Analysis Overview
SHA256
b37c1251dd690732dc9d6bb71148890e0f0d1fc442d32662d2dac4e14daf3c24
Threat Level: Known bad
The file b37c1251dd690732dc9d6bb71148890e0f0d1fc442d32662d2dac4e14daf3c24 was found to be: Known bad.
Malicious Activity Summary
Dcrat family
DcRat
DCRat payload
Process spawned unexpected child process
DCRat payload
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-01 11:43
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Dcrat family
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-01 11:43
Reported
2022-11-01 11:46
Platform
win10-20220812-en
Max time kernel
149s
Max time network
147s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\Links\fontdrvhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\Links\fontdrvhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\Links\fontdrvhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\Links\fontdrvhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\Links\fontdrvhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\Links\fontdrvhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\Links\fontdrvhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\Links\fontdrvhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\Links\fontdrvhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\Links\fontdrvhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\Links\fontdrvhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\Links\fontdrvhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\Links\fontdrvhost.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\security\ebf1f9fa8afd6d | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\security\cmd.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | C:\Users\Admin\Links\fontdrvhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | C:\Users\Admin\Links\fontdrvhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | C:\Users\Admin\Links\fontdrvhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | C:\providercommon\DllCommonsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | C:\Users\Admin\Links\fontdrvhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | C:\Users\Admin\Links\fontdrvhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | C:\Users\Admin\Links\fontdrvhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | C:\Users\Admin\Links\fontdrvhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | C:\Users\Admin\Links\fontdrvhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | C:\Users\Admin\Links\fontdrvhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | C:\Users\Admin\Links\fontdrvhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\b37c1251dd690732dc9d6bb71148890e0f0d1fc442d32662d2dac4e14daf3c24.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | C:\Users\Admin\Links\fontdrvhost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | C:\Users\Admin\Links\fontdrvhost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b37c1251dd690732dc9d6bb71148890e0f0d1fc442d32662d2dac4e14daf3c24.exe
"C:\Users\Admin\AppData\Local\Temp\b37c1251dd690732dc9d6bb71148890e0f0d1fc442d32662d2dac4e14daf3c24.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Links\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Links\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Links\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Windows\security\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\security\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Windows\security\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Documents\My Pictures\SearchUI.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Pictures\SearchUI.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Documents\My Pictures\SearchUI.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Links\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\cmd.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Documents\My Pictures\SearchUI.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RDNeSBVcnB.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\Links\fontdrvhost.exe
"C:\Users\Admin\Links\fontdrvhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fq9TqI16of.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\Links\fontdrvhost.exe
"C:\Users\Admin\Links\fontdrvhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cu7QADyCUt.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\Links\fontdrvhost.exe
"C:\Users\Admin\Links\fontdrvhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\Links\fontdrvhost.exe
"C:\Users\Admin\Links\fontdrvhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3fa1oyizme.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\Links\fontdrvhost.exe
"C:\Users\Admin\Links\fontdrvhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OMiKQlKjHz.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\Links\fontdrvhost.exe
"C:\Users\Admin\Links\fontdrvhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8OW3hmLaVA.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\Links\fontdrvhost.exe
"C:\Users\Admin\Links\fontdrvhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cu7QADyCUt.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\Links\fontdrvhost.exe
"C:\Users\Admin\Links\fontdrvhost.exe"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mxrgiezM67.bat"
C:\Users\Admin\Links\fontdrvhost.exe
"C:\Users\Admin\Links\fontdrvhost.exe"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j2qd1ZwTnL.bat"
C:\Users\Admin\Links\fontdrvhost.exe
"C:\Users\Admin\Links\fontdrvhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QHkN6qNcbm.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\Links\fontdrvhost.exe
"C:\Users\Admin\Links\fontdrvhost.exe"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\guIa2jZB2U.bat"
C:\Users\Admin\Links\fontdrvhost.exe
"C:\Users\Admin\Links\fontdrvhost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XBBOHPKclM.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\Links\fontdrvhost.exe
"C:\Users\Admin\Links\fontdrvhost.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
Files
memory/2248-118-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-119-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-120-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-121-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-123-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-124-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-126-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-127-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-128-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-129-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-130-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-131-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-132-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-133-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-134-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-135-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-136-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-137-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-138-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-139-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-140-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-141-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-142-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-143-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-144-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-145-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-147-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-146-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-148-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-150-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-149-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-151-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-152-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-153-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-154-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-155-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-156-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-157-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-158-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-159-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-160-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-161-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-162-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-163-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-164-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-165-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-166-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-167-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-168-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-169-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-171-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-170-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-172-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-173-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-174-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-175-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-176-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-177-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-178-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-179-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-180-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/2248-181-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/4512-182-0x0000000000000000-mapping.dmp
memory/4512-183-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/4512-184-0x00000000779B0000-0x0000000077B3E000-memory.dmp
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
memory/4272-258-0x0000000000000000-mapping.dmp
memory/3200-281-0x0000000000000000-mapping.dmp
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/3200-284-0x00000000004A0000-0x00000000005B0000-memory.dmp
memory/3200-285-0x0000000000EB0000-0x0000000000EC2000-memory.dmp
memory/3200-286-0x0000000000EC0000-0x0000000000ECC000-memory.dmp
memory/3200-287-0x000000001BA40000-0x000000001BA4C000-memory.dmp
memory/3200-288-0x0000000000ED0000-0x0000000000EDC000-memory.dmp
memory/4968-289-0x0000000000000000-mapping.dmp
memory/4288-290-0x0000000000000000-mapping.dmp
memory/4848-291-0x0000000000000000-mapping.dmp
memory/3328-292-0x0000000000000000-mapping.dmp
memory/4968-309-0x000001D762110000-0x000001D762132000-memory.dmp
memory/4288-318-0x0000025AB2C30000-0x0000025AB2CA6000-memory.dmp
memory/188-319-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RDNeSBVcnB.bat
| MD5 | 7f7d15ded93c2719e69f5192c859f239 |
| SHA1 | 03af27ef38d587d4f3bdad9fecb028852dac10e8 |
| SHA256 | fc8e47b6c996a23da8ba391b070a2165401f38dafc200d58b6de4acf78ffaf39 |
| SHA512 | 7d19e4a868fb19fa0920c62cf29d48dea08769c406d810ff90925bcc1f0330ea23b02dac9bdd6209d7fa2289016993b641ada9b76bd7ab6d41426cd24edb2c7d |
memory/728-337-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c492bc991bfad9c03febe497847113ac |
| SHA1 | 1de2ad71e1f0cbfdcf9b231c27ec003f2fd7c74d |
| SHA256 | 17f749f04c4f4e5f7b815f23ec0bca5a40d29a7420b5200bfc3a5ec704dc1c32 |
| SHA512 | bb648145d3f60091b6e08181b7f9d52682fd7519db13c4e46aeceba61ff366fae73d7dd8b082ec12d155142a23109128db995ecbbabbf225fdf7baa8e5e0a626 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6bae30481db65844ad0782d31b40f9ca |
| SHA1 | 21830d8da6cc62d82840f29e8bd3421c1945b128 |
| SHA256 | dbbb01236f3e58071375220d1c81b9e57e43bda57597633a5e4fd7428153d21c |
| SHA512 | 2e40d3d57a78b64b779420de7426b16dd8a45de8bb29ba22f1a139901d9f3a2d4f7bbe0dd1790332eb7883a8986ba12c2fc66122e8f580631bbcb72630b1788a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8592ba100a78835a6b94d5949e13dfc1 |
| SHA1 | 63e901200ab9a57c7dd4c078d7f75dcd3b357020 |
| SHA256 | fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c |
| SHA512 | 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6bae30481db65844ad0782d31b40f9ca |
| SHA1 | 21830d8da6cc62d82840f29e8bd3421c1945b128 |
| SHA256 | dbbb01236f3e58071375220d1c81b9e57e43bda57597633a5e4fd7428153d21c |
| SHA512 | 2e40d3d57a78b64b779420de7426b16dd8a45de8bb29ba22f1a139901d9f3a2d4f7bbe0dd1790332eb7883a8986ba12c2fc66122e8f580631bbcb72630b1788a |
memory/1456-434-0x0000000000000000-mapping.dmp
C:\Users\Admin\Links\fontdrvhost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
C:\Users\Admin\Links\fontdrvhost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/3564-437-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\fq9TqI16of.bat
| MD5 | 6028b1ace15c62873c978ac23ddf3748 |
| SHA1 | 394203161adde48a23f19db16341bedbd38ffd9d |
| SHA256 | 4ac46e3ac3ded33ca9b3a83eed80d260c5c45bc831d4934f0ee70f338c128f9d |
| SHA512 | 2a6ba12e8fcf64e110b9202af56164d1f0f043ef86db11ffdac935d8e8da02a5c4f7de0d89e595c2136c7ffb791e143fd5bb0ff9e31332984736e2092ca606b4 |
memory/3476-439-0x0000000000000000-mapping.dmp
C:\Users\Admin\Links\fontdrvhost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4832-440-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log
| MD5 | d63ff49d7c92016feb39812e4db10419 |
| SHA1 | 2307d5e35ca9864ffefc93acf8573ea995ba189b |
| SHA256 | 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12 |
| SHA512 | 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a |
memory/4832-443-0x00000000015D0000-0x00000000015E2000-memory.dmp
memory/4768-444-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\cu7QADyCUt.bat
| MD5 | 06441b9a4ec0adf9e87833216d699167 |
| SHA1 | 273a3bd77d1faa658b844865ee6b76014517be68 |
| SHA256 | b3440a3c7d02b9fcf4cbc6c9387eb9de25e3c690229e63a721332f197f7fbb99 |
| SHA512 | 30f89deedcb72f6703e4708e99c22f2a83bc51c0520469e925d5d1274537609e12f2ff23e848c15c64c53a290ec1fa11d5b1e0b6489c873cef0eb890ba0ab2bc |
memory/4136-446-0x0000000000000000-mapping.dmp
memory/3168-447-0x0000000000000000-mapping.dmp
C:\Users\Admin\Links\fontdrvhost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/3264-449-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat
| MD5 | 850c31b89766643e5101022f14592a26 |
| SHA1 | f85d6b11bfea758234662f3ebbabd5eb2f33f503 |
| SHA256 | bfd4af0f79749dfa4e3a0ccf60c583ff7146c768e8a8df823587bd2d6a9b07ca |
| SHA512 | d5055174072fbcdeb5fffaf084eab7c7385b301e17674156793fa9e6c7145805d2568c98d5bd745771e5a2faab74f68389d40abc377c4b49a047e92fd479b274 |
memory/692-451-0x0000000000000000-mapping.dmp
memory/3788-452-0x0000000000000000-mapping.dmp
C:\Users\Admin\Links\fontdrvhost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/3788-454-0x00000000029E0000-0x00000000029F2000-memory.dmp
memory/4984-455-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3fa1oyizme.bat
| MD5 | 6566c208f5ea3951164af4df99c9bdc4 |
| SHA1 | 08c2371707751840378fa276cc6895447af72f97 |
| SHA256 | ec89d6ad214a8662ef7d79ef3ec730310cf7de331690c9f9f9448c34a9f8b20d |
| SHA512 | d2f9a4240215d3ab6b27aa49145d2cdb9a165f284a6c13d9c769eaed908e1066f3904e155f7321eb66fbda4a17d7a2e7d9376e276620c0c1d84608a49124d6a1 |
memory/2232-457-0x0000000000000000-mapping.dmp
memory/732-458-0x0000000000000000-mapping.dmp
C:\Users\Admin\Links\fontdrvhost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/732-460-0x0000000000E70000-0x0000000000E82000-memory.dmp
memory/1900-461-0x0000000000000000-mapping.dmp
memory/4596-463-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\OMiKQlKjHz.bat
| MD5 | 5c1bfbf4f796153f9ef00da271e4fda0 |
| SHA1 | 80b8c9eff09d2b1fb5ce7d5e9d012916e859f768 |
| SHA256 | 123f5296b7289237929041af9851c550be9088b73231d0916bceed28fdfd0e7b |
| SHA512 | c1d24bb1dbceab382cfcf1ece14b569038e4d313bbb8533024c75475ed47ad529555d3fc1e7d1528882d0424b9c5254118478236a3130dcb769e96491eb737f2 |
memory/504-464-0x0000000000000000-mapping.dmp
C:\Users\Admin\Links\fontdrvhost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2428-466-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\8OW3hmLaVA.bat
| MD5 | d9343deb8843d38e3fa399c0fb7f3eee |
| SHA1 | a698e9c89e8c9b9c326fe8cca42c20e109f8c6e8 |
| SHA256 | 75417f34a760bf5a076f07e05c9d4a6f73e2a53f8d393990c893756c02d29e69 |
| SHA512 | ee6e14410cc59d1ff65d1518667a08af636f7b0934ed48cb6bf0bed72e73e2458ba29a10b3aee99bd36b6b4b3eb2be30508133d02b4477de609a9b10a3c0e043 |
memory/4032-468-0x0000000000000000-mapping.dmp
memory/3160-469-0x0000000000000000-mapping.dmp
C:\Users\Admin\Links\fontdrvhost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4792-471-0x0000000000000000-mapping.dmp
memory/4632-473-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\cu7QADyCUt.bat
| MD5 | 06441b9a4ec0adf9e87833216d699167 |
| SHA1 | 273a3bd77d1faa658b844865ee6b76014517be68 |
| SHA256 | b3440a3c7d02b9fcf4cbc6c9387eb9de25e3c690229e63a721332f197f7fbb99 |
| SHA512 | 30f89deedcb72f6703e4708e99c22f2a83bc51c0520469e925d5d1274537609e12f2ff23e848c15c64c53a290ec1fa11d5b1e0b6489c873cef0eb890ba0ab2bc |
memory/3552-474-0x0000000000000000-mapping.dmp
C:\Users\Admin\Links\fontdrvhost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4904-476-0x0000000000000000-mapping.dmp
memory/680-478-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\mxrgiezM67.bat
| MD5 | dd6f35f287ebb578f9f1ac83cee41691 |
| SHA1 | 13e0d2489bb0bd0d5422fdd38a0811e36087078b |
| SHA256 | 31dddc072c9ae262e6f3061164f3254103e7281720ba05b8a449b01224b11cd4 |
| SHA512 | 1deef14a420c415e3746ac2b4ec3d3ab47c31f93891daaca76f0293b20b18fb5596239511090eb0d5c80e8c69f6174f48be5b124fba507c2d053c2c0e5db3b47 |
C:\Users\Admin\Links\fontdrvhost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/1676-479-0x0000000000000000-mapping.dmp
memory/4384-481-0x0000000000000000-mapping.dmp
memory/4820-483-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\j2qd1ZwTnL.bat
| MD5 | 2718a5c8a37ce1a45f000554cb5eed1e |
| SHA1 | 708cf02945f7dd97582d3c1a94531e25febaa86d |
| SHA256 | 2084e37c6d5ed3bfee2a9f05bdc9c2a219c6f0c12ac242b5a6be79162cdd7c3c |
| SHA512 | 2c2bd480e44801aff51bf4c857a001f6b657b229c5f2d1c9743bdaeb88fef4875d122d735b3ccdfb3ec1d4b272db67a00e494bcd9c7be724165fc443755ad3a0 |
memory/1500-484-0x0000000000000000-mapping.dmp
C:\Users\Admin\Links\fontdrvhost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/3192-486-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\QHkN6qNcbm.bat
| MD5 | f5b29a71d5401dc956e1173ac46fbbd6 |
| SHA1 | ae4c4f5e4b1e2d259f3f8adf007a885bfce8abdc |
| SHA256 | 759f18633ec7f561b4a5ec662656602ceace4f4fa0482bfe93ff94e37ee3c530 |
| SHA512 | f0ebfc38a5bfc5216d60bb10cd1714a972594760d9edd5ad53856a0be81968dea88c1880ca49fa1c2de54c33ffa108fe48f870fcbd7869d9ab94480d8a36ce3c |
memory/2776-488-0x0000000000000000-mapping.dmp
memory/2816-489-0x0000000000000000-mapping.dmp
C:\Users\Admin\Links\fontdrvhost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4192-493-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\guIa2jZB2U.bat
| MD5 | a6108e45f850e336391dba35a7e8dd9d |
| SHA1 | 8674c2463bf0ac4263d3b2d03dbee201bbc204d4 |
| SHA256 | accfe021ac0d383639ea4979f4914ca36e9cd2ac8f7ce99ca4c3d1884c137b1b |
| SHA512 | cb927ce895b3cdbac9a9459809aa3ae8fa800141871c6d68df2ea0defba51e7fabc7cf680ecfaee3a96450925753c4bf9dd359633f5f2482f2a6d0ac1e0e9746 |
memory/1124-491-0x0000000000000000-mapping.dmp
C:\Users\Admin\Links\fontdrvhost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4028-494-0x0000000000000000-mapping.dmp
memory/4216-496-0x0000000000000000-mapping.dmp
memory/4300-498-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\XBBOHPKclM.bat
| MD5 | 017c77fd2c587bbc3f01a312b1bb26bb |
| SHA1 | 8e9dae318cb7edc97deeb962184059b6eb129572 |
| SHA256 | d0e499515d44eb6eb923bc35b5001312d82c77bd7f8037fdd5786787312ff94c |
| SHA512 | 77231b551762dfb95b3cace7ba7f852f258b13f79a777711c71887e2b35c2d9cef91ab96753f2c37f18c78eb6486162697e2c02debdb79e6087793bb588f9313 |
memory/1388-499-0x0000000000000000-mapping.dmp
C:\Users\Admin\Links\fontdrvhost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/1388-501-0x0000000001040000-0x0000000001052000-memory.dmp