dcrat | f45ea312f758d397ca56081095a26f746c30d12ea7ce1a2ade8c6b9a818b3a5a

Analysis

max time kernel
56s
max time network
144s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
03/11/2022, 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f45ea312f758d397ca56081095a26f746c30d12ea7ce1a2ade8c6b9a818b3a5a.exe
Size

1.3MB
MD5

fae8ca0cccd6610616b2a77255b8c6a2
SHA1

3782da47a80bd8e3663e845f51640787623adadf
SHA256

f45ea312f758d397ca56081095a26f746c30d12ea7ce1a2ade8c6b9a818b3a5a
SHA512

addd9198fc7dfdb69aa867b3cb474775d4e0eded55d398ab52dfad669433fd3d1f685da8923683ecd6eda9e7d1f85db2e44b22c905578c7298780b3efe41ac89
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3172	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4396	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	476	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	412	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3984	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	200	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	312	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3312	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5464	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5640	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5796	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5296	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5804	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5944	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5964	4752	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5988	4752	schtasks.exe	70

DCRat payload 28 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001ac2e-280.dat	dcrat
behavioral1/files/0x000800000001ac2e-281.dat	dcrat
behavioral1/memory/3936-282-0x00000000007F0000-0x0000000000900000-memory.dmp	dcrat
behavioral1/files/0x000800000001ac2e-378.dat	dcrat
behavioral1/files/0x000600000001ac68-878.dat	dcrat
behavioral1/files/0x000900000001ac8c-956.dat	dcrat
behavioral1/files/0x000900000001ac8c-957.dat	dcrat
behavioral1/files/0x000900000001ac8c-959.dat	dcrat
behavioral1/files/0x000900000001ac8c-963.dat	dcrat
behavioral1/files/0x000900000001ac8c-967.dat	dcrat
behavioral1/files/0x000900000001ac8c-965.dat	dcrat
behavioral1/files/0x000900000001ac8c-961.dat	dcrat
behavioral1/files/0x000900000001ac8c-969.dat	dcrat
behavioral1/files/0x000900000001ac8c-971.dat	dcrat
behavioral1/files/0x000900000001ac8c-973.dat	dcrat
behavioral1/files/0x000900000001ac8c-975.dat	dcrat
behavioral1/files/0x000900000001ac8c-978.dat	dcrat
behavioral1/files/0x000900000001ac8c-977.dat	dcrat
behavioral1/files/0x000900000001ac8c-987.dat	dcrat
behavioral1/files/0x000900000001ac8c-989.dat	dcrat
behavioral1/files/0x000900000001ac8c-991.dat	dcrat
behavioral1/files/0x000900000001ac8c-992.dat	dcrat
behavioral1/files/0x000900000001ac8c-994.dat	dcrat
behavioral1/files/0x000600000001aca2-997.dat	dcrat
behavioral1/files/0x000600000001aca2-996.dat	dcrat
behavioral1/files/0x000900000001ac8c-985.dat	dcrat
behavioral1/files/0x000900000001ac8c-982.dat	dcrat
behavioral1/files/0x000900000001ac8c-981.dat	dcrat

Executes dropped EXE 23 IoCs

pid	Process
3936	DllCommonsvc.exe
2804	DllCommonsvc.exe
1336	powershell.exe
5696	powershell.exe
5692	powershell.exe
4320	powershell.exe
1920	powershell.exe
5684	powershell.exe
4720	powershell.exe
1804	powershell.exe
4824	powershell.exe
3136	powershell.exe
1952	powershell.exe
4244	powershell.exe
3728	powershell.exe
2716	powershell.exe
4852	powershell.exe
5156	powershell.exe
1484	powershell.exe
2312	powershell.exe
3028	powershell.exe
1284	powershell.exe
5024	smss.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\ja-JP\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Temp\powershell.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Temp\e978f868350d50	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\Visualizations\e6c9b481da804f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\ea9f0e6c9e2dcd	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\ja-JP\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\powershell.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\e978f868350d50	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\Visualizations\OfficeClickToRun.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\taskhostw.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\csrss.exe	DllCommonsvc.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\AppReadiness\e978f868350d50	DllCommonsvc.exe
File created	C:\Windows\ModemLogs\5940a34987c991	DllCommonsvc.exe
File created	C:\Windows\en-US\powershell.exe	DllCommonsvc.exe
File created	C:\Windows\en-US\e978f868350d50	DllCommonsvc.exe
File created	C:\Windows\schemas\Provisioning\powershell.exe	DllCommonsvc.exe
File created	C:\Windows\schemas\Provisioning\e978f868350d50	DllCommonsvc.exe
File created	C:\Windows\AppReadiness\powershell.exe	DllCommonsvc.exe
File created	C:\Windows\InfusedApps\Applications\Microsoft.Microsoft3DViewer_1.1702.21039.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\ModemLogs\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\Prefetch\ReadyBoot\winlogon.exe	DllCommonsvc.exe
File created	C:\Windows\Prefetch\ReadyBoot\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Windows\CbsTemp\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\CbsTemp\56085415360792	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1340	schtasks.exe
1560	schtasks.exe
1140	schtasks.exe
644	schtasks.exe
5788	schtasks.exe
4532	schtasks.exe
4448	schtasks.exe
5972	schtasks.exe
412	schtasks.exe
2896	schtasks.exe
660	schtasks.exe
1572	schtasks.exe
4428	schtasks.exe
5012	schtasks.exe
348	schtasks.exe
3192	schtasks.exe
4304	schtasks.exe
5796	schtasks.exe
5384	schtasks.exe
5412	schtasks.exe
3136	schtasks.exe
2928	schtasks.exe
5000	schtasks.exe
4472	schtasks.exe
872	schtasks.exe
5464	schtasks.exe
5192	schtasks.exe
2512	schtasks.exe
4616	schtasks.exe
1944	schtasks.exe
6080	schtasks.exe
5372	schtasks.exe
1792	schtasks.exe
5760	schtasks.exe
4440	schtasks.exe
4908	schtasks.exe
5044	schtasks.exe
4596	schtasks.exe
5244	schtasks.exe
5288	schtasks.exe
1020	schtasks.exe
5396	schtasks.exe
4248	schtasks.exe
5988	schtasks.exe
1332	schtasks.exe
584	schtasks.exe
2912	schtasks.exe
4396	schtasks.exe
1864	schtasks.exe
5980	schtasks.exe
6140	schtasks.exe
4456	schtasks.exe
5468	schtasks.exe
4232	schtasks.exe
5444	schtasks.exe
3172	schtasks.exe
816	schtasks.exe
5844	schtasks.exe
1264	schtasks.exe
312	schtasks.exe
5640	schtasks.exe
6108	schtasks.exe
784	schtasks.exe
1796	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings	f45ea312f758d397ca56081095a26f746c30d12ea7ce1a2ade8c6b9a818b3a5a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3936	DllCommonsvc.exe
3936	DllCommonsvc.exe
3936	DllCommonsvc.exe
3936	DllCommonsvc.exe
3936	DllCommonsvc.exe
3936	DllCommonsvc.exe
3936	DllCommonsvc.exe
3936	DllCommonsvc.exe
3936	DllCommonsvc.exe
3936	DllCommonsvc.exe
3936	DllCommonsvc.exe
3936	DllCommonsvc.exe
3936	DllCommonsvc.exe
3936	DllCommonsvc.exe
3936	DllCommonsvc.exe
3936	DllCommonsvc.exe
3936	DllCommonsvc.exe
3936	DllCommonsvc.exe
3936	DllCommonsvc.exe
3936	DllCommonsvc.exe
3936	DllCommonsvc.exe
3936	DllCommonsvc.exe
3936	DllCommonsvc.exe
3936	DllCommonsvc.exe
3936	DllCommonsvc.exe
3936	DllCommonsvc.exe
2072	powershell.exe
2072	powershell.exe
2192	powershell.exe
2192	powershell.exe
2072	powershell.exe
2696	powershell.exe
2696	powershell.exe
3812	powershell.exe
3812	powershell.exe
2764	powershell.exe
2764	powershell.exe
2696	powershell.exe
3764	powershell.exe
3764	powershell.exe
2072	powershell.exe
4688	powershell.exe
4688	powershell.exe
4676	powershell.exe
4676	powershell.exe
2764	powershell.exe
2696	powershell.exe
3836	powershell.exe
3836	powershell.exe
4728	powershell.exe
4728	powershell.exe
2192	powershell.exe
4180	powershell.exe
4180	powershell.exe
3836	powershell.exe
1008	powershell.exe
1008	powershell.exe
4820	powershell.exe
4820	powershell.exe
1392	powershell.exe
1392	powershell.exe
4196	powershell.exe
4196	powershell.exe
2764	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3936	DllCommonsvc.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	3812	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	3764	powershell.exe
Token: SeDebugPrivilege	4688	powershell.exe
Token: SeDebugPrivilege	4676	powershell.exe
Token: SeDebugPrivilege	3836	powershell.exe
Token: SeDebugPrivilege	4728	powershell.exe
Token: SeDebugPrivilege	4180	powershell.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	4820	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	4196	powershell.exe
Token: SeDebugPrivilege	4844	powershell.exe
Token: SeDebugPrivilege	3384	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	2804	DllCommonsvc.exe
Token: SeIncreaseQuotaPrivilege	2072	powershell.exe
Token: SeSecurityPrivilege	2072	powershell.exe
Token: SeTakeOwnershipPrivilege	2072	powershell.exe
Token: SeLoadDriverPrivilege	2072	powershell.exe
Token: SeSystemProfilePrivilege	2072	powershell.exe
Token: SeSystemtimePrivilege	2072	powershell.exe
Token: SeProfSingleProcessPrivilege	2072	powershell.exe
Token: SeIncBasePriorityPrivilege	2072	powershell.exe
Token: SeCreatePagefilePrivilege	2072	powershell.exe
Token: SeBackupPrivilege	2072	powershell.exe
Token: SeRestorePrivilege	2072	powershell.exe
Token: SeShutdownPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeSystemEnvironmentPrivilege	2072	powershell.exe
Token: SeRemoteShutdownPrivilege	2072	powershell.exe
Token: SeUndockPrivilege	2072	powershell.exe
Token: SeManageVolumePrivilege	2072	powershell.exe
Token: 33	2072	powershell.exe
Token: 34	2072	powershell.exe
Token: 35	2072	powershell.exe
Token: 36	2072	powershell.exe
Token: SeIncreaseQuotaPrivilege	2696	powershell.exe
Token: SeSecurityPrivilege	2696	powershell.exe
Token: SeTakeOwnershipPrivilege	2696	powershell.exe
Token: SeLoadDriverPrivilege	2696	powershell.exe
Token: SeSystemProfilePrivilege	2696	powershell.exe
Token: SeSystemtimePrivilege	2696	powershell.exe
Token: SeProfSingleProcessPrivilege	2696	powershell.exe
Token: SeIncBasePriorityPrivilege	2696	powershell.exe
Token: SeCreatePagefilePrivilege	2696	powershell.exe
Token: SeBackupPrivilege	2696	powershell.exe
Token: SeRestorePrivilege	2696	powershell.exe
Token: SeShutdownPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeSystemEnvironmentPrivilege	2696	powershell.exe
Token: SeRemoteShutdownPrivilege	2696	powershell.exe
Token: SeUndockPrivilege	2696	powershell.exe
Token: SeManageVolumePrivilege	2696	powershell.exe
Token: 33	2696	powershell.exe
Token: 34	2696	powershell.exe
Token: 35	2696	powershell.exe
Token: 36	2696	powershell.exe
Token: SeIncreaseQuotaPrivilege	2764	powershell.exe
Token: SeSecurityPrivilege	2764	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 4768	2668	f45ea312f758d397ca56081095a26f746c30d12ea7ce1a2ade8c6b9a818b3a5a.exe	66
PID 2668 wrote to memory of 4768	2668	f45ea312f758d397ca56081095a26f746c30d12ea7ce1a2ade8c6b9a818b3a5a.exe	66
PID 2668 wrote to memory of 4768	2668	f45ea312f758d397ca56081095a26f746c30d12ea7ce1a2ade8c6b9a818b3a5a.exe	66
PID 4768 wrote to memory of 3680	4768	WScript.exe	67
PID 4768 wrote to memory of 3680	4768	WScript.exe	67
PID 4768 wrote to memory of 3680	4768	WScript.exe	67
PID 3680 wrote to memory of 3936	3680	cmd.exe	69
PID 3680 wrote to memory of 3936	3680	cmd.exe	69
PID 3936 wrote to memory of 2072	3936	DllCommonsvc.exe	122
PID 3936 wrote to memory of 2072	3936	DllCommonsvc.exe	122
PID 3936 wrote to memory of 2192	3936	DllCommonsvc.exe	157
PID 3936 wrote to memory of 2192	3936	DllCommonsvc.exe	157
PID 3936 wrote to memory of 3812	3936	DllCommonsvc.exe	123
PID 3936 wrote to memory of 3812	3936	DllCommonsvc.exe	123
PID 3936 wrote to memory of 2696	3936	DllCommonsvc.exe	124
PID 3936 wrote to memory of 2696	3936	DllCommonsvc.exe	124
PID 3936 wrote to memory of 2764	3936	DllCommonsvc.exe	125
PID 3936 wrote to memory of 2764	3936	DllCommonsvc.exe	125
PID 3936 wrote to memory of 3764	3936	DllCommonsvc.exe	126
PID 3936 wrote to memory of 3764	3936	DllCommonsvc.exe	126
PID 3936 wrote to memory of 4676	3936	DllCommonsvc.exe	130
PID 3936 wrote to memory of 4676	3936	DllCommonsvc.exe	130
PID 3936 wrote to memory of 4688	3936	DllCommonsvc.exe	131
PID 3936 wrote to memory of 4688	3936	DllCommonsvc.exe	131
PID 3936 wrote to memory of 3836	3936	DllCommonsvc.exe	132
PID 3936 wrote to memory of 3836	3936	DllCommonsvc.exe	132
PID 3936 wrote to memory of 4728	3936	DllCommonsvc.exe	152
PID 3936 wrote to memory of 4728	3936	DllCommonsvc.exe	152
PID 3936 wrote to memory of 4820	3936	DllCommonsvc.exe	134
PID 3936 wrote to memory of 4820	3936	DllCommonsvc.exe	134
PID 3936 wrote to memory of 1008	3936	DllCommonsvc.exe	147
PID 3936 wrote to memory of 1008	3936	DllCommonsvc.exe	147
PID 3936 wrote to memory of 4180	3936	DllCommonsvc.exe	136
PID 3936 wrote to memory of 4180	3936	DllCommonsvc.exe	136
PID 3936 wrote to memory of 1392	3936	DllCommonsvc.exe	137
PID 3936 wrote to memory of 1392	3936	DllCommonsvc.exe	137
PID 3936 wrote to memory of 4196	3936	DllCommonsvc.exe	138
PID 3936 wrote to memory of 4196	3936	DllCommonsvc.exe	138
PID 3936 wrote to memory of 4844	3936	DllCommonsvc.exe	139
PID 3936 wrote to memory of 4844	3936	DllCommonsvc.exe	139
PID 3936 wrote to memory of 3384	3936	DllCommonsvc.exe	140
PID 3936 wrote to memory of 3384	3936	DllCommonsvc.exe	140
PID 3936 wrote to memory of 1368	3936	DllCommonsvc.exe	149
PID 3936 wrote to memory of 1368	3936	DllCommonsvc.exe	149
PID 3936 wrote to memory of 2804	3936	DllCommonsvc.exe	158
PID 3936 wrote to memory of 2804	3936	DllCommonsvc.exe	158
PID 2804 wrote to memory of 1336	2804	DllCommonsvc.exe	217
PID 2804 wrote to memory of 1336	2804	DllCommonsvc.exe	217
PID 2804 wrote to memory of 5696	2804	DllCommonsvc.exe	218
PID 2804 wrote to memory of 5696	2804	DllCommonsvc.exe	218
PID 2804 wrote to memory of 5692	2804	DllCommonsvc.exe	223
PID 2804 wrote to memory of 5692	2804	DllCommonsvc.exe	223
PID 2804 wrote to memory of 4320	2804	DllCommonsvc.exe	222
PID 2804 wrote to memory of 4320	2804	DllCommonsvc.exe	222
PID 2804 wrote to memory of 1920	2804	DllCommonsvc.exe	221
PID 2804 wrote to memory of 1920	2804	DllCommonsvc.exe	221
PID 2804 wrote to memory of 5684	2804	DllCommonsvc.exe	220
PID 2804 wrote to memory of 5684	2804	DllCommonsvc.exe	220
PID 2804 wrote to memory of 4720	2804	DllCommonsvc.exe	219
PID 2804 wrote to memory of 4720	2804	DllCommonsvc.exe	219
PID 2804 wrote to memory of 1804	2804	DllCommonsvc.exe	224
PID 2804 wrote to memory of 1804	2804	DllCommonsvc.exe	224
PID 2804 wrote to memory of 4824	2804	DllCommonsvc.exe	226
PID 2804 wrote to memory of 4824	2804	DllCommonsvc.exe	226

C:\Users\Admin\AppData\Local\Temp\f45ea312f758d397ca56081095a26f746c30d12ea7ce1a2ade8c6b9a818b3a5a.exe
"C:\Users\Admin\AppData\Local\Temp\f45ea312f758d397ca56081095a26f746c30d12ea7ce1a2ade8c6b9a818b3a5a.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3680
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Visualizations\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\lsass.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CbsTemp\wininit.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4180
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\cmd.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4196
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Skins\System.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3384
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchUI.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\ja-JP\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
    - - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2804
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        6⤵
        Executes dropped EXE
        
        PID:1336
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\conhost.exe'
        6⤵
        Executes dropped EXE
        
        PID:5696
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\schemas\Provisioning\powershell.exe'
        6⤵
        Executes dropped EXE
        
        PID:4720
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\PackageManifests\conhost.exe'
        6⤵
        Executes dropped EXE
        
        PID:5684
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\powershell.exe'
        6⤵
        Executes dropped EXE
        
        PID:1920
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\powershell.exe'
        6⤵
        Executes dropped EXE
        
        PID:4320
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\powershell.exe'
        6⤵
        Executes dropped EXE
        
        PID:5692
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
        6⤵
        Executes dropped EXE
        
        PID:1804
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Configuration\Registration\winlogon.exe'
        6⤵
        Executes dropped EXE
        
        PID:3136
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
        6⤵
        Executes dropped EXE
        
        PID:4824
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\powershell.exe'
        6⤵
        Executes dropped EXE
        
        PID:3728
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        6⤵
        Executes dropped EXE
        
        PID:2716
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\powershell.exe'
        6⤵
        Executes dropped EXE
        
        PID:4244
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppReadiness\powershell.exe'
        6⤵
        Executes dropped EXE
        
        PID:1952
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\PrintHood\conhost.exe'
        6⤵
        Executes dropped EXE
        
        PID:4852
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\conhost.exe'
        6⤵
        Executes dropped EXE
        
        PID:5156
      - C:\odt\smss.exe
        
        "C:\odt\smss.exe"
        6⤵
        Executes dropped EXE
        
        PID:5024
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\powershell.exe'
        6⤵
        Executes dropped EXE
        
        PID:1284
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\powershell.exe'
        6⤵
        Executes dropped EXE
        
        PID:3028
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\es-ES\conhost.exe'
        6⤵
        Executes dropped EXE
        
        PID:2312
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\smss.exe'
        6⤵
        Executes dropped EXE
        
        PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\System.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\ModemLogs\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ModemLogs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\ModemLogs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Documents\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Documents\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Documents\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\Visualizations\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\Visualizations\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\odt\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\Prefetch\ReadyBoot\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\Prefetch\ReadyBoot\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\ja-JP\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\CbsTemp\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\CbsTemp\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\CbsTemp\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\odt\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
PID:200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\System.exe'" /f
1⤵
- Process spawned unexpected child process
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Skins\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Windows\en-US\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\en-US\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Windows\en-US\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\providercommon\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\providercommon\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\providercommon\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\providercommon\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
PID:5804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\providercommon\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\providercommon\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\PackageManifests\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\conhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\PackageManifests\conhost.exe'" /rl HIGHEST /f
1⤵
PID:6076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Windows\schemas\Provisioning\powershell.exe'" /f
1⤵
- Creates scheduled task(s)
PID:5384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\schemas\Provisioning\powershell.exe'" /rl HIGHEST /f
1⤵
PID:6120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Windows\schemas\Provisioning\powershell.exe'" /rl HIGHEST /f
1⤵
PID:5164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
PID:5596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
PID:5680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
PID:5692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:6140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
PID:5736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\winlogon.exe'" /f
1⤵
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\winlogon.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\winlogon.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Windows\AppReadiness\powershell.exe'" /f
1⤵
- Creates scheduled task(s)
PID:5468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\AppReadiness\powershell.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Windows\AppReadiness\powershell.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:6080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\providercommon\powershell.exe'" /f
1⤵
- Creates scheduled task(s)
PID:5760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\providercommon\powershell.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:6108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\providercommon\powershell.exe'" /rl HIGHEST /f
1⤵
PID:5144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\odt\powershell.exe'" /f
1⤵
- Creates scheduled task(s)
PID:5192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\odt\powershell.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\odt\powershell.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
PID:5328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\PrintHood\conhost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\conhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\PrintHood\conhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\odt\conhost.exe'" /f
1⤵
- Creates scheduled task(s)
PID:5412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\odt\smss.exe'" /f
1⤵
PID:5628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
PID:6056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\conhost.exe'" /f
1⤵
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\conhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\conhost.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\powershell.exe'" /f
1⤵
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\powershell.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\powershell.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:5844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Temp\powershell.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\powershell.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\powershell.exe'" /rl HIGHEST /f
1⤵
PID:924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\5b884080fd4f94

Filesize
299B

MD5
1af606957c889d9d39d5593aef038b44

SHA1
e1ba423257b7ebfe1f421a7c74338642dbce39df

SHA256
ff78d24f779ccddff3aeca05e0c11a9599b88d25189d53de4891f8db48135dcf

SHA512
4a16820afdeac2d62427c8b93e1b0042f5ad1e4eb7d9f759c1e292cafe6c421ca590881306aa1312c4e3e13376f54e39d45653af5a72a8a73fd485ebe8969191

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
b4268d8ae66fdd920476b97a1776bf85

SHA1
f920de54f7467f0970eccc053d3c6c8dd181d49a

SHA256
61d17affcc8d91ecb1858e710c455186f9d0ccfc4d8ae17a1145d87bc7317879

SHA512
03b6b90641837f9efb6065698602220d6c5ad263d51d7b7714747c2a3c3c618bd3d94add206b034d6fa2b8e43cbd1ac4a1741cfa1c2b1c1fc8589ae0b0c89516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
af76f41615ed7b552182260f203688bf

SHA1
18d35beb68d13f92518e64c01395301b83bd1aaa

SHA256
a92de98421417f3e77598152d83051f1199240572bd5c2744ef47874584a324f

SHA512
4b439eb483cf88966d1b439974e389d35747772624656296c7d716dab95dd2e9625ef6f334cc9c05f94c9111745450e231b62a576cf2e6bf608f43183cf404a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
32a26731e757ca97f350242cedca924e

SHA1
a9c0dc9a3aed0f2f7ab4bf87cf2216132c4b7083

SHA256
e2ec00b94636b6586460998ed45af5a36ff75a126158ebe46bb2a0f7490d4dff

SHA512
387ed7f666b9ca27ae2fc968ac5f5a3a1dcfc152084a51efeabcead6fc78713c764829a728feffd0e3cfdfd7f952e337c4c4a25a38da26463525d73b9b20523e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a9c46cd7ee0560556cf258567c9d687a

SHA1
a420733aa8699df03c445df65d44c3ab680518bd

SHA256
fc67ddb86e500ce527a3e5d08d70e4bf9e2e35e0cba37b2bf06297bdf69e0745

SHA512
20a2c0bfe2a77b52704a187b1c5bcedaa5679c209f2428062f25ac54afd170e8871f10553f48f66b034f6341360bf46d8b385774325356e4097605f856539cd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a9c46cd7ee0560556cf258567c9d687a

SHA1
a420733aa8699df03c445df65d44c3ab680518bd

SHA256
fc67ddb86e500ce527a3e5d08d70e4bf9e2e35e0cba37b2bf06297bdf69e0745

SHA512
20a2c0bfe2a77b52704a187b1c5bcedaa5679c209f2428062f25ac54afd170e8871f10553f48f66b034f6341360bf46d8b385774325356e4097605f856539cd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5196005384db4b734a03b450f6047291

SHA1
106345b898e57495b316a20abcde884bee37b106

SHA256
6f5418303893fff76195415f7011933c2aa83c421736d05e6698ff54652b72d4

SHA512
15158c38e7b1e8da10ebad4022e0e5b9daa39e516cefb988bdf9ba890af7bdd7dafae109ed8eabeffea55b35131f681d1fe36742ca5420ea497a042804aee082

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d392fa5860dbf8c02b190119c5a71bfa

SHA1
aaeb2c22bbeb7c73749d919c0dba54c22d8d8101

SHA256
a9f82b5a58049d982948df79bf201dff679520d4298a822d7bd271f5ecd7d9bf

SHA512
047ae4dfa9bad0f25b82c6da94ae63ad415ff978ff26e9e7a24c1e2d4c42bbb611a8a3a8a0d73c428cc8c5cce3a12008075334288bfa43b9b3c38e9f72407072

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d392fa5860dbf8c02b190119c5a71bfa

SHA1
aaeb2c22bbeb7c73749d919c0dba54c22d8d8101

SHA256
a9f82b5a58049d982948df79bf201dff679520d4298a822d7bd271f5ecd7d9bf

SHA512
047ae4dfa9bad0f25b82c6da94ae63ad415ff978ff26e9e7a24c1e2d4c42bbb611a8a3a8a0d73c428cc8c5cce3a12008075334288bfa43b9b3c38e9f72407072

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
64c7ae5ac58ecb9628fa54751d5371f3

SHA1
a6bcb94dd9fc65168cea91f9fd5ad713edd8843a

SHA256
126e351b05dfc1b5e76d745ba4d7b39c90d13dc2acd1b2ba4503b6736273a4a9

SHA512
e323855f6ec353c7f6472fc3f8021d93a69a90c22968ed080e565b3b63918e24ffbf248428c655d42d8c6fbd568edaf322d4608969ceb824d034566d3ebe0cfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
64c7ae5ac58ecb9628fa54751d5371f3

SHA1
a6bcb94dd9fc65168cea91f9fd5ad713edd8843a

SHA256
126e351b05dfc1b5e76d745ba4d7b39c90d13dc2acd1b2ba4503b6736273a4a9

SHA512
e323855f6ec353c7f6472fc3f8021d93a69a90c22968ed080e565b3b63918e24ffbf248428c655d42d8c6fbd568edaf322d4608969ceb824d034566d3ebe0cfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a5d5341a0a733b0a8d8207c4cfd5fa5d

SHA1
26941df6283ce5a8b41af391b9cdc858305a2421

SHA256
05c43ab787963d9297dc8b673aa5b86e414ae9862bcbca024a665ddcc9cdd2ba

SHA512
e591367de919250e990be7c15514730d0526c51aeace21bf4d4c6ad6a9d82d30c19ccc30f8e80337616157506f8a5ab05645c8859922fde9d175f35c21a67d57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1bc5d32246d3612f440bc5fe8efe1851

SHA1
48d0b4d797fb2bce4d322e4b7bcf97a79d9fed9f

SHA256
28948f3cb7c9897efd726c4ce46e09ec9207078cbb7c520009e2c232bc305e84

SHA512
793e62979ac72f9d0c5ff76a154152ac802bc0702ebc5b7186452f8daae6e78af4ebe50a374ffdd6b170a61b961d69a3cea54986270f63b966ddedf46ca8b740

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1bc5d32246d3612f440bc5fe8efe1851

SHA1
48d0b4d797fb2bce4d322e4b7bcf97a79d9fed9f

SHA256
28948f3cb7c9897efd726c4ce46e09ec9207078cbb7c520009e2c232bc305e84

SHA512
793e62979ac72f9d0c5ff76a154152ac802bc0702ebc5b7186452f8daae6e78af4ebe50a374ffdd6b170a61b961d69a3cea54986270f63b966ddedf46ca8b740

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9fb8e485a202d28a1a374ba6af39b2fb

SHA1
15e1794a859fc5ff0ec022026a4ecc062df8f252

SHA256
61cfb6a71b2a98e8a4fad7af0d89955e206634f3eeb0bbf5005db1ce07c8805f

SHA512
daccd31f3bd8d09f668b29f05d253820048f3a4c48e4ba5c7dde7e6eab6072e2f4ff4ce88519d23b9ee682fbacdd893a13e21f6ee4f897838bdc1f9570eb6afd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a5d02ac901a6a2cfc64051b595f6446c

SHA1
3829404145be028dc63f8fee147a2c2483f129c7

SHA256
c457ab8d2c24106abf493afd2f95696826398da32f8afc8dbe959abb2db3816f

SHA512
618cecddda357c6937ccbccd9e838baf3eb0815536709e3fd3e5d5efc1d6d4b9ddc0dd7ad6bd6be9681a6f198db95a6372175ce86edd637cc475df3cce773fb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a5d02ac901a6a2cfc64051b595f6446c

SHA1
3829404145be028dc63f8fee147a2c2483f129c7

SHA256
c457ab8d2c24106abf493afd2f95696826398da32f8afc8dbe959abb2db3816f

SHA512
618cecddda357c6937ccbccd9e838baf3eb0815536709e3fd3e5d5efc1d6d4b9ddc0dd7ad6bd6be9681a6f198db95a6372175ce86edd637cc475df3cce773fb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1fd84f74f7517f2f144e032944e5b70f

SHA1
8fc70e124a85a3a8a30b9003ca81ff478fe1151d

SHA256
58cc5c4da5aa269a4ceebdc63235a01c57919b481f3e08286aad7f8d8d184839

SHA512
9eac6490271a50b7a8ff6a03afc726e82bfe03d14787aa666378a26ad43ca4e9f5fe3b3b96151b6e5fdb2beab131c7dfa1515c60fc1817d32955c0969d855a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4d3b5982630c255b5a44a5ddd6b348a6

SHA1
9ccce85156b954443e5e03508b7e6b8725be7bf0

SHA256
b8bdde2ff19dc29135dcde27174c69fc551d4e2ecf8532573c31a98e56d02ee5

SHA512
3ab070aaf5e18029ff1c9667aa77236b838bd6d86bc4009b3c023bd05093fb0d1321d2ef16b7e70d781422e4068a403023126c965900af3e68bbfeb7ae3b16e5

Download Submit
C:\odt\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\powershell.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/2072-379-0x000001F75DA30000-0x000001F75DA52000-memory.dmp

Filesize
136KB

Download
memory/2072-386-0x000001F775D60000-0x000001F775DD6000-memory.dmp

Filesize
472KB

Download
memory/2668-159-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-154-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-117-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-118-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-119-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-121-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-179-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-178-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-122-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-124-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-125-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-127-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-126-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-177-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-128-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-129-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-130-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-176-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-131-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-132-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-134-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-133-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-135-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-175-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-136-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-174-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-137-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-173-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-138-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-139-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-140-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-141-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-172-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-171-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-170-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-142-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-168-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-169-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-167-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-166-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-165-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-164-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-163-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-162-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-161-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-160-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-116-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-158-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-157-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-156-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-155-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-143-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-153-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-152-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-151-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-150-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-144-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-149-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-148-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-147-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-146-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2668-145-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-437-0x00000000015B0000-0x00000000015C2000-memory.dmp

Filesize
72KB

Download
memory/3936-285-0x0000000002A30000-0x0000000002A3C000-memory.dmp

Filesize
48KB

Download
memory/3936-282-0x00000000007F0000-0x0000000000900000-memory.dmp

Filesize
1.1MB

Download
memory/3936-286-0x0000000002A40000-0x0000000002A4C000-memory.dmp

Filesize
48KB

Download
memory/3936-284-0x0000000001070000-0x000000000107C000-memory.dmp

Filesize
48KB

Download
memory/3936-283-0x0000000001060000-0x0000000001072000-memory.dmp

Filesize
72KB

Download
memory/4768-182-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download
memory/4768-181-0x00000000779A0000-0x0000000077B2E000-memory.dmp

Filesize
1.6MB

Download