dcrat | 1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5

Analysis

max time kernel
155s
max time network
155s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
01/11/2022, 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5.exe
Size

1.3MB
MD5

479adce474d995761b5dd7cf15ee982b
SHA1

089521a9018dcb5abe009f549375e85054feef16
SHA256

1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5
SHA512

d852bfeb11f729f355627cfd466fca37cb6403016889d3d1a2dfe621632e4308e36c15c2b410d4980e61252d898ea7cf9029459b3b8a0a4564953d71667f7682
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4168	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3256	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4944	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3732	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4004	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	504	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	416	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3236	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	160	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4084	4240	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	4240	schtasks.exe	70

DCRat payload 16 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001ac30-279.dat	dcrat
behavioral1/files/0x000700000001ac30-280.dat	dcrat
behavioral1/memory/4216-281-0x00000000005D0000-0x00000000006E0000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac5b-359.dat	dcrat
behavioral1/files/0x000600000001ac5b-358.dat	dcrat
behavioral1/files/0x000600000001ac5b-939.dat	dcrat
behavioral1/files/0x000600000001ac5b-945.dat	dcrat
behavioral1/files/0x000600000001ac5b-951.dat	dcrat
behavioral1/files/0x000600000001ac5b-957.dat	dcrat
behavioral1/files/0x000600000001ac5b-962.dat	dcrat
behavioral1/files/0x000600000001ac5b-967.dat	dcrat
behavioral1/files/0x000600000001ac5b-972.dat	dcrat
behavioral1/files/0x000600000001ac5b-977.dat	dcrat
behavioral1/files/0x000600000001ac5b-982.dat	dcrat
behavioral1/files/0x000600000001ac5b-988.dat	dcrat
behavioral1/files/0x000600000001ac5b-994.dat	dcrat

Executes dropped EXE 13 IoCs

pid	Process
4216	DllCommonsvc.exe
4904	fontdrvhost.exe
5636	fontdrvhost.exe
5820	fontdrvhost.exe
6000	fontdrvhost.exe
5164	fontdrvhost.exe
4752	fontdrvhost.exe
1500	fontdrvhost.exe
1160	fontdrvhost.exe
2092	fontdrvhost.exe
4732	fontdrvhost.exe
1072	fontdrvhost.exe
1252	fontdrvhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsPowerShell\Configuration\Schema\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\sihost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\66fc9ff0ee96c2	DllCommonsvc.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Schema\dllhost.exe	DllCommonsvc.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\it-IT\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Windows\it-IT\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Windows\Migration\WTR\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\Migration\WTR\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Windows\en-US\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Windows\en-US\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Windows\it-IT\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Windows\tracing\OfficeClickToRun.exe	DllCommonsvc.exe
File created	C:\Windows\tracing\e6c9b481da804f	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4884	schtasks.exe
660	schtasks.exe
304	schtasks.exe
160	schtasks.exe
1920	schtasks.exe
4176	schtasks.exe
3256	schtasks.exe
4004	schtasks.exe
388	schtasks.exe
4932	schtasks.exe
4980	schtasks.exe
1096	schtasks.exe
372	schtasks.exe
916	schtasks.exe
4516	schtasks.exe
3152	schtasks.exe
4824	schtasks.exe
920	schtasks.exe
1488	schtasks.exe
4168	schtasks.exe
4740	schtasks.exe
4776	schtasks.exe
416	schtasks.exe
1640	schtasks.exe
1892	schtasks.exe
2684	schtasks.exe
2968	schtasks.exe
4816	schtasks.exe
4756	schtasks.exe
764	schtasks.exe
3236	schtasks.exe
768	schtasks.exe
4728	schtasks.exe
3732	schtasks.exe
4700	schtasks.exe
4968	schtasks.exe
4984	schtasks.exe
4944	schtasks.exe
4544	schtasks.exe
1136	schtasks.exe
3156	schtasks.exe
4820	schtasks.exe
1808	schtasks.exe
2976	schtasks.exe
504	schtasks.exe
1960	schtasks.exe
1404	schtasks.exe
4084	schtasks.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4216	DllCommonsvc.exe
4216	DllCommonsvc.exe
4216	DllCommonsvc.exe
4216	DllCommonsvc.exe
4216	DllCommonsvc.exe
4216	DllCommonsvc.exe
4216	DllCommonsvc.exe
4216	DllCommonsvc.exe
4216	DllCommonsvc.exe
1320	powershell.exe
1320	powershell.exe
1368	powershell.exe
1368	powershell.exe
2656	powershell.exe
2656	powershell.exe
2052	powershell.exe
2052	powershell.exe
2396	powershell.exe
2396	powershell.exe
3944	powershell.exe
3944	powershell.exe
2820	powershell.exe
2820	powershell.exe
2052	powershell.exe
3820	powershell.exe
3820	powershell.exe
3816	powershell.exe
3816	powershell.exe
5032	powershell.exe
5032	powershell.exe
4788	powershell.exe
4788	powershell.exe
3908	powershell.exe
3908	powershell.exe
2656	powershell.exe
5052	powershell.exe
5052	powershell.exe
4148	powershell.exe
4148	powershell.exe
3944	powershell.exe
3624	powershell.exe
3624	powershell.exe
2844	powershell.exe
2844	powershell.exe
2864	powershell.exe
2864	powershell.exe
2052	powershell.exe
4904	fontdrvhost.exe
4904	fontdrvhost.exe
5052	powershell.exe
2844	powershell.exe
1320	powershell.exe
1368	powershell.exe
2656	powershell.exe
2396	powershell.exe
3944	powershell.exe
2820	powershell.exe
4788	powershell.exe
3816	powershell.exe
3820	powershell.exe
3908	powershell.exe
5032	powershell.exe
5052	powershell.exe
3624	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4216	DllCommonsvc.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	3944	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	3820	powershell.exe
Token: SeDebugPrivilege	3816	powershell.exe
Token: SeDebugPrivilege	5032	powershell.exe
Token: SeDebugPrivilege	4788	powershell.exe
Token: SeDebugPrivilege	3908	powershell.exe
Token: SeDebugPrivilege	4904	fontdrvhost.exe
Token: SeDebugPrivilege	5052	powershell.exe
Token: SeDebugPrivilege	4148	powershell.exe
Token: SeDebugPrivilege	3624	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeIncreaseQuotaPrivilege	2052	powershell.exe
Token: SeSecurityPrivilege	2052	powershell.exe
Token: SeTakeOwnershipPrivilege	2052	powershell.exe
Token: SeLoadDriverPrivilege	2052	powershell.exe
Token: SeSystemProfilePrivilege	2052	powershell.exe
Token: SeSystemtimePrivilege	2052	powershell.exe
Token: SeProfSingleProcessPrivilege	2052	powershell.exe
Token: SeIncBasePriorityPrivilege	2052	powershell.exe
Token: SeCreatePagefilePrivilege	2052	powershell.exe
Token: SeBackupPrivilege	2052	powershell.exe
Token: SeRestorePrivilege	2052	powershell.exe
Token: SeShutdownPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeSystemEnvironmentPrivilege	2052	powershell.exe
Token: SeRemoteShutdownPrivilege	2052	powershell.exe
Token: SeUndockPrivilege	2052	powershell.exe
Token: SeManageVolumePrivilege	2052	powershell.exe
Token: 33	2052	powershell.exe
Token: 34	2052	powershell.exe
Token: 35	2052	powershell.exe
Token: 36	2052	powershell.exe
Token: SeIncreaseQuotaPrivilege	3944	powershell.exe
Token: SeSecurityPrivilege	3944	powershell.exe
Token: SeTakeOwnershipPrivilege	3944	powershell.exe
Token: SeLoadDriverPrivilege	3944	powershell.exe
Token: SeSystemProfilePrivilege	3944	powershell.exe
Token: SeSystemtimePrivilege	3944	powershell.exe
Token: SeProfSingleProcessPrivilege	3944	powershell.exe
Token: SeIncBasePriorityPrivilege	3944	powershell.exe
Token: SeCreatePagefilePrivilege	3944	powershell.exe
Token: SeBackupPrivilege	3944	powershell.exe
Token: SeRestorePrivilege	3944	powershell.exe
Token: SeShutdownPrivilege	3944	powershell.exe
Token: SeDebugPrivilege	3944	powershell.exe
Token: SeSystemEnvironmentPrivilege	3944	powershell.exe
Token: SeRemoteShutdownPrivilege	3944	powershell.exe
Token: SeUndockPrivilege	3944	powershell.exe
Token: SeManageVolumePrivilege	3944	powershell.exe
Token: 33	3944	powershell.exe
Token: 34	3944	powershell.exe
Token: 35	3944	powershell.exe
Token: 36	3944	powershell.exe
Token: SeIncreaseQuotaPrivilege	2656	powershell.exe
Token: SeSecurityPrivilege	2656	powershell.exe
Token: SeTakeOwnershipPrivilege	2656	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 5100	2476	1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5.exe	66
PID 2476 wrote to memory of 5100	2476	1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5.exe	66
PID 2476 wrote to memory of 5100	2476	1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5.exe	66
PID 5100 wrote to memory of 4076	5100	WScript.exe	67
PID 5100 wrote to memory of 4076	5100	WScript.exe	67
PID 5100 wrote to memory of 4076	5100	WScript.exe	67
PID 4076 wrote to memory of 4216	4076	cmd.exe	69
PID 4076 wrote to memory of 4216	4076	cmd.exe	69
PID 4216 wrote to memory of 1320	4216	DllCommonsvc.exe	119
PID 4216 wrote to memory of 1320	4216	DllCommonsvc.exe	119
PID 4216 wrote to memory of 1368	4216	DllCommonsvc.exe	131
PID 4216 wrote to memory of 1368	4216	DllCommonsvc.exe	131
PID 4216 wrote to memory of 2656	4216	DllCommonsvc.exe	130
PID 4216 wrote to memory of 2656	4216	DllCommonsvc.exe	130
PID 4216 wrote to memory of 2396	4216	DllCommonsvc.exe	129
PID 4216 wrote to memory of 2396	4216	DllCommonsvc.exe	129
PID 4216 wrote to memory of 2052	4216	DllCommonsvc.exe	127
PID 4216 wrote to memory of 2052	4216	DllCommonsvc.exe	127
PID 4216 wrote to memory of 3944	4216	DllCommonsvc.exe	122
PID 4216 wrote to memory of 3944	4216	DllCommonsvc.exe	122
PID 4216 wrote to memory of 2820	4216	DllCommonsvc.exe	123
PID 4216 wrote to memory of 2820	4216	DllCommonsvc.exe	123
PID 4216 wrote to memory of 3816	4216	DllCommonsvc.exe	132
PID 4216 wrote to memory of 3816	4216	DllCommonsvc.exe	132
PID 4216 wrote to memory of 3820	4216	DllCommonsvc.exe	133
PID 4216 wrote to memory of 3820	4216	DllCommonsvc.exe	133
PID 4216 wrote to memory of 5032	4216	DllCommonsvc.exe	134
PID 4216 wrote to memory of 5032	4216	DllCommonsvc.exe	134
PID 4216 wrote to memory of 4788	4216	DllCommonsvc.exe	136
PID 4216 wrote to memory of 4788	4216	DllCommonsvc.exe	136
PID 4216 wrote to memory of 4148	4216	DllCommonsvc.exe	137
PID 4216 wrote to memory of 4148	4216	DllCommonsvc.exe	137
PID 4216 wrote to memory of 3908	4216	DllCommonsvc.exe	138
PID 4216 wrote to memory of 3908	4216	DllCommonsvc.exe	138
PID 4216 wrote to memory of 5052	4216	DllCommonsvc.exe	139
PID 4216 wrote to memory of 5052	4216	DllCommonsvc.exe	139
PID 4216 wrote to memory of 3624	4216	DllCommonsvc.exe	140
PID 4216 wrote to memory of 3624	4216	DllCommonsvc.exe	140
PID 4216 wrote to memory of 2844	4216	DllCommonsvc.exe	147
PID 4216 wrote to memory of 2844	4216	DllCommonsvc.exe	147
PID 4216 wrote to memory of 2864	4216	DllCommonsvc.exe	145
PID 4216 wrote to memory of 2864	4216	DllCommonsvc.exe	145
PID 4216 wrote to memory of 4904	4216	DllCommonsvc.exe	143
PID 4216 wrote to memory of 4904	4216	DllCommonsvc.exe	143
PID 4904 wrote to memory of 2668	4904	fontdrvhost.exe	155
PID 4904 wrote to memory of 2668	4904	fontdrvhost.exe	155
PID 2668 wrote to memory of 1460	2668	cmd.exe	157
PID 2668 wrote to memory of 1460	2668	cmd.exe	157
PID 2668 wrote to memory of 5636	2668	cmd.exe	158
PID 2668 wrote to memory of 5636	2668	cmd.exe	158
PID 5636 wrote to memory of 5744	5636	fontdrvhost.exe	159
PID 5636 wrote to memory of 5744	5636	fontdrvhost.exe	159
PID 5744 wrote to memory of 5800	5744	cmd.exe	161
PID 5744 wrote to memory of 5800	5744	cmd.exe	161
PID 5744 wrote to memory of 5820	5744	cmd.exe	162
PID 5744 wrote to memory of 5820	5744	cmd.exe	162
PID 5820 wrote to memory of 5924	5820	fontdrvhost.exe	163
PID 5820 wrote to memory of 5924	5820	fontdrvhost.exe	163
PID 5924 wrote to memory of 5980	5924	cmd.exe	165
PID 5924 wrote to memory of 5980	5924	cmd.exe	165
PID 5924 wrote to memory of 6000	5924	cmd.exe	166
PID 5924 wrote to memory of 6000	5924	cmd.exe	166
PID 6000 wrote to memory of 6104	6000	fontdrvhost.exe	167
PID 6000 wrote to memory of 6104	6000	fontdrvhost.exe	167

C:\Users\Admin\AppData\Local\Temp\1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5.exe
"C:\Users\Admin\AppData\Local\Temp\1702ad666d39b8802ca30fdaf876f2c1ea070e0c7a9010e8a7a2b4d791512ac5.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4076
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\Idle.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dwm.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\en-US\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Configuration\Schema\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3624
    - - C:\odt\fontdrvhost.exe
        
        "C:\odt\fontdrvhost.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4904
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1460
        
        C:\odt\fontdrvhost.exe
        
        "C:\odt\fontdrvhost.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bhowVEGEG8.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5744
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:5800
        
        C:\odt\fontdrvhost.exe
        
        "C:\odt\fontdrvhost.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5820
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\95TPLp0dsP.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:5980
        
        C:\odt\fontdrvhost.exe
        
        "C:\odt\fontdrvhost.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:6000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XaHtVPtwVH.bat"
        12⤵
        
        PID:6104
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:5132
        
        C:\odt\fontdrvhost.exe
        
        "C:\odt\fontdrvhost.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8tyQ25hERL.bat"
        14⤵
        
        PID:4092
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:5020
        
        C:\odt\fontdrvhost.exe
        
        "C:\odt\fontdrvhost.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tGPC7CVf0d.bat"
        16⤵
        
        PID:4012
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:5500
        
        C:\odt\fontdrvhost.exe
        
        "C:\odt\fontdrvhost.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kQw8FYVnXF.bat"
        18⤵
        
        PID:5224
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4812
        
        C:\odt\fontdrvhost.exe
        
        "C:\odt\fontdrvhost.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D5faDLbbQ0.bat"
        20⤵
        
        PID:3440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:3632
        
        C:\odt\fontdrvhost.exe
        
        "C:\odt\fontdrvhost.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbgl9PPr7s.bat"
        22⤵
        
        PID:5528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3112
        
        C:\odt\fontdrvhost.exe
        
        "C:\odt\fontdrvhost.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sPXGbYzrvf.bat"
        24⤵
        
        PID:4868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:3096
        
        C:\odt\fontdrvhost.exe
        
        "C:\odt\fontdrvhost.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cYhs0sn2L6.bat"
        26⤵
        
        PID:2980
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2124
        
        C:\odt\fontdrvhost.exe
        
        "C:\odt\fontdrvhost.exe"
        27⤵
        Executes dropped EXE
        
        PID:1252
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\it-IT\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\it-IT\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\it-IT\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\Migration\WTR\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\Migration\WTR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Default\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\en-US\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\odt\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\odt\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Pictures\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\tracing\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Windows\tracing\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Schema\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eae05d42b5e10303a6a8ff9271c9f3ea

SHA1
f1db70800544ff57c5fd891c55965c117b9a5276

SHA256
b44bcd00507d2be4b86c527edae4f76b690efb7d984f30461749921a79596aa9

SHA512
d7143b35a3e9158b1c75c45deb005198e4ce9def7fab6b71afa4a5a6f2b3062f59c5de1815d6e0df04225d08f31f5efba3aa5d22f22e5f9fb4e4d00a38d4d336

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eae05d42b5e10303a6a8ff9271c9f3ea

SHA1
f1db70800544ff57c5fd891c55965c117b9a5276

SHA256
b44bcd00507d2be4b86c527edae4f76b690efb7d984f30461749921a79596aa9

SHA512
d7143b35a3e9158b1c75c45deb005198e4ce9def7fab6b71afa4a5a6f2b3062f59c5de1815d6e0df04225d08f31f5efba3aa5d22f22e5f9fb4e4d00a38d4d336

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eec1c2f882e8080a2d4880fffd8687a7

SHA1
ae9d76441435b58787e1545e368a388fd223bd96

SHA256
4d2747583f3ed099aca5ce72f139330dc6044f09b995d882a0a2028558236178

SHA512
594ce2df5a517ea497c1d8038fc5bad2c38b3c7e753ea960a0bdc2f6501ae56c82bd3439d694c04a3144e00e2a22cb97318697fbf65cd22280f52114a89130e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f8681423b065935d5c4c4d08a16b44f5

SHA1
d434c3397b6c609e215e1889d2fd90621314a393

SHA256
3fde214653d5687610f4fc9361dcac257c563f36dab30aca6f780bec7f910f1b

SHA512
fc00da24e4e36585e4b4d0b634e5c1dc5d6df2343dc7620d079128068e16e6b009c29bd5965747fc1e681974142bfe914f27aaf2876d2ed23a90340c536c3d70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f8681423b065935d5c4c4d08a16b44f5

SHA1
d434c3397b6c609e215e1889d2fd90621314a393

SHA256
3fde214653d5687610f4fc9361dcac257c563f36dab30aca6f780bec7f910f1b

SHA512
fc00da24e4e36585e4b4d0b634e5c1dc5d6df2343dc7620d079128068e16e6b009c29bd5965747fc1e681974142bfe914f27aaf2876d2ed23a90340c536c3d70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8ec366d278e2170d2e45f45a0fa5fb45

SHA1
e71eec89f2c34afc2f8fbfb9f2facfb8d4306051

SHA256
3247872a37411fbf5275cd1c2868843af602af5099ec73b11a5f13e2cf26782d

SHA512
ac058158b24dfcb26a4f185e50e1eb1fb01ff3af5796f0615dc3483e6f3826ec25394233b48cb29426a11398af3b68cc5060dc88c7f450fd99eb43c154f359cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8ec366d278e2170d2e45f45a0fa5fb45

SHA1
e71eec89f2c34afc2f8fbfb9f2facfb8d4306051

SHA256
3247872a37411fbf5275cd1c2868843af602af5099ec73b11a5f13e2cf26782d

SHA512
ac058158b24dfcb26a4f185e50e1eb1fb01ff3af5796f0615dc3483e6f3826ec25394233b48cb29426a11398af3b68cc5060dc88c7f450fd99eb43c154f359cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5edba1f0a60c1d509c5c331ad88b0e9f

SHA1
ee307cb06febfc6149e2f57816c2fda021d00ee5

SHA256
0af39659e50e52d672a044bd32f6278ef0efd0e5d4c5a873b466bfb74ef31ec1

SHA512
b11cccde9a5de005eec75eea0db265ca3c52f6ac9460eaae646fb0f7f684f54a692ce5686b3ee4355e8c6a80771c69d309c91b6809faa0dd0fa82372976475b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5edba1f0a60c1d509c5c331ad88b0e9f

SHA1
ee307cb06febfc6149e2f57816c2fda021d00ee5

SHA256
0af39659e50e52d672a044bd32f6278ef0efd0e5d4c5a873b466bfb74ef31ec1

SHA512
b11cccde9a5de005eec75eea0db265ca3c52f6ac9460eaae646fb0f7f684f54a692ce5686b3ee4355e8c6a80771c69d309c91b6809faa0dd0fa82372976475b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
43997de571228bca663321240687de49

SHA1
f92c400a8c63a78fb7bd27e768ad3acc38fe1365

SHA256
56b0cdee31b99a7126986a033d0015102edfb00da0028c5f8f68a32c702061d7

SHA512
0b119b84030286c08435a203ba1659ba1b2511e1dbd70a29da6c6f4bb251977e68008d1c07b13727b88c2d64a6a131d207a34fcfff9a54bfa8b3c6545f333ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
43997de571228bca663321240687de49

SHA1
f92c400a8c63a78fb7bd27e768ad3acc38fe1365

SHA256
56b0cdee31b99a7126986a033d0015102edfb00da0028c5f8f68a32c702061d7

SHA512
0b119b84030286c08435a203ba1659ba1b2511e1dbd70a29da6c6f4bb251977e68008d1c07b13727b88c2d64a6a131d207a34fcfff9a54bfa8b3c6545f333ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0162225b9a9f7ff099e153fd1c7cbf01

SHA1
46315cd0752fe05d56df223b72223bf35cfdb890

SHA256
cd561963a78b6afccf445dadcd1abf5d00370bf2fe1e4cdd6daa9605ff9c7b9f

SHA512
8bcdbb37640c5e8c7d060df85e1d2698ab4fdd26adcec2a208be0e9a18f269d3e58497467cf2fd81fa103c9a75da03d54aeda88d2c5cbaf7849989934456d84b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0162225b9a9f7ff099e153fd1c7cbf01

SHA1
46315cd0752fe05d56df223b72223bf35cfdb890

SHA256
cd561963a78b6afccf445dadcd1abf5d00370bf2fe1e4cdd6daa9605ff9c7b9f

SHA512
8bcdbb37640c5e8c7d060df85e1d2698ab4fdd26adcec2a208be0e9a18f269d3e58497467cf2fd81fa103c9a75da03d54aeda88d2c5cbaf7849989934456d84b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
303d16ec9974c061cff4ccfe0da6d9a4

SHA1
972219899d19dff313a7a9dc494c904ef9f3bf96

SHA256
1b61c3388ad26a997c8f83cd29bc63b5dee1c8168f490331ee0b0be962a1ac6c

SHA512
039f385e6fc4e4740a17ad7bdb837bc6c4563c3ab01575f9f5e3a168e9f8e7a6c41916e0e3a646908e5492069add9c9d0bf81000e3e6463a264b37399bb25f0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2897f75bae9283a44c1626faba158893

SHA1
fdb81cf08906756c4f5984d8220a9d03260c7af0

SHA256
083c34b7b7c40378d4a0c034f52c330d8c404a90e71ed1b1dca5408c88ee2cac

SHA512
4a08afcd4a5fa9e179ba643126932f1078cfc87d7c4b7748b757ea4a334959311ebc80f259f331cb56d84e4838015c9fabc96cab67a8d7427635809286045ea1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4a5408d0d1ef6ac686729bb7f307b049

SHA1
23c641cb53fa1d2f231016ccb0cc484955382c52

SHA256
f5ad106302931cd4b1eb69cea99a0c71ca1078f7f7b8aa69a05a3c80b7890687

SHA512
2d73e5bb30260f369ce80e3f4c130ef817fa32c75cf25c37f6b4b808fe291bbeb8bac003e4c0c4fcf7dfe51e164687fb2ec785c0d53a4b88524564a776fca844

Download Submit
C:\Users\Admin\AppData\Local\Temp\8tyQ25hERL.bat

Filesize
187B

MD5
d9bae514764b12564667e85933929cfd

SHA1
370ca9cd586585687891b0a73d4b9aa4bf4dcaae

SHA256
5bf95d45f7b9316331034976f49fe893df633622b8953909826be75f68ad0482

SHA512
abbf15fea8e2d3d27a0ec268f43e98fc6ccd734eb6bb9dd97f4a80dc451c512cd55920b5f163b84f712fa4629e8578b4da646c9fb958c2b64e6875e14c68991f

Download Submit
C:\Users\Admin\AppData\Local\Temp\95TPLp0dsP.bat

Filesize
187B

MD5
1c9e542b0bffad0f762b135a74ffdc29

SHA1
ac7d8482e80573e6cc570c0eaf45494212904c31

SHA256
e3cd6043a1e7c07f30a0744f54327166493f80b53fe0d5a1a6291f3365b16b43

SHA512
c5e9238af0224062d332416dbeefdc830d43dc9b53d6ee3afe51e362747949bc5a5b73c960a035ff58b753d8d1033596dd5985ef6826e4fdb3a62a532a96e513

Download Submit
C:\Users\Admin\AppData\Local\Temp\D5faDLbbQ0.bat

Filesize
187B

MD5
a765cd93e9cf8289b5c1e3845e9fe58a

SHA1
4177120359d886a294b30941f1393baa8a5e6552

SHA256
9a8130e1361d3bdcf2979c49ba3b3d03c3917a1a629514e176a01d974d74e9e0

SHA512
587193cdd5a522727820421eb742b1c788193ef7b2c41853ce5627b68d402bc4de1c90b9bdfbb5a0eacde459a53146af6a0c8436caf11d4d13e7cdd204bb50a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pbgl9PPr7s.bat

Filesize
187B

MD5
a4cac65936c2e0c95742239197467cb9

SHA1
07e83de1d3a2beb9b83de9a8244d70e60af15ed1

SHA256
487d036ee077213bb375afca49f12b0c2109a801020cf2edf9906af238dc16f1

SHA512
50b7cfe74ba5b7b79d0bb593d12f2c77d732959f3a692fdf93610dd8146a8d2f0a401d6f86f8e3200091f8dce6e086a6dc235fd9a566636c16e3edf9043f356c

Download Submit
C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat

Filesize
187B

MD5
07c67d4c8ce12e980d5baf9342aac9a7

SHA1
c0a99ee3f983cf8a7afa5d5fbe39a4a510e6fc72

SHA256
1e221b573e6df62e819b47f3998b7f1cabbd87398b9bb5a59570deb43b63be2e

SHA512
999fc6464574a6213c3bf03e4e0ad81e85e08029fe306e77070e0b8fd3ea8931dc5e587b3fbba4fd98bb4a2398f076e9a4768b8dd34aec00ece0f4ae68beb468

Download Submit
C:\Users\Admin\AppData\Local\Temp\XaHtVPtwVH.bat

Filesize
187B

MD5
486ab6ac0dd3c2fbb6127e94c131717a

SHA1
272ee9b81f854123a606e6005395365b2de0746b

SHA256
53fe1c8775e89524410b4d49c34040a52f40903d02fb97b7ca96096c7d30034c

SHA512
37c2f8a97e70f8cf5cf44fb5c8dfcf35d6858d188629c8016226e4b62ee3a143c8c10b3cae3fcfb7a53673f9a15dedf9b5b150e64c3be19880000dc886f0908c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bhowVEGEG8.bat

Filesize
187B

MD5
42bd327b45fa7e7117e7ce0e54c72fa5

SHA1
7ca361d93ba59029c68ec75e89e56bb19436bfc5

SHA256
e068cee2eafe2e4f43e4e274615e386f57533754a2c4f568e66288e580920ff4

SHA512
3570a12ac0c236a4b3afb305ca9be39fdfde1d7325e9c50db1f91970789d14c2c976407d9a2c491566275152975babe0f936d9c1566b8b5d335d13e22cb5bfdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYhs0sn2L6.bat

Filesize
187B

MD5
29fa8f5c7775c42df9d216ce0841bddc

SHA1
d0457369b8d1e81c8e5f1201543015d1bea93c60

SHA256
151fc69eca92196adce2497ad256098bc6ba1449f337e0b4d3781d5189541922

SHA512
b80eb97767b7c3c648a3e57ee2542668d20cb821e08121fb5282ef6cfac79b82807079df6c19a67ce6b20a42ae8a3b63049f0cf0d32f1869cce91c28e5812a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQw8FYVnXF.bat

Filesize
187B

MD5
5de0c4be35c730bbed95904bd88b3823

SHA1
d4440193d56c699e4badd48d84e14b08b252c9ea

SHA256
a2e35d62f01b5929f0b49776a42f09063d4a9d2b27a0bb97414e2ddd34e97865

SHA512
8026a46a50cf3578661e55cc6c623633ff97becc2f7882af920e168a7fde907c39a9c58117a0884132cfad74f7b52856996a879ae2e01de8deea3d9140e5d1c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sPXGbYzrvf.bat

Filesize
187B

MD5
66f213f5ad313fcc0ef05b2c43e1f6c8

SHA1
4a49c528cbbd2483c23aa848fc367e0d0296cf9b

SHA256
18eaee683a79d309499aa1d3cd897f16e83f0e305b78b38c79f504923207538c

SHA512
79e0759349a208c8d12f72ff06f416ebf0c914191ef8ae4d53fe6623d2323bbc77d828cd5178f10a234b2c0da7bc515b1f3d8fa0f887a584a37c373637b2f794

Download Submit
C:\Users\Admin\AppData\Local\Temp\tGPC7CVf0d.bat

Filesize
187B

MD5
66df9aa13c007c32100dbb06094e5d27

SHA1
bf8c35c1e34d26348c87dc2b85a49d76288513cf

SHA256
4d363bdbf703040d28e92f1f74908a71771768e32a3a21a8e2c4ed13ffe4296c

SHA512
4377c83cec9deefd767515acad7db0f95e87196a4e2743222385d0867c7618c33e5a3ef4b23bdd27d53559e697f34d6be620b4d06b50027a1e6c0ca4c7f97cf5

Download Submit
C:\odt\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\fontdrvhost.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1072-989-0x0000000002260000-0x0000000002272000-memory.dmp

Filesize
72KB

Download
memory/2052-395-0x000001D023920000-0x000001D023996000-memory.dmp

Filesize
472KB

Download
memory/2052-383-0x000001D023770000-0x000001D023792000-memory.dmp

Filesize
136KB

Download
memory/2476-149-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-144-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-166-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-165-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-177-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-164-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-163-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-162-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-161-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-160-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-159-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-158-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-157-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-156-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-155-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-154-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-176-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-175-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-116-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-174-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-153-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-173-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-172-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-152-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-151-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-150-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-168-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-115-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-148-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-147-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-171-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-146-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-145-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-178-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-143-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-117-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-170-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-169-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-118-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-142-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-167-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-141-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-140-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-139-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-138-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-137-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-136-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-135-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-134-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-133-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-132-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-131-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-130-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-129-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-128-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-127-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-126-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-125-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-124-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-123-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-121-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/2476-120-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/4216-284-0x0000000000EA0000-0x0000000000EAC000-memory.dmp

Filesize
48KB

Download
memory/4216-285-0x0000000000EC0000-0x0000000000ECC000-memory.dmp

Filesize
48KB

Download
memory/4216-283-0x0000000000EB0000-0x0000000000EBC000-memory.dmp

Filesize
48KB

Download
memory/4216-281-0x00000000005D0000-0x00000000006E0000-memory.dmp

Filesize
1.1MB

Download
memory/4216-282-0x0000000000E90000-0x0000000000EA2000-memory.dmp

Filesize
72KB

Download
memory/4732-983-0x0000000002D00000-0x0000000002D12000-memory.dmp

Filesize
72KB

Download
memory/5100-180-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/5100-181-0x00000000777D0000-0x000000007795E000-memory.dmp

Filesize
1.6MB

Download
memory/5820-946-0x0000000001130000-0x0000000001142000-memory.dmp

Filesize
72KB

Download
memory/6000-952-0x00000000025B0000-0x00000000025C2000-memory.dmp

Filesize
72KB

Download