dcrat | e2a786fa7797dd350639ec29f26b554bedf3c6f66b7e61bfb5baf7bd092b1fe2

Analysis

max time kernel
145s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2022, 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2a786fa7797dd350639ec29f26b554bedf3c6f66b7e61bfb5baf7bd092b1fe2.exe
Size

1.3MB
MD5

91872ad29bda696ae43d27bdbad786c4
SHA1

ba9ae1ff9517a41c651de6eb1274dfb66a927a90
SHA256

e2a786fa7797dd350639ec29f26b554bedf3c6f66b7e61bfb5baf7bd092b1fe2
SHA512

e8b8d13898ee8a979108e268e7c15984fd0858ea49f46fb559c0573bbb7b8c9b525b7c4f98faba688b5d2486f2eb2affcfa891e0afb4edfe0f7e7dcc8e096df3
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	3924	schtasks.exe	46
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	3924	schtasks.exe	46
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	3924	schtasks.exe	46
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	3924	schtasks.exe	46
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	3924	schtasks.exe	46
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	3924	schtasks.exe	46
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	3924	schtasks.exe	46
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	3924	schtasks.exe	46
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	3924	schtasks.exe	46
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3548	3924	schtasks.exe	46
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	3924	schtasks.exe	46
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3860	3924	schtasks.exe	46
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3500	3924	schtasks.exe	46
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	3924	schtasks.exe	46
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4180	3924	schtasks.exe	46
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	3924	schtasks.exe	46
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	3924	schtasks.exe	46
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	3924	schtasks.exe	46
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	3924	schtasks.exe	46
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	3924	schtasks.exe	46
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	3924	schtasks.exe	46

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0001000000022e03-137.dat	dcrat
behavioral1/files/0x0001000000022e03-138.dat	dcrat
behavioral1/memory/3032-139-0x00000000006A0000-0x00000000007B0000-memory.dmp	dcrat
behavioral1/files/0x0001000000022e0b-179.dat	dcrat
behavioral1/files/0x0001000000022e0b-180.dat	dcrat
behavioral1/files/0x0001000000022e0b-187.dat	dcrat
behavioral1/files/0x0001000000022e0b-195.dat	dcrat
behavioral1/files/0x0001000000022e0b-202.dat	dcrat
behavioral1/files/0x0001000000022e0b-209.dat	dcrat
behavioral1/files/0x0001000000022e0b-216.dat	dcrat
behavioral1/files/0x0001000000022e0b-223.dat	dcrat
behavioral1/files/0x0001000000022e0b-230.dat	dcrat
behavioral1/files/0x0001000000022e0b-237.dat	dcrat
behavioral1/files/0x0001000000022e0b-244.dat	dcrat
behavioral1/files/0x0001000000022e0b-251.dat	dcrat

Executes dropped EXE 12 IoCs

pid	Process
3032	DllCommonsvc.exe
3112	fontdrvhost.exe
3556	fontdrvhost.exe
424	fontdrvhost.exe
3504	fontdrvhost.exe
1960	fontdrvhost.exe
3636	fontdrvhost.exe
4720	fontdrvhost.exe
2712	fontdrvhost.exe
2856	fontdrvhost.exe
4796	fontdrvhost.exe
4372	fontdrvhost.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	e2a786fa7797dd350639ec29f26b554bedf3c6f66b7e61bfb5baf7bd092b1fe2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\System\Ole DB\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Policies\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Policies\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\69ddcba757bf72	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4680	schtasks.exe
3548	schtasks.exe
1512	schtasks.exe
3136	schtasks.exe
4392	schtasks.exe
2372	schtasks.exe
1580	schtasks.exe
4708	schtasks.exe
4180	schtasks.exe
2276	schtasks.exe
2192	schtasks.exe
2784	schtasks.exe
1236	schtasks.exe
4576	schtasks.exe
4464	schtasks.exe
5088	schtasks.exe
3860	schtasks.exe
3500	schtasks.exe
4496	schtasks.exe
4208	schtasks.exe
3564	schtasks.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	e2a786fa7797dd350639ec29f26b554bedf3c6f66b7e61bfb5baf7bd092b1fe2.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	fontdrvhost.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3032	DllCommonsvc.exe
3032	DllCommonsvc.exe
3032	DllCommonsvc.exe
3032	DllCommonsvc.exe
3032	DllCommonsvc.exe
3032	DllCommonsvc.exe
3032	DllCommonsvc.exe
3032	DllCommonsvc.exe
3032	DllCommonsvc.exe
3032	DllCommonsvc.exe
3032	DllCommonsvc.exe
3032	DllCommonsvc.exe
3032	DllCommonsvc.exe
3904	powershell.exe
3904	powershell.exe
952	powershell.exe
952	powershell.exe
2960	powershell.exe
2960	powershell.exe
2492	powershell.exe
2492	powershell.exe
1868	powershell.exe
1868	powershell.exe
2112	powershell.exe
2112	powershell.exe
3636	powershell.exe
3636	powershell.exe
1468	powershell.exe
1468	powershell.exe
952	powershell.exe
2960	powershell.exe
3904	powershell.exe
2492	powershell.exe
1868	powershell.exe
2112	powershell.exe
3636	powershell.exe
1468	powershell.exe
3112	fontdrvhost.exe
3556	fontdrvhost.exe
424	fontdrvhost.exe
3504	fontdrvhost.exe
1960	fontdrvhost.exe
3636	fontdrvhost.exe
4720	fontdrvhost.exe
2712	fontdrvhost.exe
2856	fontdrvhost.exe
4796	fontdrvhost.exe
4372	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	DllCommonsvc.exe
Token: SeDebugPrivilege	3904	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	3636	powershell.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	3112	fontdrvhost.exe
Token: SeDebugPrivilege	3556	fontdrvhost.exe
Token: SeDebugPrivilege	424	fontdrvhost.exe
Token: SeDebugPrivilege	3504	fontdrvhost.exe
Token: SeDebugPrivilege	1960	fontdrvhost.exe
Token: SeDebugPrivilege	3636	fontdrvhost.exe
Token: SeDebugPrivilege	4720	fontdrvhost.exe
Token: SeDebugPrivilege	2712	fontdrvhost.exe
Token: SeDebugPrivilege	2856	fontdrvhost.exe
Token: SeDebugPrivilege	4796	fontdrvhost.exe
Token: SeDebugPrivilege	4372	fontdrvhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3248 wrote to memory of 452	3248	e2a786fa7797dd350639ec29f26b554bedf3c6f66b7e61bfb5baf7bd092b1fe2.exe	82
PID 3248 wrote to memory of 452	3248	e2a786fa7797dd350639ec29f26b554bedf3c6f66b7e61bfb5baf7bd092b1fe2.exe	82
PID 3248 wrote to memory of 452	3248	e2a786fa7797dd350639ec29f26b554bedf3c6f66b7e61bfb5baf7bd092b1fe2.exe	82
PID 452 wrote to memory of 3836	452	WScript.exe	86
PID 452 wrote to memory of 3836	452	WScript.exe	86
PID 452 wrote to memory of 3836	452	WScript.exe	86
PID 3836 wrote to memory of 3032	3836	cmd.exe	88
PID 3836 wrote to memory of 3032	3836	cmd.exe	88
PID 3032 wrote to memory of 3904	3032	DllCommonsvc.exe	111
PID 3032 wrote to memory of 3904	3032	DllCommonsvc.exe	111
PID 3032 wrote to memory of 2960	3032	DllCommonsvc.exe	112
PID 3032 wrote to memory of 2960	3032	DllCommonsvc.exe	112
PID 3032 wrote to memory of 952	3032	DllCommonsvc.exe	123
PID 3032 wrote to memory of 952	3032	DllCommonsvc.exe	123
PID 3032 wrote to memory of 1868	3032	DllCommonsvc.exe	113
PID 3032 wrote to memory of 1868	3032	DllCommonsvc.exe	113
PID 3032 wrote to memory of 2492	3032	DllCommonsvc.exe	114
PID 3032 wrote to memory of 2492	3032	DllCommonsvc.exe	114
PID 3032 wrote to memory of 2112	3032	DllCommonsvc.exe	116
PID 3032 wrote to memory of 2112	3032	DllCommonsvc.exe	116
PID 3032 wrote to memory of 3636	3032	DllCommonsvc.exe	117
PID 3032 wrote to memory of 3636	3032	DllCommonsvc.exe	117
PID 3032 wrote to memory of 1468	3032	DllCommonsvc.exe	118
PID 3032 wrote to memory of 1468	3032	DllCommonsvc.exe	118
PID 3032 wrote to memory of 4848	3032	DllCommonsvc.exe	128
PID 3032 wrote to memory of 4848	3032	DllCommonsvc.exe	128
PID 4848 wrote to memory of 4720	4848	cmd.exe	129
PID 4848 wrote to memory of 4720	4848	cmd.exe	129
PID 4848 wrote to memory of 3112	4848	cmd.exe	132
PID 4848 wrote to memory of 3112	4848	cmd.exe	132
PID 3112 wrote to memory of 4072	3112	fontdrvhost.exe	133
PID 3112 wrote to memory of 4072	3112	fontdrvhost.exe	133
PID 4072 wrote to memory of 1212	4072	cmd.exe	135
PID 4072 wrote to memory of 1212	4072	cmd.exe	135
PID 4072 wrote to memory of 3556	4072	cmd.exe	137
PID 4072 wrote to memory of 3556	4072	cmd.exe	137
PID 3556 wrote to memory of 3088	3556	fontdrvhost.exe	138
PID 3556 wrote to memory of 3088	3556	fontdrvhost.exe	138
PID 3088 wrote to memory of 3584	3088	cmd.exe	140
PID 3088 wrote to memory of 3584	3088	cmd.exe	140
PID 3088 wrote to memory of 424	3088	cmd.exe	141
PID 3088 wrote to memory of 424	3088	cmd.exe	141
PID 424 wrote to memory of 4860	424	fontdrvhost.exe	142
PID 424 wrote to memory of 4860	424	fontdrvhost.exe	142
PID 4860 wrote to memory of 2396	4860	cmd.exe	144
PID 4860 wrote to memory of 2396	4860	cmd.exe	144
PID 4860 wrote to memory of 3504	4860	cmd.exe	145
PID 4860 wrote to memory of 3504	4860	cmd.exe	145
PID 3504 wrote to memory of 2228	3504	fontdrvhost.exe	146
PID 3504 wrote to memory of 2228	3504	fontdrvhost.exe	146
PID 2228 wrote to memory of 2204	2228	cmd.exe	148
PID 2228 wrote to memory of 2204	2228	cmd.exe	148
PID 2228 wrote to memory of 1960	2228	cmd.exe	149
PID 2228 wrote to memory of 1960	2228	cmd.exe	149
PID 1960 wrote to memory of 3948	1960	fontdrvhost.exe	150
PID 1960 wrote to memory of 3948	1960	fontdrvhost.exe	150
PID 3948 wrote to memory of 1552	3948	cmd.exe	152
PID 3948 wrote to memory of 1552	3948	cmd.exe	152
PID 3948 wrote to memory of 3636	3948	cmd.exe	153
PID 3948 wrote to memory of 3636	3948	cmd.exe	153
PID 3636 wrote to memory of 3436	3636	fontdrvhost.exe	154
PID 3636 wrote to memory of 3436	3636	fontdrvhost.exe	154
PID 3436 wrote to memory of 4332	3436	cmd.exe	156
PID 3436 wrote to memory of 4332	3436	cmd.exe	156

C:\Users\Admin\AppData\Local\Temp\e2a786fa7797dd350639ec29f26b554bedf3c6f66b7e61bfb5baf7bd092b1fe2.exe
"C:\Users\Admin\AppData\Local\Temp\e2a786fa7797dd350639ec29f26b554bedf3c6f66b7e61bfb5baf7bd092b1fe2.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3248
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3836
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\WmiPrvSE.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\System\Ole DB\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Policies\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LsQlNPpiOn.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4848
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4720
      - C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sJ59Arupck.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1212
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8xeM6k5O3T.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:3584
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4yEObGBIDe.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2396
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        12⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iPSx7mMsuZ.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2204
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        14⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VhvmsyECnd.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1552
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        16⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zGIMjSYhT8.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:4332
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        18⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat"
        19⤵
        
        PID:4028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2656
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        20⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat"
        21⤵
        
        PID:3032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:3928
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        22⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat"
        23⤵
        
        PID:4084
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:3432
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        24⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat"
        25⤵
        
        PID:3076
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:4188
        
        C:\Recovery\WindowsRE\fontdrvhost.exe
        
        "C:\Recovery\WindowsRE\fontdrvhost.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Favorites\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\Favorites\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Favorites\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Policies\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Policies\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Policies\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\System\Ole DB\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\Ole DB\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\System\Ole DB\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Recovery\WindowsRE\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4yEObGBIDe.bat

Filesize
202B

MD5
ec41847b167ad3fc034f8649987d2da8

SHA1
6f53fc80a9a252e0280a2414466a8bc77fdf1fe6

SHA256
f61c7718e26bd12cee5761752462e2efa261e88c87521f68e75a0de35eb2ce6f

SHA512
c3770b3cca688e34253122d12156cb395e022517bb55fe132cc7965ffefa33544be1487dcdc4f400ded3ad7aaf9a6e689dc4a0fdcadcb65d97320d7b4e60dacb

Download Submit
C:\Users\Admin\AppData\Local\Temp\8xeM6k5O3T.bat

Filesize
202B

MD5
3c57dad915077beed1b9575a5c717c0e

SHA1
3c9f3d614c3408dff89cbb95069e18e4a1271930

SHA256
4cf6fbd66a3644b999e1e548dc97aa3baabcb9dc15c35609f03fcbdff0c17690

SHA512
7761ba215849ad48f42fc217987ca7f042734629b1979bb60fcabae94bdd62a1ac5984b9fdd5d0b2550382c6bf6b1dfa0269def7b988958016c8a075840c0f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat

Filesize
202B

MD5
054bb4acf6815e7cb60ce6458bb9db2e

SHA1
5e90fedae99e634ac233a47092c4ba8b289454f4

SHA256
8017a03ba41bcd768ea0b6f4f6a10e430e4001b87ff84569c4bcf28c8e7ffe8d

SHA512
6df8fa920c4be9ab8238aa6364d793cca3738193d88698c53126e303151bdfb8f718d0f04e156b6aa54b05bc6570844c9a0a7ce85a92db5755eb065a4ec51f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\LsQlNPpiOn.bat

Filesize
202B

MD5
26449f7cd91696d29bdea758075390b0

SHA1
19fb658d6a14f40f922cdc149a3e1ef2ee2dc62f

SHA256
5cdd205694e2202a97bc47ce6f4278a2fe183621e00264bf2a7fb706bdf45ee9

SHA512
165bfda7baca9e75a02db4c6003db361dbf1ab2e95bc00e7eb6453bcc2d3d4cf2da50095d154202ef735524348e39ea61db35d808bd0a158dffdbf92b3ed045b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat

Filesize
202B

MD5
bb39518a63e6f9e06648b4efc4bf04e9

SHA1
e4ac2eb5fb2a0b160d8320ef7fe1d2544e93513f

SHA256
de2b2e73396120df4a4a995eba3d057e2e9c80172e59932a74742bc96a2d8d5d

SHA512
c8abb2aae44c3a9c33d2a0ccc5e86171cdcbe2221f03c3bc44bbade8f1a606fca06f91b53d4c4b8954f13fd8cb75a99b5281914e8b6c0f4aa9260a0593436407

Download Submit
C:\Users\Admin\AppData\Local\Temp\VhvmsyECnd.bat

Filesize
202B

MD5
28973b193b80dd3411de3b7500ff6ac3

SHA1
a9e7e16900694eeb1c276e325019561fb92c5c89

SHA256
46fc2be6c5c3d1f6d3c412fc84dfbe46aa8efdf42ad9afda9732ecdcfa38f521

SHA512
96cd280954bdca8e3e807f380fe2bb2ce2a6e9d287dce805cd67f932b15940bc9903087f14797feb48e2830d7e448da1d3f6f9e72906de23ab94f79be06edb3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XdxpZ3I66P.bat

Filesize
202B

MD5
e1728083e6b9f616b0ecec4446dc98d0

SHA1
5dd1f4387c9905e05011e64ddb22f1188207d414

SHA256
69186ea18f7e01d753246cb85298ea1541bb87860c3e99e281b951f0e9186e33

SHA512
96a65411184b661a046ff5ccc0f438fc4fb593112b6bc13a41c8814d08cb602e23461a3581bdd62fbf2678f988784a33715b5bf30f455aed90836a2e8ed8f854

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat

Filesize
202B

MD5
062db2a310821f558974b24f5858f051

SHA1
48092cb7e538ea534fdbc9b9c712d05f8b0ff1d8

SHA256
4c5178acb02c005f00aef4d6d6f0598cf94bc778f802e56c925ff9e2b011d83c

SHA512
24e85dd6e76577db968b9d5862506ac4c082035df94e5383b69e4eabec68d09c5b0a92c8462f0a2f06ad475d7f3f20ffc8c83bbd28a78d3e860619af681b300d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iPSx7mMsuZ.bat

Filesize
202B

MD5
4caeb4ade4d886fe17fbf75e6965a05e

SHA1
741a2d1c6d300e5d8023f4783363614e069366f0

SHA256
457d34b873d231b7c21f06b22d002dd950e55c8ee37c11948a14fbd1a869b45c

SHA512
c6c27472eaee0532be05cccfcdf6799f7a99ea451904b92e0bfe4d218b31dd9e92af353282231a58371441ec1dad808774995adc9d6afdf22979171d456b154d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sJ59Arupck.bat

Filesize
202B

MD5
7eb0e69436d08602511c516f280fbb35

SHA1
cc3a9738ac58468793ae8654730a153c6a522a8c

SHA256
a5b84ef34211ac71028e893061c5c573eae9073a6581fad93fd538f8d4eb64f9

SHA512
a63ae1906983fdfc568f816f2551d5db54fdb18d0ef76aa8ad5b6dff64ec4a6997549cfb3264294c8d523a01870f3605a9c52372ad59ba54d07a2dabde3f8aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\zGIMjSYhT8.bat

Filesize
202B

MD5
60300ae328cc315c6c9a6f34b2d9fe0f

SHA1
fa61ce46b9265a481671c3d158a1d84fe4b09fbf

SHA256
269e932f21f241468d3c9f13c32ca450c838036569c0b659a2a158d173b46f46

SHA512
ae3f7d56d45acb51501d7008c158204a25e7b4d4c435b4296893d8a274843c0f2ab5b1d2cbf29600ee7abc3e63e61537027775cf80954013e9a4951f0e2e56b3

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/424-196-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/424-200-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/952-165-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/952-154-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/1468-161-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/1468-176-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/1868-158-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/1868-172-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/1960-210-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/1960-214-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/2112-159-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/2112-177-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/2492-173-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/2492-155-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/2712-235-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/2712-231-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/2856-238-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/2856-242-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/2960-149-0x00000194C5E10000-0x00000194C5E32000-memory.dmp

Filesize
136KB

Download
memory/2960-166-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/2960-152-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/3032-139-0x00000000006A0000-0x00000000007B0000-memory.dmp

Filesize
1.1MB

Download
memory/3032-153-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/3032-140-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/3112-181-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/3112-185-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/3504-207-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/3504-203-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/3556-193-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/3556-189-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/3636-221-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/3636-175-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/3636-160-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/3636-217-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/3904-151-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/3904-167-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/4372-252-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/4720-224-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/4720-228-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/4796-245-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download
memory/4796-249-0x00007FF984420000-0x00007FF984EE1000-memory.dmp

Filesize
10.8MB

Download