Analysis Overview
SHA256
6f43180062b03deb767e9738a94e35a0dd01a67a614a96dbeffd1bbf4d97cb95
Threat Level: Known bad
The file 6f43180062b03deb767e9738a94e35a0dd01a67a614a96dbeffd1bbf4d97cb95 was found to be: Known bad.
Malicious Activity Summary
DCRat payload
Process spawned unexpected child process
DcRat
Dcrat family
DCRat payload
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-01 11:40
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-01 11:40
Reported
2022-11-01 11:43
Platform
win10-20220812-en
Max time kernel
150s
Max time network
147s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
The row above appears 21 times in the original report, once per schtasks.exe launch listed under Processes; the repeats are collapsed here.
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
19 matches in the original report; the sandbox records no indicator detail for this signature.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\fontdrvhost.exe | N/A |
The fontdrvhost.exe row appears 15 times in the original report, once per launch listed under Processes; the repeats are collapsed here.
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\f8c8f1285d826b | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\sppsvc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\0a1fd5f707cd16 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ShellExperienceHost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ShellExperienceHost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
21 matches, one per schtasks.exe /create command listed under Processes; the repeats are collapsed here.
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\6f43180062b03deb767e9738a94e35a0dd01a67a614a96dbeffd1bbf4d97cb95.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings | C:\Users\Admin\fontdrvhost.exe | N/A |
The fontdrvhost.exe row appears 14 times in the original report; the repeats are collapsed here.
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6f43180062b03deb767e9738a94e35a0dd01a67a614a96dbeffd1bbf4d97cb95.exe
"C:\Users\Admin\AppData\Local\Temp\6f43180062b03deb767e9738a94e35a0dd01a67a614a96dbeffd1bbf4d97cb95.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ShellExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ShellExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ShellExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\odt\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\odt\OfficeClickToRun.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Windows\Temp\OfficeClickToRun.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\Temp\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Windows\Temp\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ShellExperienceHost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\Idle.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\ShellExperienceHost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\OfficeClickToRun.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\OfficeClickToRun.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\fontdrvhost.exe'
C:\Users\Admin\fontdrvhost.exe
"C:\Users\Admin\fontdrvhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tGPC7CVf0d.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\fontdrvhost.exe
"C:\Users\Admin\fontdrvhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sPXGbYzrvf.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\fontdrvhost.exe
"C:\Users\Admin\fontdrvhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bhowVEGEG8.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\fontdrvhost.exe
"C:\Users\Admin\fontdrvhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OrAhl4fNEA.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\fontdrvhost.exe
"C:\Users\Admin\fontdrvhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oPL6j2OtN4.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\fontdrvhost.exe
"C:\Users\Admin\fontdrvhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\42uKfvaRom.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\fontdrvhost.exe
"C:\Users\Admin\fontdrvhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yJyIm7wr5G.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\fontdrvhost.exe
"C:\Users\Admin\fontdrvhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mTJ33xL03H.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\fontdrvhost.exe
"C:\Users\Admin\fontdrvhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kXH0MsH7jV.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\fontdrvhost.exe
"C:\Users\Admin\fontdrvhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nm0aad8I0L.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\fontdrvhost.exe
"C:\Users\Admin\fontdrvhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\fontdrvhost.exe
"C:\Users\Admin\fontdrvhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kXH0MsH7jV.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\fontdrvhost.exe
"C:\Users\Admin\fontdrvhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\79RMekxjZd.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\fontdrvhost.exe
"C:\Users\Admin\fontdrvhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\fontdrvhost.exe
"C:\Users\Admin\fontdrvhost.exe"
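Three things in the listing above matter for detection. The 21 schtasks.exe launches are attributed to wmiprvse.exe as parent, which is what a dropper produces when it creates processes through WMI (Win32_Process.Create) rather than CreateProcess; the process list here is flat, so that signature is the only place the parent relationship is visible. Each dropped copy gets a trio of tasks (a MINUTE trigger without /rl, an ONLOGON trigger with /rl HIGHEST, and a second MINUTE trigger with /rl HIGHEST), the same task names are reused for different drop locations (ShellExperienceHost for the Adobe path and then for C:\Recovery\WindowsRE, OfficeClickToRun for C:\odt and then for C:\Windows\Temp), and because every call passes /f the later definition silently replaces the earlier one. Every task target is also handed to Add-MpPreference -ExclusionPath, and the w32tm /stripchart call in each .bat is a sleep substitute (/period:5 /samples:2 blocks for roughly five seconds without any extra tooling).

The block below is an added example, not part of the sandbox output or of the malware: it replays a constructed subset of the command lines above, resolves which scheduled tasks actually survive the overwrites, cross-references them with the Defender exclusions and flags the traits that make this loader stand out. EXPECTED_DIR (where the genuine binaries of those names live) and the 15-minute watchdog threshold are assumptions of this example.

```python
"""Added example (not from the sandbox report): replay the schtasks, powershell
and w32tm command lines listed under "Processes" and flag the DCRat loader's
persistence and defence-evasion pattern.  EXPECTED_DIR and the interval
threshold are assumptions of this example, not sandbox data."""
import re

# Genuine install locations of these binary names on stock Windows 10 (assumption).
EXPECTED_DIR = {
    "fontdrvhost.exe": r"C:\Windows\System32",
    "sppsvc.exe": r"C:\Windows\System32",
    "ShellExperienceHost.exe": r"C:\Windows\SystemApps",
}

# Constructed sample: a subset of the report's command lines, in the order the
# sandbox listed them (quoting around the image name dropped).
SAMPLE_CMDLINES = [
    r"""schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ShellExperienceHost.exe'" /f""",
    r"""schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ShellExperienceHost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ShellExperienceHost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /f""",
    r"""schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\fontdrvhost.exe'" /f""",
    r"""schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\fontdrvhost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\fontdrvhost.exe'" /rl HIGHEST /f""",
    r"""powershell -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'""",
    r"""powershell -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\ShellExperienceHost.exe'""",
    r"""powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\fontdrvhost.exe'""",
    r"""w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2""",
]

_CREATE = re.compile(r'^\s*"?(?:.*\\)?schtasks(?:\.exe)?"?\s+/create\b', re.I)
_FIELDS = {
    "tn": re.compile(r'/tn\s+"([^"]+)"', re.I),
    "sc": re.compile(r"/sc\s+(\w+)", re.I),
    "mo": re.compile(r"/mo\s+(\d+)", re.I),
    "tr": re.compile(r'''/tr\s+"'?([^"']+)'?"''', re.I),   # /tr "'path'" or /tr "path"
    "rl": re.compile(r"/rl\s+(\w+)", re.I),
}
_EXCLUSION = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.I)
_W32TM_SLEEP = re.compile(r"w32tm\s+/stripchart\s+/computer:localhost", re.I)

def parse_schtasks(cmd):
    """Fields of a 'schtasks /create' line (tn, sc, mo, tr, rl, force), or None."""
    if not _CREATE.match(cmd):
        return None
    f = {k: (m.group(1) if (m := rx.search(cmd)) else None) for k, rx in _FIELDS.items()}
    f["sc"] = (f["sc"] or "").upper()
    f["mo"] = int(f["mo"] or 0)
    f["rl"] = (f["rl"] or "LIMITED").upper()          # schtasks' default run level
    f["force"] = re.search(r"\s/f(?:\s|$)", cmd, re.I) is not None
    return f

def effective_tasks(cmdlines):
    """Replay the /create calls in order: with /f a repeated /tn silently replaces
    the earlier task, so only the last definition per name survives (without /f
    schtasks prompts on the clash, treated here as no change)."""
    tasks = {}
    for cmd in cmdlines:
        t = parse_schtasks(cmd)
        if t and t["tn"] and (t["force"] or t["tn"] not in tasks):
            tasks[t["tn"]] = t
    return tasks

def defender_exclusions(cmdlines):
    """Paths pushed onto Microsoft Defender's exclusion list with Add-MpPreference."""
    return [m.group(1) for cmd in cmdlines if (m := _EXCLUSION.search(cmd))]

def suspicious_reasons(task, exclusions):
    """Why one surviving task looks like loader persistence rather than admin work."""
    target = task["tr"] or ""
    name = target.rsplit("\\", 1)[-1]
    reasons = []
    expected = EXPECTED_DIR.get(name)
    if expected and not target.lower().startswith(expected.lower() + "\\"):
        reasons.append(f"masquerade: {name} is expected under {expected}")
    if task["rl"] == "HIGHEST":
        reasons.append("runs elevated (/rl HIGHEST)")
    if task["sc"] == "ONLOGON":
        reasons.append("logon trigger")
    elif task["sc"] == "MINUTE" and task["mo"] <= 15:   # threshold is an assumption
        reasons.append(f"relaunched every {task['mo']} min (watchdog)")
    if target.lower() in exclusions:
        reasons.append("target is also excluded from Defender scanning")
    return reasons

def analyze(cmdlines):
    """Combine task replay, Defender exclusions and the w32tm sleep into one view."""
    tasks = effective_tasks(cmdlines)
    exclusions = {p.lower() for p in defender_exclusions(cmdlines)}
    findings = {n: suspicious_reasons(t, exclusions) for n, t in tasks.items()}
    return {
        "tasks": tasks,
        "exclusions": sorted(exclusions),
        "findings": {n: r for n, r in findings.items() if r},
        # /period:5 /samples:2 takes about five seconds: a sleep with no extra tooling
        "w32tm_sleep": any(_W32TM_SLEEP.search(c) for c in cmdlines),
    }

if __name__ == "__main__":
    for name, reasons in analyze(SAMPLE_CMDLINES)["findings"].items():
        print(name, "->", "; ".join(reasons))
```

Replaying rather than grepping matters when you reconcile the sandbox trace with a live host: a task list taken from the machine (schtasks /query /xml or Get-ScheduledTask) shows only the surviving definitions (here four, all pointing at C:\Recovery\WindowsRE and the user profile), not the nine /create calls the trace recorded. Add-MpPreference fails without administrative rights, so whether the exclusions actually landed is a separate check worth running on an affected host (Get-MpPreference, ExclusionPath property) before trusting that Defender never saw the dropped copies.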
Network
| Country | Destination | Domain | Proto |
| NL | 13.69.109.131:443 | | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.252.118.126:80 | | tcp |
The 185.199.108.133:443 / raw.githubusercontent.com row appears 14 times in the original report; the repeats are collapsed here.
Files
memory/2500-117-0x0000000077580000-0x000000007770E000-memory.dmp
(62 dumps of the same region of PID 2500, indices 117 through 180 with 121 and 124 absent; the intermediate entries are collapsed here)
memory/2500-180-0x0000000077580000-0x000000007770E000-memory.dmp
memory/3380-181-0x0000000000000000-mapping.dmp
memory/3380-182-0x0000000077580000-0x000000007770E000-memory.dmp
memory/3380-183-0x0000000077580000-0x000000007770E000-memory.dmp
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
memory/4532-257-0x0000000000000000-mapping.dmp
memory/3836-280-0x0000000000000000-mapping.dmp
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/3836-283-0x0000000000FA0000-0x00000000010B0000-memory.dmp
memory/3836-284-0x00000000030B0000-0x00000000030C2000-memory.dmp
memory/3836-285-0x00000000030C0000-0x00000000030CC000-memory.dmp
memory/3836-286-0x000000001BB00000-0x000000001BB0C000-memory.dmp
memory/3836-287-0x000000001BB10000-0x000000001BB1C000-memory.dmp
memory/4808-288-0x0000000000000000-mapping.dmp
memory/4800-289-0x0000000000000000-mapping.dmp
memory/4396-290-0x0000000000000000-mapping.dmp
memory/656-291-0x0000000000000000-mapping.dmp
memory/820-294-0x0000000000000000-mapping.dmp
memory/1160-293-0x0000000000000000-mapping.dmp
memory/68-292-0x0000000000000000-mapping.dmp
memory/1532-295-0x0000000000000000-mapping.dmp
memory/2912-319-0x0000000000000000-mapping.dmp
C:\Users\Admin\fontdrvhost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4800-331-0x00000111F3A40000-0x00000111F3A62000-memory.dmp
memory/4808-342-0x0000015E7A1A0000-0x0000015E7A216000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e7cb5d6ce7b008273ff00c9c975a3afd |
| SHA1 | 1c62f14fd2f1414fe4c1369c3f1cec520cc1fa77 |
| SHA256 | 034204483f1f833f4707c6d5d1e8100e810db0d3733ea4a04a41ba79ecf999a4 |
| SHA512 | 75010c9f9779c5c4223d5d64653936ef86e1524fc611fefad6ea0e3884d8565505a546cbd304340540d2f5699ba7c144c8cb7eb987327d2d128a4ce9d5efc4ac |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | ad5cd538ca58cb28ede39c108acb5785 |
| SHA1 | 1ae910026f3dbe90ed025e9e96ead2b5399be877 |
| SHA256 | c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033 |
| SHA512 | c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e77bc84d52d36cfd2154ef6c3d062035 |
| SHA1 | 52d2edf508dd3b7cf666c17342ba75c54a593caf |
| SHA256 | 4efaae8780254e9338a4b6b75c10956952894209063abd6dcb15a656608608bd |
| SHA512 | a1083867e734ae5b336d7463d428cea99a4e3521a9d90d2bbc2ec76705383ba06dcabbd2fb42dd8a45b92988d7a20ae1119240f29687c7ecf79d9ee4ce9d72f0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 754c29885a91889d54e37ff5501b2c64 |
| SHA1 | 4dc3c40717cd0fae4a04f53e54a5bd80f3bfc319 |
| SHA256 | 2f6b1a2b6ce7d300327567e9e1f1247a7b7a5c180b2c9ae4a4a55d2104ef9f64 |
| SHA512 | c754fd14dd55993c0ff29cb272a46b5c2b3168915c9a462da3c2fe2b99a9ae23c082f086ec5df95bc5f3b8a6f0db6a08414311b1c586e2d4b3e712298ff7057d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3df03b7292eeda72e97180e347b03cf3 |
| SHA1 | 6dcf07eba6cbefa06b5ca7cc458e2e87d18fb750 |
| SHA256 | a3b2aa06d843fcb2399f1d529737e59b2beeb20519bd80035c2033dac646a52f |
| SHA512 | 1d458b231c87f3a70031284430a63553e2739e9bd406d8a04a4f9d9b19ab4f97b4e785b41e2e530321767e8d7f6c12c2299078335491dfb205669f749ab29cb6 |
memory/2340-585-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tGPC7CVf0d.bat
| MD5 | 048943f4ebccaec9e3fa17cdf355f146 |
| SHA1 | b6d7591929a538f368df2fc3cd8c50131226fedd |
| SHA256 | 83b6cb4cfdd62f8c23b50a8c27168f31d0ca44c151a250e156d26c2fef032c29 |
| SHA512 | 77b920bd2c3a97d8f8ee917479bbb4e7f6b467a4888316ae285e10980bad472066c45851b76e9a0ad8260611182fe3d286ecd4b625eb0e7d356a6b93d22aa438 |
memory/5096-587-0x0000000000000000-mapping.dmp
memory/5004-588-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log
| MD5 | d63ff49d7c92016feb39812e4db10419 |
| SHA1 | 2307d5e35ca9864ffefc93acf8573ea995ba189b |
| SHA256 | 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12 |
| SHA512 | 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a |
memory/1920-591-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\sPXGbYzrvf.bat
| MD5 | 2ceaaa4aefa748a558ab27b66826512d |
| SHA1 | 7fede956bffd64df0bc254557e7ebc5fcc12bdf8 |
| SHA256 | 328b6692a1d38a59633f6c7cfe7315fe47b74d34c2333cc8f992d94039f8a2b3 |
| SHA512 | 3b29c74d031b2ef6490b26205c5d7b7757c7157ed27e01e9cddff0f79c7e17d9cb9a8467f3fa5d18ef197d5437b78dfefe3eca050d4c6457001492835169a592 |
memory/4452-593-0x0000000000000000-mapping.dmp
memory/4740-594-0x0000000000000000-mapping.dmp
C:\Users\Admin\fontdrvhost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/868-596-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\bhowVEGEG8.bat
| MD5 | 15cb767099ea35ee65f7706912adbe21 |
| SHA1 | 8db106d8d154ecc1d63c5009e8b33d8e5260eb21 |
| SHA256 | 6fe475fc66033413d559129adec74d44a279ee7d876a818aa406c5cc3d06769f |
| SHA512 | b47d0c6f8c4dc9f7758996b3753cfff4ca8a0e8704bd0c3a3438a96cce2a934906c197c4122788e60d5a7f024d8f76196dfe2053de0fa8f85affb63e30dc7ec7 |
memory/3292-598-0x0000000000000000-mapping.dmp
memory/4844-599-0x0000000000000000-mapping.dmp
C:\Users\Admin\fontdrvhost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4496-601-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\OrAhl4fNEA.bat
| MD5 | 456567c4aed40ec38bad5360f7a0e94a |
| SHA1 | d5135865ebc522c2053f2797debb475a66c4f0a8 |
| SHA256 | d8f3c4c5c9535a977811a98354837ab413f2f197f0ef8f4d72fe2bd6bf328dd4 |
| SHA512 | 9e26df0237f15fc81a79e26b355df63540b8d8afa13e22f8163f3099d354d054d9f3bc8618b6d99b7bb5a26b9c016b3a98c2d82793af2f5e61796e40c8b2cbbc |
memory/2768-603-0x0000000000000000-mapping.dmp
memory/2020-604-0x0000000000000000-mapping.dmp
C:\Users\Admin\fontdrvhost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2020-606-0x0000000000EF0000-0x0000000000F02000-memory.dmp
memory/3852-607-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\oPL6j2OtN4.bat
| MD5 | 97d5b15349b2b69a8ebfbfb5c4c4841f |
| SHA1 | 9fae29dc40e8567709e8c915180f6c964d0bdedc |
| SHA256 | cb1c039283ed1950941c31e320eb598c2f63ea01cb9ea56bec76703d2e37c481 |
| SHA512 | c1976372880c7ca916c7e402c84fa0996f2d4203ef1e42f1b0b1137d54838b8ee494e6be23a4e310dd4aaf98674ab72d84c2cb0db6b9b77afa468cbbbdc05c82 |
memory/4604-609-0x0000000000000000-mapping.dmp
memory/2076-610-0x0000000000000000-mapping.dmp
C:\Users\Admin\fontdrvhost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2076-612-0x0000000001220000-0x0000000001232000-memory.dmp
memory/3328-613-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\42uKfvaRom.bat
| MD5 | 33b68e33ee03de9c67a71531ad78aac5 |
| SHA1 | 125affd1c12bdba14e78d81f7ab5662e5110c104 |
| SHA256 | b98a0df42c48f002efb20c7ee08a2fddb3bc0ca90d2cadbc4f72f3427f729057 |
| SHA512 | bdccfb14dfd13e558101a462ad9da4c3815556f1a991e787a7e89b60e1f974f7329d7f21ce5b1b26ef262cad12333c19845cbcf9cb4a6d1ddd64231e696cae60 |
memory/68-615-0x0000000000000000-mapping.dmp
memory/4660-616-0x0000000000000000-mapping.dmp
C:\Users\Admin\fontdrvhost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4660-618-0x00000000009C0000-0x00000000009D2000-memory.dmp
memory/1264-619-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\yJyIm7wr5G.bat
| MD5 | 34d32afc0ad61998612193e00d25060d |
| SHA1 | b8405bd54469794f3d5b47173f0815b50fbb6a0e |
| SHA256 | fc423ac02e8769f9942956fdf312826366506f48ffbd5f1f6c83b989d841060b |
| SHA512 | f7a0739a99aceb2365b22d93272af0a471976e9a92ee132e3fd19012dfb84e3d535d35eae41ec16740b053077d5e7b7be28c359220d5ae02b6dcb7f165b18d89 |
memory/2264-621-0x0000000000000000-mapping.dmp
memory/2756-622-0x0000000000000000-mapping.dmp
C:\Users\Admin\fontdrvhost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2756-624-0x00000000009B0000-0x00000000009C2000-memory.dmp
memory/4880-625-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\mTJ33xL03H.bat
| MD5 | 37bdadcc07fc475b353a924b65111b27 |
| SHA1 | ed94136f889ae501876b5cb9b4ce47acfbfe1c63 |
| SHA256 | 6882e86e178b49ac3174a06342176d57b93ee7d3b0b8a64c60db533310f88f87 |
| SHA512 | 517861ab4c3e18713c2a7a936928cdfc35bff1a5bf1dbc9da3f39c416beabb5b4fe763e9b0aa1483c763f90931ddc7db4988c65ae528885b7edffe0cb55b9098 |
memory/32-627-0x0000000000000000-mapping.dmp
memory/2248-628-0x0000000000000000-mapping.dmp
C:\Users\Admin\fontdrvhost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/404-630-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\kXH0MsH7jV.bat
| MD5 | 1d47ebd1c2ba674d7da6631aeca57a59 |
| SHA1 | 76061230b12d4646f8f1470c40d1177d34e93c5d |
| SHA256 | 105d5c61c566d895bb7b9eb5a2f6220748bc8e0c091713c8824355e74c75112b |
| SHA512 | 894d5fa80e4bfee633b6893cf1981357188db240ed80f2fdbeb8163b5f111c7f314f98d0aa6ea7862c6de8f4eb223819bb57ad26d2bd3e4b907d3f9a7b36206a |
memory/832-632-0x0000000000000000-mapping.dmp
memory/1540-633-0x0000000000000000-mapping.dmp
C:\Users\Admin\fontdrvhost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/3228-635-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Nm0aad8I0L.bat
| MD5 | bdfcfb597b37bfe41792fcb83bc94ffb |
| SHA1 | 8628d1dfa26fa0468ffc530880b6dd89c226c8e0 |
| SHA256 | dd59325cb9280f32984c0b1753bb7e16976d47cda2034e7bb9920f75a234917c |
| SHA512 | 59527b619279d6f472108c2f7fd8b456081e14a5d1b702c3a7a6671a0af7c083bea775b910143a3f6228c1ab3b48ffa05500a9d0b0cd68baa6b025b0cbc76e52 |
memory/3924-637-0x0000000000000000-mapping.dmp
memory/992-638-0x0000000000000000-mapping.dmp
C:\Users\Admin\fontdrvhost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4564-640-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat
| MD5 | 3b2e73d38ce74cfa7e24d2ca12f3b001 |
| SHA1 | 168cf451b53c4bd8b53cb17098b2e36372b4b8f5 |
| SHA256 | b5d9274e9a6a42bd59569d831d5baeb49cecafd331411e7752b52898e67f625f |
| SHA512 | fe1f16de41b18f216b64a08c156abca28ea825a057093d14472352625c33033af5e7b38665c481846be181cf6ef02511c0c242715fda2aa480aed4b3f3c7f2b0 |
memory/1784-642-0x0000000000000000-mapping.dmp
memory/2544-643-0x0000000000000000-mapping.dmp
C:\Users\Admin\fontdrvhost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4436-645-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\kXH0MsH7jV.bat
| MD5 | 1d47ebd1c2ba674d7da6631aeca57a59 |
| SHA1 | 76061230b12d4646f8f1470c40d1177d34e93c5d |
| SHA256 | 105d5c61c566d895bb7b9eb5a2f6220748bc8e0c091713c8824355e74c75112b |
| SHA512 | 894d5fa80e4bfee633b6893cf1981357188db240ed80f2fdbeb8163b5f111c7f314f98d0aa6ea7862c6de8f4eb223819bb57ad26d2bd3e4b907d3f9a7b36206a |
memory/4780-647-0x0000000000000000-mapping.dmp
C:\Users\Admin\fontdrvhost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4764-648-0x0000000000000000-mapping.dmp
memory/532-650-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\79RMekxjZd.bat
| MD5 | 61d9f55658c1cdf0a4ac2e2be5312a89 |
| SHA1 | 61dc323786bc0a6a5c2e6fe79918be5d0bd53f1c |
| SHA256 | 759b8c636062b96124e25f23aa94783432516d6e555017237f3d26d6341447f3 |
| SHA512 | 2d4ca7ad839e9b96c172a9d897b353c09ef573e89bd249105cc001cf8019144e7365912a546c25e686308715a89baa528df41dfab7031e6b7a5af19f7e4a62f7 |
memory/3292-652-0x0000000000000000-mapping.dmp
memory/4004-653-0x0000000000000000-mapping.dmp
C:\Users\Admin\fontdrvhost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2188-655-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat
| MD5 | adaf610b4cc239cbebc5be28d7ff3123 |
| SHA1 | 1a9c722438ddc8e2694b4fbeb93095a481b46f0a |
| SHA256 | 330ba974e44c75507ea888f013d9ad000156505fc94ae4ddf5845b08b59f8051 |
| SHA512 | 17eea2be032c7a9e995cbc72986e0e07c9d8fd41bd2e3a8ce97972059cf471e7e940113f10c9f9348713470f8b34bb24cf02abd2f522a2ee3ac725aad3800713 |
memory/3956-657-0x0000000000000000-mapping.dmp
memory/524-658-0x0000000000000000-mapping.dmp
C:\Users\Admin\fontdrvhost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |