
              6⤵
              • Executes dropped EXE
              PID:1896
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
              6⤵
              • Executes dropped EXE
              PID:2304
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\fr-FR\powershell.exe'
              6⤵
              • Executes dropped EXE
              PID:2368
            • C:\providercommon\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
              6⤵
              • Executes dropped EXE
              PID:3768
            • C:\Recovery\WindowsRE\SearchUI.exe
              "C:\Recovery\WindowsRE\SearchUI.exe"
              6⤵
              • Executes dropped EXE
              PID:2252
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\odt\OfficeClickToRun.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2912
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3288
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:4272
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    PID:4764
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4676
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:4696
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\en-US\fontdrvhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4724
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4728
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\en-US\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4640
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:396
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:672
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:412
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\odt\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:420
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1668
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:1268
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1804
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1520
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Multimedia Platform\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1076
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\fontdrvhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:344
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1408
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1976
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1832
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:816
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:96
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\microsoft shared\Stationery\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4244
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\Stationery\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4504
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\microsoft shared\Stationery\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5040
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\odt\services.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3064
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\odt\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:220
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\odt\services.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3100
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\taskhostw.exe'" /f
    1⤵
    • Process spawned unexpected child process
    PID:1656
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2504
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4640
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\odt\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    PID:2932
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4672
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:1820
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\providercommon\powershell.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3852
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\providercommon\powershell.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3856
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\providercommon\powershell.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4776
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\powershell.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3464
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\tracing\powershell.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2244
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Windows\tracing\powershell.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4988
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\images\DllCommonsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4236
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:412
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\images\DllCommonsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:344
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\OfficeClickToRun.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1896
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4896
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\OfficeClickToRun.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:2168
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    PID:1520
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1312
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1120
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\odt\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1720
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1540
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4204
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    PID:4208
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4604
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:4628
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\en-US\powershell.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3180
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\powershell.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3864
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\en-US\powershell.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4868
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\powershell.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4864
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\powershell.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:364
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\powershell.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:4660
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4696
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:5000
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:3064
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\providercommon\System.exe'" /f
    1⤵
      PID:220
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
      1⤵
        PID:3100
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
        1⤵
        • Creates scheduled task(s)
        PID:2504
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Windows\AppPatch\fr-FR\powershell.exe'" /f
        1⤵
          PID:1656
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\AppPatch\fr-FR\powershell.exe'" /rl HIGHEST /f
          1⤵
          • Creates scheduled task(s)
          PID:3312
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Windows\AppPatch\fr-FR\powershell.exe'" /rl HIGHEST /f
          1⤵
          • Creates scheduled task(s)
          PID:3336
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
          1⤵
          • Creates scheduled task(s)
          PID:672
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
          1⤵
          • Creates scheduled task(s)
          PID:788
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
          1⤵
          • Creates scheduled task(s)
          PID:5104
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\powershell.exe'" /f
          1⤵
          • Creates scheduled task(s)
          PID:3980
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\powershell.exe'" /rl HIGHEST /f
          1⤵
          • Creates scheduled task(s)
          PID:3948
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\powershell.exe'" /rl HIGHEST /f
          1⤵
          • Creates scheduled task(s)
          PID:4120
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /f
          1⤵
          • Creates scheduled task(s)
          PID:4144
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /rl HIGHEST /f
          1⤵
          • Creates scheduled task(s)
          PID:4704
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /rl HIGHEST /f
          1⤵
          • Creates scheduled task(s)
          PID:2656

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Recovery\WindowsRE\SearchUI.exe
          Filesize

          1.0MB

          MD5

          bd31e94b4143c4ce49c17d3af46bcad0

          SHA1

          f8c51ff3ff909531d9469d4ba1bbabae101853ff

          SHA256

          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

          SHA512

          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

          Download Submit

        • C:\Recovery\WindowsRE\SearchUI.exe
          Filesize

          1.0MB

          MD5

          bd31e94b4143c4ce49c17d3af46bcad0

          SHA1

          f8c51ff3ff909531d9469d4ba1bbabae101853ff

          SHA256

          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

          SHA512

          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log
          Filesize

          1KB

          MD5

          b4268d8ae66fdd920476b97a1776bf85

          SHA1

          f920de54f7467f0970eccc053d3c6c8dd181d49a

          SHA256

          61d17affcc8d91ecb1858e710c455186f9d0ccfc4d8ae17a1145d87bc7317879

          SHA512

          03b6b90641837f9efb6065698602220d6c5ad263d51d7b7714747c2a3c3c618bd3d94add206b034d6fa2b8e43cbd1ac4a1741cfa1c2b1c1fc8589ae0b0c89516

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          3KB

          MD5

          ad5cd538ca58cb28ede39c108acb5785

          SHA1

          1ae910026f3dbe90ed025e9e96ead2b5399be877

          SHA256

          c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

          SHA512

          c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          744a083eaaa0c81e521ef6e163e5c4fe

          SHA1

          bee12e302de1253fab4bec6c1958afee67abb770

          SHA256

          25341170d3f9dc7ca43d56ecd02c0df85f79217b7da126a7350ecdd9ca4e7f14

          SHA512

          dc2fe1bc5667a612b106be6fc67112d97c3eefbc25b0412f96528a08f38f08e92077aa6632714ea01b9d7fe46ae157ada641de0a3f4dffaf4442480b974f32a9

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          8cd34593b8347a6ec069775e32802291

          SHA1

          7fc111decaa8afdf496d82e850dc84c612fe5197

          SHA256

          9d0617a88256164cd731f76ef30a980c628653185b1a4e53fbb075f744a75875

          SHA512

          4b3af3b24b392d1ec0e9c132f85016c1eaf07d0795ef0ae571d7ceb6b7233e9ef614bfea84e42246a1e0e13ccbf24645c9d62c175d22d49ca9530f648cffd345

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          b2a5f8ad4cf63c7ec3d249873f04471d

          SHA1

          a12785d6badef2e939375cb245bd78ab9f14ca21

          SHA256

          eb0e8a5a8ec4136db4e0c9e6649ed012c7bd18954f530ad2293a0678c6e68476

          SHA512

          56902a74fc1c7458bdcb895f38d3cfb83e0e7f0b7326753b52a0f8c0acfaf0a885e0e1aa0e27e311477ffabfd857ed6b7cd80f5c90fd1d06a817885571821a87

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          04692f3702e6733c1bea1af4f850dc96

          SHA1

          7aa0563334dc7afdeddd324c8f4b0b93c216358c

          SHA256

          26c6f9bd4a42c25b84ea23a5e603632c5122789dc7b05c42d5f829ac073eae25

          SHA512

          a4a85ef1d9082f28844b66d2cedddc7d4360ac1cab6176345d1f2edc0ac3dd77de2d362ecb0bf0613b735fcb73f93c407806ce3b8ed968bd0ec5999ad6e9090f

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          04692f3702e6733c1bea1af4f850dc96

          SHA1

          7aa0563334dc7afdeddd324c8f4b0b93c216358c

          SHA256

          26c6f9bd4a42c25b84ea23a5e603632c5122789dc7b05c42d5f829ac073eae25

          SHA512

          a4a85ef1d9082f28844b66d2cedddc7d4360ac1cab6176345d1f2edc0ac3dd77de2d362ecb0bf0613b735fcb73f93c407806ce3b8ed968bd0ec5999ad6e9090f

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          04692f3702e6733c1bea1af4f850dc96

          SHA1

          7aa0563334dc7afdeddd324c8f4b0b93c216358c

          SHA256

          26c6f9bd4a42c25b84ea23a5e603632c5122789dc7b05c42d5f829ac073eae25

          SHA512

          a4a85ef1d9082f28844b66d2cedddc7d4360ac1cab6176345d1f2edc0ac3dd77de2d362ecb0bf0613b735fcb73f93c407806ce3b8ed968bd0ec5999ad6e9090f

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          1KB

          MD5

          04692f3702e6733c1bea1af4f850dc96

          SHA1

          7aa0563334dc7afdeddd324c8f4b0b93c216358c

          SHA256

          26c6f9bd4a42c25b84ea23a5e603632c5122789dc7b05c42d5f829ac073eae25

          SHA512

          a4a85ef1d9082f28844b66d2cedddc7d4360ac1cab6176345d1f2edc0ac3dd77de2d362ecb0bf0613b735fcb73f93c407806ce3b8ed968bd0ec5999ad6e9090f

          Download Submit

        • C:\odt\6cb0b6c459d5d3
          Filesize

          916B

          MD5

          c1a30e3083dfc994f7046865c6e57ba8

          SHA1

          013d91219bd9d5cf2f784a99ca5b72bbd4294ea2

          SHA256

          af95ff7126a9420fa65af05134d92ca030cac243714eb97c880730163c518f6f

          SHA512

          ad4268a139ab00d2322e490591917886225422ca83ee8fb46869201216f853eca1cf875c1f488840bff2a97483d5e1429d36b257fd17ef7724bf9204d82dfd4b

          Download Submit

        • C:\odt\dwm.exe
          Filesize

          1.0MB

          MD5

          bd31e94b4143c4ce49c17d3af46bcad0

          SHA1

          f8c51ff3ff909531d9469d4ba1bbabae101853ff

          SHA256

          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

          SHA512

          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

          Download Submit

        • C:\providercommon\1zu9dW.bat
          Filesize

          36B

          MD5

          6783c3ee07c7d151ceac57f1f9c8bed7

          SHA1

          17468f98f95bf504cc1f83c49e49a78526b3ea03

          SHA256

          8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

          SHA512

          c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

          Download Submit

        • C:\providercommon\DllCommonsvc.exe
          Filesize

          1.0MB

          MD5

          bd31e94b4143c4ce49c17d3af46bcad0

          SHA1

          f8c51ff3ff909531d9469d4ba1bbabae101853ff

          SHA256

          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

          SHA512

          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

          Download Submit

        • C:\providercommon\DllCommonsvc.exe
          Filesize

          1.0MB

          MD5

          bd31e94b4143c4ce49c17d3af46bcad0

          SHA1

          f8c51ff3ff909531d9469d4ba1bbabae101853ff

          SHA256

          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

          SHA512

          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

          Download Submit

        • C:\providercommon\DllCommonsvc.exe
          Filesize

          1.0MB

          MD5

          bd31e94b4143c4ce49c17d3af46bcad0

          SHA1

          f8c51ff3ff909531d9469d4ba1bbabae101853ff

          SHA256

          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

          SHA512

          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

          Download Submit

        • C:\providercommon\powershell.exe
          Filesize

          1.0MB

          MD5

          bd31e94b4143c4ce49c17d3af46bcad0

          SHA1

          f8c51ff3ff909531d9469d4ba1bbabae101853ff

          SHA256

          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

          SHA512

          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

          Download Submit

        • C:\providercommon\powershell.exe
          Filesize

          1.0MB

          MD5

          bd31e94b4143c4ce49c17d3af46bcad0

          SHA1

          f8c51ff3ff909531d9469d4ba1bbabae101853ff

          SHA256

          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

          SHA512

          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

          Download Submit

        • C:\providercommon\powershell.exe
          Filesize

          1.0MB

          MD5

          bd31e94b4143c4ce49c17d3af46bcad0

          SHA1

          f8c51ff3ff909531d9469d4ba1bbabae101853ff

          SHA256

          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

          SHA512

          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

          Download Submit

        • C:\providercommon\powershell.exe
          Filesize

          1.0MB

          MD5

          bd31e94b4143c4ce49c17d3af46bcad0

          SHA1

          f8c51ff3ff909531d9469d4ba1bbabae101853ff

          SHA256

          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

          SHA512

          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

          Download Submit

        • C:\providercommon\powershell.exe
          Filesize

          1.0MB

          MD5

          bd31e94b4143c4ce49c17d3af46bcad0

          SHA1

          f8c51ff3ff909531d9469d4ba1bbabae101853ff

          SHA256

          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

          SHA512

          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

          Download Submit

        • C:\providercommon\powershell.exe
          Filesize

          1.0MB

          MD5

          bd31e94b4143c4ce49c17d3af46bcad0

          SHA1

          f8c51ff3ff909531d9469d4ba1bbabae101853ff

          SHA256

          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

          SHA512

          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

          Download Submit

        • C:\providercommon\powershell.exe
          Filesize

          1.0MB

          MD5

          bd31e94b4143c4ce49c17d3af46bcad0

          SHA1

          f8c51ff3ff909531d9469d4ba1bbabae101853ff

          SHA256

          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

          SHA512

          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

          Download Submit

        • C:\providercommon\powershell.exe
          Filesize

          1.0MB

          MD5

          bd31e94b4143c4ce49c17d3af46bcad0

          SHA1

          f8c51ff3ff909531d9469d4ba1bbabae101853ff

          SHA256

          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

          SHA512

          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

          Download Submit

        • C:\providercommon\powershell.exe
          Filesize

          1.0MB

          MD5

          bd31e94b4143c4ce49c17d3af46bcad0

          SHA1

          f8c51ff3ff909531d9469d4ba1bbabae101853ff

          SHA256

          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

          SHA512

          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

          Download Submit

        • C:\providercommon\powershell.exe
          Filesize

          1.0MB

          MD5

          bd31e94b4143c4ce49c17d3af46bcad0

          SHA1

          f8c51ff3ff909531d9469d4ba1bbabae101853ff

          SHA256

          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

          SHA512

          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

          Download Submit

        • C:\providercommon\powershell.exe
          Filesize

          1.0MB

          MD5

          bd31e94b4143c4ce49c17d3af46bcad0

          SHA1

          f8c51ff3ff909531d9469d4ba1bbabae101853ff

          SHA256

          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

          SHA512

          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

          Download Submit

        • C:\providercommon\powershell.exe
          Filesize

          1.0MB

          MD5

          bd31e94b4143c4ce49c17d3af46bcad0

          SHA1

          f8c51ff3ff909531d9469d4ba1bbabae101853ff

          SHA256

          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

          SHA512

          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

          Download Submit

        • C:\providercommon\powershell.exe
          Filesize

          1.0MB

          MD5

          bd31e94b4143c4ce49c17d3af46bcad0

          SHA1

          f8c51ff3ff909531d9469d4ba1bbabae101853ff

          SHA256

          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

          SHA512

          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

          Download Submit

        • C:\providercommon\powershell.exe
          Filesize

          1.0MB

          MD5

          bd31e94b4143c4ce49c17d3af46bcad0

          SHA1

          f8c51ff3ff909531d9469d4ba1bbabae101853ff

          SHA256

          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

          SHA512

          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

          Download Submit

        • C:\providercommon\powershell.exe
          Filesize

          1.0MB

          MD5

          bd31e94b4143c4ce49c17d3af46bcad0

          SHA1

          f8c51ff3ff909531d9469d4ba1bbabae101853ff

          SHA256

          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

          SHA512

          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

          Download Submit

        • C:\providercommon\powershell.exe
          Filesize

          1.0MB

          MD5

          bd31e94b4143c4ce49c17d3af46bcad0

          SHA1

          f8c51ff3ff909531d9469d4ba1bbabae101853ff

          SHA256

          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

          SHA512

          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

          Download Submit

        • C:\providercommon\powershell.exe
          Filesize

          1.0MB

          MD5

          bd31e94b4143c4ce49c17d3af46bcad0

          SHA1

          f8c51ff3ff909531d9469d4ba1bbabae101853ff

          SHA256

          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

          SHA512

          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

          Download Submit

        • C:\providercommon\powershell.exe
          Filesize

          1.0MB

          MD5

          bd31e94b4143c4ce49c17d3af46bcad0

          SHA1

          f8c51ff3ff909531d9469d4ba1bbabae101853ff

          SHA256

          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

          SHA512

          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

          Download Submit

        • C:\providercommon\powershell.exe
          Filesize

          1.0MB

          MD5

          bd31e94b4143c4ce49c17d3af46bcad0

          SHA1

          f8c51ff3ff909531d9469d4ba1bbabae101853ff

          SHA256

          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

          SHA512

          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

          Download Submit

        • C:\providercommon\powershell.exe
          Filesize

          1.0MB

          MD5

          bd31e94b4143c4ce49c17d3af46bcad0

          SHA1

          f8c51ff3ff909531d9469d4ba1bbabae101853ff

          SHA256

          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

          SHA512

          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

          Download Submit

        • C:\providercommon\powershell.exe
          Filesize

          1.0MB

          MD5

          bd31e94b4143c4ce49c17d3af46bcad0

          SHA1

          f8c51ff3ff909531d9469d4ba1bbabae101853ff

          SHA256

          b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

          SHA512

          f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

          Download Submit

        • C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
          Filesize

          197B

          MD5

          8088241160261560a02c84025d107592

          SHA1

          083121f7027557570994c9fc211df61730455bb5

          SHA256

          2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

          SHA512

          20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

          Download Submit

        • memory/212-343-0x000001B5AE980000-0x000001B5AE9A2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/1992-181-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1992-182-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3380-348-0x0000019825CD0000-0x0000019825D46000-memory.dmp

          Filesize

          472KB

          Download

        • memory/3880-345-0x0000000001260000-0x0000000001272000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4372-154-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-153-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-117-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-119-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-118-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-121-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-122-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-178-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-179-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-175-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-177-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-124-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-176-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-174-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-173-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-172-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-171-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-169-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-170-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-167-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-168-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-166-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-125-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-165-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-164-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-163-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-162-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-161-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-160-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-157-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-159-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-158-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-126-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-156-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-155-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-127-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-116-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-128-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-152-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-151-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-150-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-129-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-148-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-130-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-149-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-147-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-146-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-145-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-144-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-143-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-142-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-141-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-140-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-134-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-139-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-138-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-137-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-136-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-135-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-133-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-132-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4372-131-0x0000000077520000-0x00000000776AE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4800-284-0x0000000002920000-0x000000000292C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/4800-282-0x0000000000480000-0x0000000000590000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/4800-283-0x00000000027E0000-0x00000000027F2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4800-286-0x0000000002910000-0x000000000291C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/4800-285-0x0000000002900000-0x000000000290C000-memory.dmp

          Filesize

          48KB

          Download