dcrat | b4103834242cc164c004c18caec7f96b9e21cd32e976a4c19777fea6c9039758

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/11/2022, 11:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4103834242cc164c004c18caec7f96b9e21cd32e976a4c19777fea6c9039758.exe
Size

1.3MB
MD5

77d60690345aa72408380bd49b086c4b
SHA1

303df3ad7dcd16c92db3e9a6c219ba68ae3b578a
SHA256

b4103834242cc164c004c18caec7f96b9e21cd32e976a4c19777fea6c9039758
SHA512

f2e316991353ca2822db5333a607d6be2b41c008af786bfa19d6e88be31579882be047bcc4b028c673edeac0b8c9b84d185de4b7da43a8dc1c26251a6e3e7fbe
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3516	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3336	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4068	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3324	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3728	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4108	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3132	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3468	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3348	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2012	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3216	2012	schtasks.exe	38

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0002000000022df6-137.dat	dcrat
behavioral1/files/0x0002000000022df6-138.dat	dcrat
behavioral1/memory/436-139-0x00000000000A0000-0x00000000001B0000-memory.dmp	dcrat
behavioral1/files/0x0001000000022e2a-210.dat	dcrat
behavioral1/files/0x0001000000022e2a-211.dat	dcrat
behavioral1/files/0x0001000000022e2a-219.dat	dcrat
behavioral1/files/0x0001000000022e2a-227.dat	dcrat
behavioral1/files/0x0001000000022e2a-234.dat	dcrat
behavioral1/files/0x0001000000022e2a-241.dat	dcrat
behavioral1/files/0x0001000000022e2a-248.dat	dcrat
behavioral1/files/0x0001000000022e2a-255.dat	dcrat
behavioral1/files/0x0001000000022e2a-262.dat	dcrat
behavioral1/files/0x0001000000022e2a-269.dat	dcrat

Executes dropped EXE 10 IoCs

pid	Process
436	DllCommonsvc.exe
5804	fontdrvhost.exe
6024	fontdrvhost.exe
3536	fontdrvhost.exe
1180	fontdrvhost.exe
4772	fontdrvhost.exe
1064	fontdrvhost.exe
384	fontdrvhost.exe
2112	fontdrvhost.exe
4908	fontdrvhost.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	b4103834242cc164c004c18caec7f96b9e21cd32e976a4c19777fea6c9039758.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files\ModifiableWindowsApps\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\SearchApp.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\38384e6a620884	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\taskhostw.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\ea9f0e6c9e2dcd	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\Visualizations\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\Visualizations\24dbde2999530e	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\BitLockerDiscoveryVolumeContents\OfficeClickToRun.exe	DllCommonsvc.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\e6c9b481da804f	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3324	schtasks.exe
4964	schtasks.exe
4668	schtasks.exe
3348	schtasks.exe
2304	schtasks.exe
2744	schtasks.exe
4748	schtasks.exe
1756	schtasks.exe
4812	schtasks.exe
5112	schtasks.exe
3728	schtasks.exe
4108	schtasks.exe
4320	schtasks.exe
4788	schtasks.exe
5060	schtasks.exe
2876	schtasks.exe
3516	schtasks.exe
2116	schtasks.exe
4840	schtasks.exe
2336	schtasks.exe
3216	schtasks.exe
1512	schtasks.exe
408	schtasks.exe
1404	schtasks.exe
4944	schtasks.exe
4920	schtasks.exe
5080	schtasks.exe
1012	schtasks.exe
3468	schtasks.exe
1388	schtasks.exe
3336	schtasks.exe
4364	schtasks.exe
748	schtasks.exe
1132	schtasks.exe
1736	schtasks.exe
2452	schtasks.exe
840	schtasks.exe
3132	schtasks.exe
780	schtasks.exe
4524	schtasks.exe
2516	schtasks.exe
4068	schtasks.exe
1072	schtasks.exe
4908	schtasks.exe
4508	schtasks.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	b4103834242cc164c004c18caec7f96b9e21cd32e976a4c19777fea6c9039758.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	fontdrvhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
436	DllCommonsvc.exe
4116	powershell.exe
4116	powershell.exe
2396	powershell.exe
2396	powershell.exe
4256	powershell.exe
4256	powershell.exe
1884	powershell.exe
1884	powershell.exe
1124	powershell.exe
1124	powershell.exe
2036	powershell.exe
2036	powershell.exe
4312	powershell.exe
4312	powershell.exe
4396	powershell.exe
4396	powershell.exe
3436	powershell.exe
3436	powershell.exe
2600	powershell.exe
2600	powershell.exe
4412	powershell.exe
4412	powershell.exe
648	powershell.exe
648	powershell.exe
1840	powershell.exe
1840	powershell.exe
3740	powershell.exe
3740	powershell.exe
3608	powershell.exe
3608	powershell.exe
3500	powershell.exe
3500	powershell.exe
4116	powershell.exe
4116	powershell.exe
4256	powershell.exe
4256	powershell.exe
2396	powershell.exe
2396	powershell.exe
1884	powershell.exe
1884	powershell.exe
1124	powershell.exe
1124	powershell.exe
2036	powershell.exe
4312	powershell.exe
2036	powershell.exe
4312	powershell.exe
4396	powershell.exe
4396	powershell.exe
3436	powershell.exe
3436	powershell.exe
648	powershell.exe
2600	powershell.exe
4412	powershell.exe
1840	powershell.exe
3740	powershell.exe
3608	powershell.exe
3500	powershell.exe
5804	fontdrvhost.exe
6024	fontdrvhost.exe
3536	fontdrvhost.exe
1180	fontdrvhost.exe
4772	fontdrvhost.exe
1064	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	436	DllCommonsvc.exe
Token: SeDebugPrivilege	4116	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	4256	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	4312	powershell.exe
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	4412	powershell.exe
Token: SeDebugPrivilege	648	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	3740	powershell.exe
Token: SeDebugPrivilege	3608	powershell.exe
Token: SeDebugPrivilege	3500	powershell.exe
Token: SeDebugPrivilege	5804	fontdrvhost.exe
Token: SeDebugPrivilege	6024	fontdrvhost.exe
Token: SeDebugPrivilege	3536	fontdrvhost.exe
Token: SeDebugPrivilege	1180	fontdrvhost.exe
Token: SeDebugPrivilege	4772	fontdrvhost.exe
Token: SeDebugPrivilege	1064	fontdrvhost.exe
Token: SeDebugPrivilege	384	fontdrvhost.exe
Token: SeDebugPrivilege	2112	fontdrvhost.exe
Token: SeDebugPrivilege	4908	fontdrvhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 1660	2804	b4103834242cc164c004c18caec7f96b9e21cd32e976a4c19777fea6c9039758.exe	82
PID 2804 wrote to memory of 1660	2804	b4103834242cc164c004c18caec7f96b9e21cd32e976a4c19777fea6c9039758.exe	82
PID 2804 wrote to memory of 1660	2804	b4103834242cc164c004c18caec7f96b9e21cd32e976a4c19777fea6c9039758.exe	82
PID 1660 wrote to memory of 3652	1660	WScript.exe	86
PID 1660 wrote to memory of 3652	1660	WScript.exe	86
PID 1660 wrote to memory of 3652	1660	WScript.exe	86
PID 3652 wrote to memory of 436	3652	cmd.exe	88
PID 3652 wrote to memory of 436	3652	cmd.exe	88
PID 436 wrote to memory of 2396	436	DllCommonsvc.exe	135
PID 436 wrote to memory of 2396	436	DllCommonsvc.exe	135
PID 436 wrote to memory of 4256	436	DllCommonsvc.exe	137
PID 436 wrote to memory of 4256	436	DllCommonsvc.exe	137
PID 436 wrote to memory of 4116	436	DllCommonsvc.exe	138
PID 436 wrote to memory of 4116	436	DllCommonsvc.exe	138
PID 436 wrote to memory of 1124	436	DllCommonsvc.exe	141
PID 436 wrote to memory of 1124	436	DllCommonsvc.exe	141
PID 436 wrote to memory of 4312	436	DllCommonsvc.exe	142
PID 436 wrote to memory of 4312	436	DllCommonsvc.exe	142
PID 436 wrote to memory of 1884	436	DllCommonsvc.exe	143
PID 436 wrote to memory of 1884	436	DllCommonsvc.exe	143
PID 436 wrote to memory of 2036	436	DllCommonsvc.exe	168
PID 436 wrote to memory of 2036	436	DllCommonsvc.exe	168
PID 436 wrote to memory of 4396	436	DllCommonsvc.exe	146
PID 436 wrote to memory of 4396	436	DllCommonsvc.exe	146
PID 436 wrote to memory of 3436	436	DllCommonsvc.exe	149
PID 436 wrote to memory of 3436	436	DllCommonsvc.exe	149
PID 436 wrote to memory of 2600	436	DllCommonsvc.exe	161
PID 436 wrote to memory of 2600	436	DllCommonsvc.exe	161
PID 436 wrote to memory of 4412	436	DllCommonsvc.exe	153
PID 436 wrote to memory of 4412	436	DllCommonsvc.exe	153
PID 436 wrote to memory of 648	436	DllCommonsvc.exe	159
PID 436 wrote to memory of 648	436	DllCommonsvc.exe	159
PID 436 wrote to memory of 1840	436	DllCommonsvc.exe	155
PID 436 wrote to memory of 1840	436	DllCommonsvc.exe	155
PID 436 wrote to memory of 3740	436	DllCommonsvc.exe	156
PID 436 wrote to memory of 3740	436	DllCommonsvc.exe	156
PID 436 wrote to memory of 3608	436	DllCommonsvc.exe	166
PID 436 wrote to memory of 3608	436	DllCommonsvc.exe	166
PID 436 wrote to memory of 3500	436	DllCommonsvc.exe	163
PID 436 wrote to memory of 3500	436	DllCommonsvc.exe	163
PID 436 wrote to memory of 2992	436	DllCommonsvc.exe	169
PID 436 wrote to memory of 2992	436	DllCommonsvc.exe	169
PID 2992 wrote to memory of 5416	2992	cmd.exe	171
PID 2992 wrote to memory of 5416	2992	cmd.exe	171
PID 2992 wrote to memory of 5804	2992	cmd.exe	173
PID 2992 wrote to memory of 5804	2992	cmd.exe	173
PID 5804 wrote to memory of 5928	5804	fontdrvhost.exe	174
PID 5804 wrote to memory of 5928	5804	fontdrvhost.exe	174
PID 5928 wrote to memory of 5988	5928	cmd.exe	176
PID 5928 wrote to memory of 5988	5928	cmd.exe	176
PID 5928 wrote to memory of 6024	5928	cmd.exe	177
PID 5928 wrote to memory of 6024	5928	cmd.exe	177
PID 6024 wrote to memory of 2116	6024	fontdrvhost.exe	178
PID 6024 wrote to memory of 2116	6024	fontdrvhost.exe	178
PID 2116 wrote to memory of 3824	2116	cmd.exe	180
PID 2116 wrote to memory of 3824	2116	cmd.exe	180
PID 2116 wrote to memory of 3536	2116	cmd.exe	181
PID 2116 wrote to memory of 3536	2116	cmd.exe	181
PID 3536 wrote to memory of 5424	3536	fontdrvhost.exe	182
PID 3536 wrote to memory of 5424	3536	fontdrvhost.exe	182
PID 5424 wrote to memory of 492	5424	cmd.exe	184
PID 5424 wrote to memory of 492	5424	cmd.exe	184
PID 5424 wrote to memory of 1180	5424	cmd.exe	185
PID 5424 wrote to memory of 1180	5424	cmd.exe	185

C:\Users\Admin\AppData\Local\Temp\b4103834242cc164c004c18caec7f96b9e21cd32e976a4c19777fea6c9039758.exe
"C:\Users\Admin\AppData\Local\Temp\b4103834242cc164c004c18caec7f96b9e21cd32e976a4c19777fea6c9039758.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3652
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:436
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\TrustedInstaller.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3436
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Templates\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\SearchApp.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Visualizations\WmiPrvSE.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mxczmenQs7.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2992
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:5416
      - C:\providercommon\fontdrvhost.exe
        
        "C:\providercommon\fontdrvhost.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZZzsG8LzQB.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:5988
        
        C:\providercommon\fontdrvhost.exe
        
        "C:\providercommon\fontdrvhost.exe"
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:6024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F4MZx53eLu.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:3824
        
        C:\providercommon\fontdrvhost.exe
        
        "C:\providercommon\fontdrvhost.exe"
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\19YD2Vui68.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:5424
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:492
        
        C:\providercommon\fontdrvhost.exe
        
        "C:\providercommon\fontdrvhost.exe"
        12⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"
        13⤵
        
        PID:3312
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3124
        
        C:\providercommon\fontdrvhost.exe
        
        "C:\providercommon\fontdrvhost.exe"
        14⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\19YD2Vui68.bat"
        15⤵
        
        PID:232
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:3904
        
        C:\providercommon\fontdrvhost.exe
        
        "C:\providercommon\fontdrvhost.exe"
        16⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtQmBjXbDh.bat"
        17⤵
        
        PID:1208
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:3464
        
        C:\providercommon\fontdrvhost.exe
        
        "C:\providercommon\fontdrvhost.exe"
        18⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3EiKDvRnKw.bat"
        19⤵
        
        PID:5592
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:3752
        
        C:\providercommon\fontdrvhost.exe
        
        "C:\providercommon\fontdrvhost.exe"
        20⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gTQuRhIyam.bat"
        21⤵
        
        PID:3516
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:5308
        
        C:\providercommon\fontdrvhost.exe
        
        "C:\providercommon\fontdrvhost.exe"
        22⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mWzz7cjAeP.bat"
        23⤵
        
        PID:5260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\odt\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 8 /tr "'C:\providercommon\TrustedInstaller.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\providercommon\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 6 /tr "'C:\providercommon\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Templates\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\Templates\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Templates\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\odt\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\providercommon\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\Visualizations\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\Visualizations\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22fbec4acba323d04079a263526cef3c

SHA1
eb8dd0042c6a3f20087a7d2391eaf48121f98740

SHA256
020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

SHA512
fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22fbec4acba323d04079a263526cef3c

SHA1
eb8dd0042c6a3f20087a7d2391eaf48121f98740

SHA256
020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

SHA512
fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22fbec4acba323d04079a263526cef3c

SHA1
eb8dd0042c6a3f20087a7d2391eaf48121f98740

SHA256
020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

SHA512
fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60804e808a88131a5452fed692914a8e

SHA1
fdb74669923b31d573787fe024dbd701fa21bb5b

SHA256
064fdd6e9e6e7f51da354604a56f66217f1edfc12d9bbbaf869a628915a86a61

SHA512
d4f2791433c0bacd8cad57b40fab4a807db4dd74f7c5357d2bce9aaa6544f97667497307d1e0704b98e2c99a94775fbb6ea676685a01578e4d0304f541c9854a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Temp\19YD2Vui68.bat

Filesize
198B

MD5
365d891dbe792ffba686e0c7c3aa539d

SHA1
15c983272baa976a93b37decffe7ba55b908e8a2

SHA256
0bbb68bb27402d34634a12a3b8a38eb9828d67b7c34b70f312e72730b2b3730d

SHA512
144f752b682c2c304df7df8c5879c359edfb03c8313b1f866f6a0a4d04ae19672d2fe157cde0781c4618b9c49fafa64dfda517bbbab915d59e49fd0a58d79e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\19YD2Vui68.bat

Filesize
198B

MD5
365d891dbe792ffba686e0c7c3aa539d

SHA1
15c983272baa976a93b37decffe7ba55b908e8a2

SHA256
0bbb68bb27402d34634a12a3b8a38eb9828d67b7c34b70f312e72730b2b3730d

SHA512
144f752b682c2c304df7df8c5879c359edfb03c8313b1f866f6a0a4d04ae19672d2fe157cde0781c4618b9c49fafa64dfda517bbbab915d59e49fd0a58d79e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\3EiKDvRnKw.bat

Filesize
198B

MD5
c24ab5787f8789a4ef36b9f397841a43

SHA1
d89eeeb71a76364b63369b51162336fc7f496434

SHA256
d189f469d5f54ae12d74bdcb8caa7f782ecd46f7374317cbac6aadd54b8a22c4

SHA512
1ab2bc5608bb128f411bd32c14eaf828c28df660000720ddfa94fe0c9616b9b1e4e66b281f5ca2f6b9fac2c52ee244a6536a8b102de53f56d8a11f10693ecc57

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4MZx53eLu.bat

Filesize
198B

MD5
1f22968f3cbe670ff039fa1dfb19cea1

SHA1
5164dcf7071c9e9d5c46d6f882fc6451275ea2b6

SHA256
2a1c90459fd183bc14909bb847ff9706d264c9932f42897a6c88c545e2c081f5

SHA512
f7fc3d201e8c576d3d681ca785a683131917c82b5b7bc67634d8f814ed859612c65dc83d8dae7bda0d41e9f1bcb8d6ffe49562f41e50791f02e8909e830b8bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat

Filesize
198B

MD5
2885f747e621572332453a14d15e7626

SHA1
af204d0126e74ce728a145b0b8ae065181c42c07

SHA256
1c0b2a2d16b63bfd4f942aa898db84140986902ed2ca6339be120f1934cbcc07

SHA512
c9650eaa3f2e11d7db97eaf3815c46f5c440cf119e2c366301727fbe75088581964aebbcfbc76fe91a5a69e84cf57fc60d64683c5f6de616d26c3906840b47f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WtQmBjXbDh.bat

Filesize
198B

MD5
63008e5eab44a0c0e326e12b682a0f0a

SHA1
d10650a6d735ed89d2160745aa0567d6d3d0e582

SHA256
fb9425f2492d29ef625aede2b240de32fa282a38190ae05d238ee6a61a01b9bf

SHA512
1f8f486c768b2098cb37eced12e1684b6d7bae087963a3b13a4e1a7b55c1616cbd072f84ef474600e5b92df3ca45734ab474a6d8064c4dac47adb78dadf62bfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZZzsG8LzQB.bat

Filesize
198B

MD5
8baa716884ad004c210f297afc5455ed

SHA1
2d307a8e1e7e2d3c9b54af81ce2a65b617bed161

SHA256
7f0d6189f3f2bbd07c6cfc86d7545f0a7bdeff0f6243eef8e9b5af993844057b

SHA512
d565a0334161bbe96922ded64fc8658b03f87aae9375faf93134445c4bdb65e64d70aec0ba388397225bb0a61d778f1dd5eba97a6e27d91714264feeca68f822

Download Submit
C:\Users\Admin\AppData\Local\Temp\gTQuRhIyam.bat

Filesize
198B

MD5
7aac389e7098aec152df281e5adb7542

SHA1
15609d4338d409c9f2e6fea7b5595e9289e006d3

SHA256
b18f5887953872b970cbf4148badbaa3cf1fa6128242cc21548eee4dc01a8f84

SHA512
9aa404480d13bf4741c87db3cbeb718b545e6a51b931c04d04c3816082ed1bf4fdd5045081da05d838a5d8459fac395101ba80f0c88e097fadbe61b89d03d47c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mxczmenQs7.bat

Filesize
198B

MD5
63f51e2c5d08189f9e6550ebb3a7d2a1

SHA1
b405d6b1e13e410b739bb3ba969f0ba4a818fd6f

SHA256
6fc422face249b8dad0baff3308e61daf54bd7a771f6c007110bca942839cb73

SHA512
670136c65a99a27a018ab55df116bbde2b09a7de56fb2263f2ba10694407f02c93209d9f1a03ad71de73a5085bf1a294d652c57fe00677547581ea78f8237132

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/384-256-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/384-260-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/436-165-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/436-140-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/436-139-0x00000000000A0000-0x00000000001B0000-memory.dmp

Filesize
1.1MB

Download
memory/648-195-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/648-170-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/1064-249-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/1064-253-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/1124-189-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/1124-162-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/1180-239-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/1180-235-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/1840-200-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/1840-174-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/1884-182-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/1884-163-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/2036-166-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/2036-192-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/2112-265-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/2112-263-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/2396-157-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/2396-184-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/2600-198-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/2600-169-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/3436-168-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/3436-207-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/3500-177-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/3500-208-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/3536-232-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/3536-228-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/3608-171-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/3608-205-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/3740-176-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/3740-204-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/4116-160-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/4116-154-0x000001837AD10000-0x000001837AD32000-memory.dmp

Filesize
136KB

Download
memory/4116-217-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/4256-159-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/4256-183-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/4312-191-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/4312-164-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/4396-190-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/4396-167-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/4412-173-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/4412-196-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/4772-242-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/4772-246-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/4908-270-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/5804-212-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/5804-216-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/6024-221-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download
memory/6024-225-0x00007FF860CE0000-0x00007FF8617A1000-memory.dmp

Filesize
10.8MB

Download