dcrat | 0eee265aaed82774f8218eff8d1e1c2c8d5ade8eb9e8522cdb2b735f37f9d17f

Analysis

max time kernel
148s
max time network
150s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
31-10-2022 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0eee265aaed82774f8218eff8d1e1c2c8d5ade8eb9e8522cdb2b735f37f9d17f.exe
Size

1.3MB
MD5

5c1aa1857c03ed166419128f249ed054
SHA1

0baa09c02db9de2ef3a6748249d5545ba3fc60ce
SHA256

0eee265aaed82774f8218eff8d1e1c2c8d5ade8eb9e8522cdb2b735f37f9d17f
SHA512

251e4797f56453d3e5764607936bc9b53f2206d6f04ad4f9ccc81dc68d084dd85ff3aa59d6f74cde4b9866e47ed001ec01fffac458ddaa6c4611953c2cc2f59d
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3308	4944	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	4944	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	4944	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3332	4944	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	4944	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	4944	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	4944	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	4944	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	4944	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	4944	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	4944	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4128	4944	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	4944	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	4944	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	4944	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	4944	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	4944	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	4944	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	4944	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	4944	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	4944	schtasks.exe	70

DCRat payload 16 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001ac1e-284.dat	dcrat
behavioral1/files/0x000800000001ac1e-285.dat	dcrat
behavioral1/memory/4236-286-0x0000000000650000-0x0000000000760000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac28-315.dat	dcrat
behavioral1/files/0x000600000001ac28-316.dat	dcrat
behavioral1/files/0x000600000001ac28-597.dat	dcrat
behavioral1/files/0x000600000001ac28-603.dat	dcrat
behavioral1/files/0x000600000001ac28-608.dat	dcrat
behavioral1/files/0x000600000001ac28-614.dat	dcrat
behavioral1/files/0x000600000001ac28-619.dat	dcrat
behavioral1/files/0x000600000001ac28-624.dat	dcrat
behavioral1/files/0x000600000001ac28-630.dat	dcrat
behavioral1/files/0x000600000001ac28-636.dat	dcrat
behavioral1/files/0x000600000001ac28-641.dat	dcrat
behavioral1/files/0x000600000001ac28-647.dat	dcrat
behavioral1/files/0x000600000001ac28-652.dat	dcrat

Executes dropped EXE 13 IoCs

pid	Process
4236	DllCommonsvc.exe
872	fontdrvhost.exe
1380	fontdrvhost.exe
4204	fontdrvhost.exe
1008	fontdrvhost.exe
3220	fontdrvhost.exe
4484	fontdrvhost.exe
3824	fontdrvhost.exe
1692	fontdrvhost.exe
4660	fontdrvhost.exe
5048	fontdrvhost.exe
4560	fontdrvhost.exe
524	fontdrvhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\ShellExperienceHost.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\f8c8f1285d826b	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SchCache\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\diagnostics\sihost.exe	DllCommonsvc.exe
File created	C:\Windows\SchCache\conhost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4124	schtasks.exe
5056	schtasks.exe
4728	schtasks.exe
4964	schtasks.exe
4968	schtasks.exe
664	schtasks.exe
1776	schtasks.exe
5104	schtasks.exe
5068	schtasks.exe
5116	schtasks.exe
5040	schtasks.exe
5052	schtasks.exe
3308	schtasks.exe
3332	schtasks.exe
4424	schtasks.exe
1756	schtasks.exe
4500	schtasks.exe
4128	schtasks.exe
5004	schtasks.exe
4996	schtasks.exe
5020	schtasks.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	0eee265aaed82774f8218eff8d1e1c2c8d5ade8eb9e8522cdb2b735f37f9d17f.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	fontdrvhost.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
4236	DllCommonsvc.exe
4236	DllCommonsvc.exe
4236	DllCommonsvc.exe
4236	DllCommonsvc.exe
4236	DllCommonsvc.exe
4236	DllCommonsvc.exe
4236	DllCommonsvc.exe
4236	DllCommonsvc.exe
4236	DllCommonsvc.exe
532	powershell.exe
3692	powershell.exe
3784	powershell.exe
1184	powershell.exe
532	powershell.exe
1836	powershell.exe
1152	powershell.exe
392	powershell.exe
304	powershell.exe
1836	powershell.exe
872	fontdrvhost.exe
532	powershell.exe
3784	powershell.exe
3692	powershell.exe
1184	powershell.exe
304	powershell.exe
1152	powershell.exe
1836	powershell.exe
392	powershell.exe
3784	powershell.exe
3692	powershell.exe
392	powershell.exe
304	powershell.exe
1184	powershell.exe
1152	powershell.exe
1380	fontdrvhost.exe
4204	fontdrvhost.exe
1008	fontdrvhost.exe
3220	fontdrvhost.exe
4484	fontdrvhost.exe
3824	fontdrvhost.exe
1692	fontdrvhost.exe
4660	fontdrvhost.exe
5048	fontdrvhost.exe
4560	fontdrvhost.exe
524	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4236	DllCommonsvc.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	3692	powershell.exe
Token: SeDebugPrivilege	872	fontdrvhost.exe
Token: SeDebugPrivilege	3784	powershell.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	392	powershell.exe
Token: SeDebugPrivilege	304	powershell.exe
Token: SeIncreaseQuotaPrivilege	532	powershell.exe
Token: SeSecurityPrivilege	532	powershell.exe
Token: SeTakeOwnershipPrivilege	532	powershell.exe
Token: SeLoadDriverPrivilege	532	powershell.exe
Token: SeSystemProfilePrivilege	532	powershell.exe
Token: SeSystemtimePrivilege	532	powershell.exe
Token: SeProfSingleProcessPrivilege	532	powershell.exe
Token: SeIncBasePriorityPrivilege	532	powershell.exe
Token: SeCreatePagefilePrivilege	532	powershell.exe
Token: SeBackupPrivilege	532	powershell.exe
Token: SeRestorePrivilege	532	powershell.exe
Token: SeShutdownPrivilege	532	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeSystemEnvironmentPrivilege	532	powershell.exe
Token: SeRemoteShutdownPrivilege	532	powershell.exe
Token: SeUndockPrivilege	532	powershell.exe
Token: SeManageVolumePrivilege	532	powershell.exe
Token: 33	532	powershell.exe
Token: 34	532	powershell.exe
Token: 35	532	powershell.exe
Token: 36	532	powershell.exe
Token: SeIncreaseQuotaPrivilege	1836	powershell.exe
Token: SeSecurityPrivilege	1836	powershell.exe
Token: SeTakeOwnershipPrivilege	1836	powershell.exe
Token: SeLoadDriverPrivilege	1836	powershell.exe
Token: SeSystemProfilePrivilege	1836	powershell.exe
Token: SeSystemtimePrivilege	1836	powershell.exe
Token: SeProfSingleProcessPrivilege	1836	powershell.exe
Token: SeIncBasePriorityPrivilege	1836	powershell.exe
Token: SeCreatePagefilePrivilege	1836	powershell.exe
Token: SeBackupPrivilege	1836	powershell.exe
Token: SeRestorePrivilege	1836	powershell.exe
Token: SeShutdownPrivilege	1836	powershell.exe
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeSystemEnvironmentPrivilege	1836	powershell.exe
Token: SeRemoteShutdownPrivilege	1836	powershell.exe
Token: SeUndockPrivilege	1836	powershell.exe
Token: SeManageVolumePrivilege	1836	powershell.exe
Token: 33	1836	powershell.exe
Token: 34	1836	powershell.exe
Token: 35	1836	powershell.exe
Token: 36	1836	powershell.exe
Token: SeIncreaseQuotaPrivilege	3784	powershell.exe
Token: SeSecurityPrivilege	3784	powershell.exe
Token: SeTakeOwnershipPrivilege	3784	powershell.exe
Token: SeLoadDriverPrivilege	3784	powershell.exe
Token: SeSystemProfilePrivilege	3784	powershell.exe
Token: SeSystemtimePrivilege	3784	powershell.exe
Token: SeProfSingleProcessPrivilege	3784	powershell.exe
Token: SeIncBasePriorityPrivilege	3784	powershell.exe
Token: SeCreatePagefilePrivilege	3784	powershell.exe
Token: SeBackupPrivilege	3784	powershell.exe
Token: SeRestorePrivilege	3784	powershell.exe
Token: SeShutdownPrivilege	3784	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2632	2760	0eee265aaed82774f8218eff8d1e1c2c8d5ade8eb9e8522cdb2b735f37f9d17f.exe	66
PID 2760 wrote to memory of 2632	2760	0eee265aaed82774f8218eff8d1e1c2c8d5ade8eb9e8522cdb2b735f37f9d17f.exe	66
PID 2760 wrote to memory of 2632	2760	0eee265aaed82774f8218eff8d1e1c2c8d5ade8eb9e8522cdb2b735f37f9d17f.exe	66
PID 2632 wrote to memory of 4824	2632	WScript.exe	67
PID 2632 wrote to memory of 4824	2632	WScript.exe	67
PID 2632 wrote to memory of 4824	2632	WScript.exe	67
PID 4824 wrote to memory of 4236	4824	cmd.exe	69
PID 4824 wrote to memory of 4236	4824	cmd.exe	69
PID 4236 wrote to memory of 532	4236	DllCommonsvc.exe	92
PID 4236 wrote to memory of 532	4236	DllCommonsvc.exe	92
PID 4236 wrote to memory of 3692	4236	DllCommonsvc.exe	93
PID 4236 wrote to memory of 3692	4236	DllCommonsvc.exe	93
PID 4236 wrote to memory of 3784	4236	DllCommonsvc.exe	95
PID 4236 wrote to memory of 3784	4236	DllCommonsvc.exe	95
PID 4236 wrote to memory of 1184	4236	DllCommonsvc.exe	96
PID 4236 wrote to memory of 1184	4236	DllCommonsvc.exe	96
PID 4236 wrote to memory of 1836	4236	DllCommonsvc.exe	104
PID 4236 wrote to memory of 1836	4236	DllCommonsvc.exe	104
PID 4236 wrote to memory of 1152	4236	DllCommonsvc.exe	102
PID 4236 wrote to memory of 1152	4236	DllCommonsvc.exe	102
PID 4236 wrote to memory of 392	4236	DllCommonsvc.exe	97
PID 4236 wrote to memory of 392	4236	DllCommonsvc.exe	97
PID 4236 wrote to memory of 304	4236	DllCommonsvc.exe	98
PID 4236 wrote to memory of 304	4236	DllCommonsvc.exe	98
PID 4236 wrote to memory of 872	4236	DllCommonsvc.exe	108
PID 4236 wrote to memory of 872	4236	DllCommonsvc.exe	108
PID 872 wrote to memory of 3240	872	fontdrvhost.exe	110
PID 872 wrote to memory of 3240	872	fontdrvhost.exe	110
PID 3240 wrote to memory of 2776	3240	cmd.exe	112
PID 3240 wrote to memory of 2776	3240	cmd.exe	112
PID 3240 wrote to memory of 1380	3240	cmd.exe	113
PID 3240 wrote to memory of 1380	3240	cmd.exe	113
PID 1380 wrote to memory of 3236	1380	fontdrvhost.exe	114
PID 1380 wrote to memory of 3236	1380	fontdrvhost.exe	114
PID 3236 wrote to memory of 5036	3236	cmd.exe	116
PID 3236 wrote to memory of 5036	3236	cmd.exe	116
PID 3236 wrote to memory of 4204	3236	cmd.exe	117
PID 3236 wrote to memory of 4204	3236	cmd.exe	117
PID 4204 wrote to memory of 1612	4204	fontdrvhost.exe	118
PID 4204 wrote to memory of 1612	4204	fontdrvhost.exe	118
PID 1612 wrote to memory of 2704	1612	cmd.exe	120
PID 1612 wrote to memory of 2704	1612	cmd.exe	120
PID 1612 wrote to memory of 1008	1612	cmd.exe	121
PID 1612 wrote to memory of 1008	1612	cmd.exe	121
PID 1008 wrote to memory of 4644	1008	fontdrvhost.exe	122
PID 1008 wrote to memory of 4644	1008	fontdrvhost.exe	122
PID 4644 wrote to memory of 3092	4644	cmd.exe	124
PID 4644 wrote to memory of 3092	4644	cmd.exe	124
PID 4644 wrote to memory of 3220	4644	cmd.exe	125
PID 4644 wrote to memory of 3220	4644	cmd.exe	125
PID 3220 wrote to memory of 2752	3220	fontdrvhost.exe	126
PID 3220 wrote to memory of 2752	3220	fontdrvhost.exe	126
PID 2752 wrote to memory of 4928	2752	cmd.exe	128
PID 2752 wrote to memory of 4928	2752	cmd.exe	128
PID 2752 wrote to memory of 4484	2752	cmd.exe	129
PID 2752 wrote to memory of 4484	2752	cmd.exe	129
PID 4484 wrote to memory of 1304	4484	fontdrvhost.exe	130
PID 4484 wrote to memory of 1304	4484	fontdrvhost.exe	130
PID 1304 wrote to memory of 2204	1304	cmd.exe	132
PID 1304 wrote to memory of 2204	1304	cmd.exe	132
PID 1304 wrote to memory of 3824	1304	cmd.exe	133
PID 1304 wrote to memory of 3824	1304	cmd.exe	133
PID 3824 wrote to memory of 828	3824	fontdrvhost.exe	134
PID 3824 wrote to memory of 828	3824	fontdrvhost.exe	134

C:\Users\Admin\AppData\Local\Temp\0eee265aaed82774f8218eff8d1e1c2c8d5ade8eb9e8522cdb2b735f37f9d17f.exe
"C:\Users\Admin\AppData\Local\Temp\0eee265aaed82774f8218eff8d1e1c2c8d5ade8eb9e8522cdb2b735f37f9d17f.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4824
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:532
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1184
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\ShellExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Start Menu\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\ShellExperienceHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
    - - C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe
        
        "C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:872
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pI0EcicZAo.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2776
        
        C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe
        
        "C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sPXGbYzrvf.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:5036
        
        C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe
        
        "C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eON2Ze4cSc.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2704
        
        C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe
        
        "C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BjebbrynYr.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4644
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:3092
        
        C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe
        
        "C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DegeIw2hse.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:4928
        
        C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe
        
        "C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2204
        
        C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe
        
        "C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gSW9k5bhgR.bat"
        18⤵
        
        PID:828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1756
        
        C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe
        
        "C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p9sA7N8NGm.bat"
        20⤵
        
        PID:4016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2132
        
        C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe
        
        "C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IxigaWiN4Z.bat"
        22⤵
        
        PID:2816
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1856
        
        C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe
        
        "C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5048
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDq7RH5Uwz.bat"
        24⤵
        
        PID:1216
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:3740
        
        C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe
        
        "C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat"
        26⤵
        
        PID:4916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:636
        
        C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe
        
        "C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\odt\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\odt\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Start Menu\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Start Menu\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\SchCache\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\SchCache\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\SchCache\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Program Files (x86)\Windows Defender\it-IT\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d2ae34a9e66ea27023c3b5ea4ecd5254

SHA1
24a20a2e6a258c7c1142ed3f157ee09b68d07aa0

SHA256
407285f763d6bfef0d4a046e008b035e9e567670668434c76f89de852dbf4dca

SHA512
81c7440db9a1f0754224252bab062cfea6c4072f1368685e9e60f983fa3c6d20132799c76f280350a3ce0fc38a993a60e7b5ce997654a6c7ecf7aa872164e282

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d2ae34a9e66ea27023c3b5ea4ecd5254

SHA1
24a20a2e6a258c7c1142ed3f157ee09b68d07aa0

SHA256
407285f763d6bfef0d4a046e008b035e9e567670668434c76f89de852dbf4dca

SHA512
81c7440db9a1f0754224252bab062cfea6c4072f1368685e9e60f983fa3c6d20132799c76f280350a3ce0fc38a993a60e7b5ce997654a6c7ecf7aa872164e282

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
48c1cad316c326aba61b236600ea5501

SHA1
259346adef54e5228603572148aec6fc954c87db

SHA256
25318b64ea3d84e8e83af22a36753c168d62c811826597ef531fd7edbe8382f0

SHA512
d44dbb26adbb5e3dcd5e0bdb4ab46672f76a1b582f6669a0077828c6af425db0514c0fb49eba9ea3039dcb03e423be914379e0dfe2f0a1ea634ef942539718eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c6e1c5dc5e168fd42e34e7c705fb2490

SHA1
e370d156a5cd38e6651a39e6c599a8e4e6189b2c

SHA256
1ad9b4e57847089120a3dcff4a6f9965c638e41c361b6f2706006def4c533954

SHA512
b641f14bb0862331353ec2113975148d7192ffc72697d97b20fd64e33dc0b96ef7a09e95992fe4240e27cf8f61b13b7140c44713d3e7fe8b3aaa6bdf25e72d08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
33fad9ce921e0e884ecd9180e9f3b626

SHA1
823dcb3c1b590ef2e054b943e8232483189b1268

SHA256
790a0ce48cd8e047768b7776e18ddd66e31499111ba524739cdd4eadfdf37b97

SHA512
1959a9c83958e572b4e5b1b4df84d6712b2d23bb02acb08d61274304059f71474f213ceabcadde77250b0b9c4e2b86800bbfd58b33be22f0a95abfb9e4d071ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9b50bf845723f3143e335dd6f3419a90

SHA1
4a3f3550eb723d6cfdba4367066293d6a70c284d

SHA256
1187b8a1f7bc594f57fc8b9e8106c719f8849318b80decfec1eafcbf30123d7a

SHA512
672a2c7ed0aca0a8de0eadaac270e95e565d9025f840cf30aaad58ebf072264cc1c1c25b06652d6e9a8759c6062e05d914db3d747068a7c629405e5e225a6e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\BjebbrynYr.bat

Filesize
226B

MD5
b3a4bd50d381799a3d0e996706e19071

SHA1
4301c8bf202cb577706564fe4cd61268298f6e01

SHA256
17d6d2b7cd3d444fc03c30ae6c951910d5ed99842444f0f73285f4b5282eed22

SHA512
ff5c2ba6ea24c26adc88f06fea4dd6fe3aa466884276a9f31418743584944c0773a366c8aab8ddfaf58a32d2b51f895181d18680ad6d5860ee0ca12bc6e94bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DegeIw2hse.bat

Filesize
226B

MD5
8bdd59e6b6ff328280476a199619b382

SHA1
8019694c9810d9195baa65f0ef6837ffccba1b71

SHA256
6da96665d7c76d95f692af590ca3d384939861c165f21dfbac15879955a47486

SHA512
e9bb56fbfa70279457b4a48001a12279a22778109ab7d46763da6d884218665c6843ebde3dbebfa87175c9e2ffddc0b7116bfa4cdb24fc255501e417253cc368

Download Submit
C:\Users\Admin\AppData\Local\Temp\IxigaWiN4Z.bat

Filesize
226B

MD5
575b454af64555dce4325110e8945a00

SHA1
e315cb8c3875d1f28b74f5d51d175a142df05a01

SHA256
02cab2d385c73f21a28057a394f87171337df232ab992b045863dce15f19a8a8

SHA512
4bc75de7beef7df9194932e9ae2add0047cf8181ff022c3dae6244a67cdb81e887b4b483d7b7cc71c745dadd7a98b3ba9905808f177e87cbd44971bda0c2d634

Download Submit
C:\Users\Admin\AppData\Local\Temp\eON2Ze4cSc.bat

Filesize
226B

MD5
626501485744a6a387797eb9fad7a4e3

SHA1
c52465dcda17279cb2290f30707ad9b6b88618ea

SHA256
efb8d56b2ee3fcd2f8e1aa5c99118bbd8dbc99e01c8dcb20caa797c9fac7bccc

SHA512
f047211df202312c42c016f02e99b5f457b5cdb36223d5c97a8aa588003440809c2ce67de507c8f159fb4160f8c94b27a3d40a0bfdfc91a3e7b9ecf2f2f04a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\gSW9k5bhgR.bat

Filesize
226B

MD5
fe87d4b5f5c1029d92e744b53f97b35e

SHA1
7dccfc4363486c360e4d7d9aefc3b712dd5d4511

SHA256
b58bc70558c95bcc850be9980283c46970fa58f24a616974b9e6ab4e9c54b272

SHA512
c4eda77c450a03836eebbe8370d8fa3775a86cf25aef67fd4509077aef8490ca488e116c766ed2044f3c4555bce75c6fbc48b2331e0c29c41a746fd954dd3a6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat

Filesize
226B

MD5
acf979b872621a6d388173ca6b52f073

SHA1
a6e847b371581b8ac9c8c97646f99daebdf0b445

SHA256
b73f82161fba01d5d162736f5f67d5ef0bcf828c5206520d04184bebcd6f2f73

SHA512
47516e4301b36304ea1202c1cd271cb4fe73aec22c9368cef45994fc85a8881d2522c8a0d3c72fe0afecdec0b9440e516bda7a779f9ae95971573ad0ca515593

Download Submit
C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat

Filesize
226B

MD5
acf979b872621a6d388173ca6b52f073

SHA1
a6e847b371581b8ac9c8c97646f99daebdf0b445

SHA256
b73f82161fba01d5d162736f5f67d5ef0bcf828c5206520d04184bebcd6f2f73

SHA512
47516e4301b36304ea1202c1cd271cb4fe73aec22c9368cef45994fc85a8881d2522c8a0d3c72fe0afecdec0b9440e516bda7a779f9ae95971573ad0ca515593

Download Submit
C:\Users\Admin\AppData\Local\Temp\nDq7RH5Uwz.bat

Filesize
226B

MD5
aeb11c8377d029cbbce7c944e420719e

SHA1
53c4aefb2505b09bc3a028aee8511757aae7cf6b

SHA256
48be994598740b495ac30bc72a4a4a14935dd6547ea9ad2ff309685f494d9456

SHA512
4d3b9dfb79aae07bd539d6b0ff3b1027c508b073b06880a809d8b1ba6eb78408ce01e692b088286a575868e8adc06aacffa9e23fefd0b650a0f907d5cf28462b

Download Submit
C:\Users\Admin\AppData\Local\Temp\p9sA7N8NGm.bat

Filesize
226B

MD5
65d55c3bd5865e276803d9166d8d077d

SHA1
90f91a8b3d64b3413af429a6d93787540053b115

SHA256
4a14fd2c99e320c1a177484f634505f6b65bbf7b4a2388e46d6de961424e66a4

SHA512
cca4d73e8369bccae3d1e12ae9d4c7c3da8f66224aad4f46f7634fc634a9b26d3a821908e7b1f838d4615e059481d41dc540abc8a2255bf35d49450bb23a766f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pI0EcicZAo.bat

Filesize
226B

MD5
e1fdc7f5266ec379b833a84f255356bb

SHA1
ace7cc0f5ed75803089c7794f989745a9abea90a

SHA256
03df46f1f2af2727f0f8a99e9ff750c8d5773bf7c2d7ea22676682af7ab3d429

SHA512
5c5f108685d747918b670f44140768f944723661319615bef505bae0e80957fb4a7049e416b502dab3b99248874989f2a37fba147ed35ce84801d7d885a72f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\sPXGbYzrvf.bat

Filesize
226B

MD5
53a171cd82d451f836bf32d7d3c0bcad

SHA1
95cceb2e9c592e0c17ee7f4bfa74506134b5765d

SHA256
c3a1872e3f5237c085962d26105727e1eff0721dcbe262c87af2539b9080629a

SHA512
0305ed80e70465c5be1eb43d3fb874bdc7cd20f39c18d1f35c21a28eed02917bbf20739099be31add42b81326c1b16cdcaf1ccc086b24f92a9c70d90bdcd3edb

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/532-342-0x00000147FB670000-0x00000147FB692000-memory.dmp

Filesize
136KB

Download
memory/532-347-0x00000147FB7A0000-0x00000147FB816000-memory.dmp

Filesize
472KB

Download
memory/872-344-0x0000000000D70000-0x0000000000D82000-memory.dmp

Filesize
72KB

Download
memory/1008-609-0x0000000000980000-0x0000000000992000-memory.dmp

Filesize
72KB

Download
memory/1692-631-0x0000000000C60000-0x0000000000C72000-memory.dmp

Filesize
72KB

Download
memory/2632-185-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2632-186-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-148-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-174-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-121-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-157-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-156-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-161-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-162-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-122-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-123-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-125-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-158-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-159-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-155-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-120-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-183-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-182-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-163-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-126-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-181-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-154-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-153-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-180-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-179-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-178-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-128-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-152-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-164-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-151-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-150-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-149-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-160-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-147-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-146-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-145-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-144-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-143-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-177-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-129-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-165-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-142-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-130-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-141-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-176-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-140-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-175-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-166-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-139-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-172-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-132-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-167-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-138-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-168-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-137-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-173-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-136-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-131-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-169-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-135-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-171-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-134-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-170-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/2760-133-0x00000000771E0000-0x000000007736E000-memory.dmp

Filesize
1.6MB

Download
memory/3824-625-0x0000000000DB0000-0x0000000000DC2000-memory.dmp

Filesize
72KB

Download
memory/4236-290-0x0000000000CB0000-0x0000000000CBC000-memory.dmp

Filesize
48KB

Download
memory/4236-289-0x0000000002800000-0x000000000280C000-memory.dmp

Filesize
48KB

Download
memory/4236-286-0x0000000000650000-0x0000000000760000-memory.dmp

Filesize
1.1MB

Download
memory/4236-287-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/4236-288-0x0000000000CA0000-0x0000000000CAC000-memory.dmp

Filesize
48KB

Download
memory/5048-642-0x00000000016A0000-0x00000000016B2000-memory.dmp

Filesize
72KB

Download