dcrat | 543affcfc0188c85d0f55630d7144ce2632369f549731ef10979faf74c450fbd

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2023 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

543affcfc0188c85d0f55630d7144ce2632369f549731ef10979faf74c450fbd.exe
Size

1.3MB
MD5

76ff81679168b8dfcc0ff5ef20c6d19e
SHA1

0f857cbe340295218548036c169b51a4e5c66ea2
SHA256

543affcfc0188c85d0f55630d7144ce2632369f549731ef10979faf74c450fbd
SHA512

4cab2a4f592444dcb128d7d79aaae101bc6b0d96a35a5d447921e2ba42cd864b679362eb6f75e9acd2efe2c2a44d0c64b22aeceb3c4c3361c9521cf762767b37
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	1220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3724	1220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	1220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	1220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	1220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3584	1220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	1220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	1220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	1220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	1220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	1220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	1220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	1220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	1220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3636	1220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	1220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	1220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	1220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	1220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3364	1220	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	1220	schtasks.exe

DCRat payload 14 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral1/memory/4908-139-0x0000000000860000-0x0000000000970000-memory.dmp	dcrat
C:\odt\fontdrvhost.exe	dcrat
C:\odt\fontdrvhost.exe	dcrat
C:\odt\fontdrvhost.exe	dcrat
C:\odt\fontdrvhost.exe	dcrat
C:\odt\fontdrvhost.exe	dcrat
C:\odt\fontdrvhost.exe	dcrat
C:\odt\fontdrvhost.exe	dcrat
C:\odt\fontdrvhost.exe	dcrat
C:\odt\fontdrvhost.exe	dcrat
C:\odt\fontdrvhost.exe	dcrat
C:\odt\fontdrvhost.exe	dcrat

Executes dropped EXE 11 IoCs

Processes:

DllCommonsvc.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe

pid	process
4908	DllCommonsvc.exe
1976	fontdrvhost.exe
2708	fontdrvhost.exe
4708	fontdrvhost.exe
2456	fontdrvhost.exe
2016	fontdrvhost.exe
2368	fontdrvhost.exe
3492	fontdrvhost.exe
3392	fontdrvhost.exe
3172	fontdrvhost.exe
2240	fontdrvhost.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fontdrvhost.exefontdrvhost.exe543affcfc0188c85d0f55630d7144ce2632369f549731ef10979faf74c450fbd.exeDllCommonsvc.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exeWScript.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	543affcfc0188c85d0f55630d7144ce2632369f549731ef10979faf74c450fbd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 2 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\Idle.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Windows\ModemLogs\c82b8037eab33d	DllCommonsvc.exe
File created	C:\Windows\ModemLogs\WaaSMedicAgent.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
5088	schtasks.exe
3192	schtasks.exe
4536	schtasks.exe
2276	schtasks.exe
3540	schtasks.exe
2236	schtasks.exe
2484	schtasks.exe
1300	schtasks.exe
4632	schtasks.exe
1520	schtasks.exe
3952	schtasks.exe
3364	schtasks.exe
5112	schtasks.exe
1900	schtasks.exe
5020	schtasks.exe
2516	schtasks.exe
1176	schtasks.exe
3584	schtasks.exe
2292	schtasks.exe
3636	schtasks.exe
3724	schtasks.exe

Modifies registry class 12 IoCs

Processes:

543affcfc0188c85d0f55630d7144ce2632369f549731ef10979faf74c450fbd.exeDllCommonsvc.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	543affcfc0188c85d0f55630d7144ce2632369f549731ef10979faf74c450fbd.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	fontdrvhost.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe

pid	process
4908	DllCommonsvc.exe
4908	DllCommonsvc.exe
4908	DllCommonsvc.exe
528	powershell.exe
528	powershell.exe
4288	powershell.exe
4288	powershell.exe
4808	powershell.exe
4808	powershell.exe
1112	powershell.exe
1112	powershell.exe
4544	powershell.exe
4544	powershell.exe
908	powershell.exe
908	powershell.exe
4808	powershell.exe
4812	powershell.exe
4812	powershell.exe
3060	powershell.exe
3060	powershell.exe
4288	powershell.exe
528	powershell.exe
4544	powershell.exe
1112	powershell.exe
4812	powershell.exe
908	powershell.exe
3060	powershell.exe
1976	fontdrvhost.exe
2708	fontdrvhost.exe
4708	fontdrvhost.exe
2456	fontdrvhost.exe
2016	fontdrvhost.exe
2368	fontdrvhost.exe
3492	fontdrvhost.exe
3392	fontdrvhost.exe
3172	fontdrvhost.exe
2240	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	4908	DllCommonsvc.exe
Token: SeDebugPrivilege	528	powershell.exe
Token: SeDebugPrivilege	4288	powershell.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	4812	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	1976	fontdrvhost.exe
Token: SeDebugPrivilege	2708	fontdrvhost.exe
Token: SeDebugPrivilege	4708	fontdrvhost.exe
Token: SeDebugPrivilege	2456	fontdrvhost.exe
Token: SeDebugPrivilege	2016	fontdrvhost.exe
Token: SeDebugPrivilege	2368	fontdrvhost.exe
Token: SeDebugPrivilege	3492	fontdrvhost.exe
Token: SeDebugPrivilege	3392	fontdrvhost.exe
Token: SeDebugPrivilege	3172	fontdrvhost.exe
Token: SeDebugPrivilege	2240	fontdrvhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

543affcfc0188c85d0f55630d7144ce2632369f549731ef10979faf74c450fbd.exeWScript.execmd.exeDllCommonsvc.execmd.exefontdrvhost.execmd.exefontdrvhost.execmd.exefontdrvhost.execmd.exefontdrvhost.execmd.exefontdrvhost.execmd.exefontdrvhost.execmd.exe

description	pid	process	target process
PID 4892 wrote to memory of 1952	4892	543affcfc0188c85d0f55630d7144ce2632369f549731ef10979faf74c450fbd.exe	WScript.exe
PID 4892 wrote to memory of 1952	4892	543affcfc0188c85d0f55630d7144ce2632369f549731ef10979faf74c450fbd.exe	WScript.exe
PID 4892 wrote to memory of 1952	4892	543affcfc0188c85d0f55630d7144ce2632369f549731ef10979faf74c450fbd.exe	WScript.exe
PID 1952 wrote to memory of 3440	1952	WScript.exe	cmd.exe
PID 1952 wrote to memory of 3440	1952	WScript.exe	cmd.exe
PID 1952 wrote to memory of 3440	1952	WScript.exe	cmd.exe
PID 3440 wrote to memory of 4908	3440	cmd.exe	DllCommonsvc.exe
PID 3440 wrote to memory of 4908	3440	cmd.exe	DllCommonsvc.exe
PID 4908 wrote to memory of 528	4908	DllCommonsvc.exe	powershell.exe
PID 4908 wrote to memory of 528	4908	DllCommonsvc.exe	powershell.exe
PID 4908 wrote to memory of 4808	4908	DllCommonsvc.exe	powershell.exe
PID 4908 wrote to memory of 4808	4908	DllCommonsvc.exe	powershell.exe
PID 4908 wrote to memory of 4288	4908	DllCommonsvc.exe	powershell.exe
PID 4908 wrote to memory of 4288	4908	DllCommonsvc.exe	powershell.exe
PID 4908 wrote to memory of 908	4908	DllCommonsvc.exe	powershell.exe
PID 4908 wrote to memory of 908	4908	DllCommonsvc.exe	powershell.exe
PID 4908 wrote to memory of 4544	4908	DllCommonsvc.exe	powershell.exe
PID 4908 wrote to memory of 4544	4908	DllCommonsvc.exe	powershell.exe
PID 4908 wrote to memory of 3060	4908	DllCommonsvc.exe	powershell.exe
PID 4908 wrote to memory of 3060	4908	DllCommonsvc.exe	powershell.exe
PID 4908 wrote to memory of 1112	4908	DllCommonsvc.exe	powershell.exe
PID 4908 wrote to memory of 1112	4908	DllCommonsvc.exe	powershell.exe
PID 4908 wrote to memory of 4812	4908	DllCommonsvc.exe	powershell.exe
PID 4908 wrote to memory of 4812	4908	DllCommonsvc.exe	powershell.exe
PID 4908 wrote to memory of 4348	4908	DllCommonsvc.exe	cmd.exe
PID 4908 wrote to memory of 4348	4908	DllCommonsvc.exe	cmd.exe
PID 4348 wrote to memory of 2540	4348	cmd.exe	w32tm.exe
PID 4348 wrote to memory of 2540	4348	cmd.exe	w32tm.exe
PID 4348 wrote to memory of 1976	4348	cmd.exe	fontdrvhost.exe
PID 4348 wrote to memory of 1976	4348	cmd.exe	fontdrvhost.exe
PID 1976 wrote to memory of 3416	1976	fontdrvhost.exe	cmd.exe
PID 1976 wrote to memory of 3416	1976	fontdrvhost.exe	cmd.exe
PID 3416 wrote to memory of 2056	3416	cmd.exe	w32tm.exe
PID 3416 wrote to memory of 2056	3416	cmd.exe	w32tm.exe
PID 3416 wrote to memory of 2708	3416	cmd.exe	fontdrvhost.exe
PID 3416 wrote to memory of 2708	3416	cmd.exe	fontdrvhost.exe
PID 2708 wrote to memory of 224	2708	fontdrvhost.exe	cmd.exe
PID 2708 wrote to memory of 224	2708	fontdrvhost.exe	cmd.exe
PID 224 wrote to memory of 4824	224	cmd.exe	w32tm.exe
PID 224 wrote to memory of 4824	224	cmd.exe	w32tm.exe
PID 224 wrote to memory of 4708	224	cmd.exe	fontdrvhost.exe
PID 224 wrote to memory of 4708	224	cmd.exe	fontdrvhost.exe
PID 4708 wrote to memory of 4240	4708	fontdrvhost.exe	cmd.exe
PID 4708 wrote to memory of 4240	4708	fontdrvhost.exe	cmd.exe
PID 4240 wrote to memory of 2436	4240	cmd.exe	w32tm.exe
PID 4240 wrote to memory of 2436	4240	cmd.exe	w32tm.exe
PID 4240 wrote to memory of 2456	4240	cmd.exe	fontdrvhost.exe
PID 4240 wrote to memory of 2456	4240	cmd.exe	fontdrvhost.exe
PID 2456 wrote to memory of 1672	2456	fontdrvhost.exe	cmd.exe
PID 2456 wrote to memory of 1672	2456	fontdrvhost.exe	cmd.exe
PID 1672 wrote to memory of 2024	1672	cmd.exe	w32tm.exe
PID 1672 wrote to memory of 2024	1672	cmd.exe	w32tm.exe
PID 1672 wrote to memory of 2016	1672	cmd.exe	fontdrvhost.exe
PID 1672 wrote to memory of 2016	1672	cmd.exe	fontdrvhost.exe
PID 2016 wrote to memory of 4528	2016	fontdrvhost.exe	cmd.exe
PID 2016 wrote to memory of 4528	2016	fontdrvhost.exe	cmd.exe
PID 4528 wrote to memory of 4368	4528	cmd.exe	w32tm.exe
PID 4528 wrote to memory of 4368	4528	cmd.exe	w32tm.exe
PID 4528 wrote to memory of 2368	4528	cmd.exe	fontdrvhost.exe
PID 4528 wrote to memory of 2368	4528	cmd.exe	fontdrvhost.exe
PID 2368 wrote to memory of 5088	2368	fontdrvhost.exe	cmd.exe
PID 2368 wrote to memory of 5088	2368	fontdrvhost.exe	cmd.exe
PID 5088 wrote to memory of 3780	5088	cmd.exe	w32tm.exe
PID 5088 wrote to memory of 3780	5088	cmd.exe	w32tm.exe

C:\Users\Admin\AppData\Local\Temp\543affcfc0188c85d0f55630d7144ce2632369f549731ef10979faf74c450fbd.exe
"C:\Users\Admin\AppData\Local\Temp\543affcfc0188c85d0f55630d7144ce2632369f549731ef10979faf74c450fbd.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3440

C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\WaaSMedicAgent.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\Idle.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\fontdrvhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\csrss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4812

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\goHUQDLY2m.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
6⤵
PID:2540

C:\odt\fontdrvhost.exe
"C:\odt\fontdrvhost.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat"
7⤵
- Suspicious use of WriteProcessMemory
PID:3416

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:2056

C:\odt\fontdrvhost.exe
"C:\odt\fontdrvhost.exe"
8⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vkfoWdc5zM.bat"
9⤵
- Suspicious use of WriteProcessMemory
PID:224

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
10⤵
PID:4824

C:\odt\fontdrvhost.exe
"C:\odt\fontdrvhost.exe"
10⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4708

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat"
11⤵
- Suspicious use of WriteProcessMemory
PID:4240

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
12⤵
PID:2436

C:\odt\fontdrvhost.exe
"C:\odt\fontdrvhost.exe"
12⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2456

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NDsGBfOUR3.bat"
13⤵
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
14⤵
PID:2024

C:\odt\fontdrvhost.exe
"C:\odt\fontdrvhost.exe"
14⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat"
15⤵
- Suspicious use of WriteProcessMemory
PID:4528

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
16⤵
PID:4368

C:\odt\fontdrvhost.exe
"C:\odt\fontdrvhost.exe"
16⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D6YKtyItKL.bat"
17⤵
- Suspicious use of WriteProcessMemory
PID:5088

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
18⤵
PID:3780

C:\odt\fontdrvhost.exe
"C:\odt\fontdrvhost.exe"
18⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3492

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xghrCifyI9.bat"
19⤵
PID:3448

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
20⤵
PID:3308

C:\odt\fontdrvhost.exe
"C:\odt\fontdrvhost.exe"
20⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3392

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat"
21⤵
PID:1300

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
22⤵
PID:4960

C:\odt\fontdrvhost.exe
"C:\odt\fontdrvhost.exe"
22⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3172

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat"
23⤵
PID:4568

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
24⤵
PID:4468

C:\odt\fontdrvhost.exe
"C:\odt\fontdrvhost.exe"
24⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M2NHsv551y.bat"
25⤵
PID:4872

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
26⤵
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 7 /tr "'C:\Windows\ModemLogs\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Windows\ModemLogs\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Windows\ModemLogs\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\odt\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3540

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log
Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6YKtyItKL.bat
Filesize
187B

MD5
62ed96486425f2d57555f7edf8acd6ad

SHA1
84dee11173000e5547370dd31ae1d8146b257d2d

SHA256
aaf9fa1fd0ff6b6534286f4fb6ebca23a2d73e14d206b5ef5750622efcc563ec

SHA512
40dc1f764aa3eb7086a8be723cbc094dea83fec604cb9254cc79e01f4f70896d1bd17c61e2036e7693c3b53fb453320e1401fcef0471ef52ea35f9c2f8838d6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat
Filesize
187B

MD5
e693b03418f9de934e9dd51ab08a5a0f

SHA1
6216f3756f037ff044548be3d66a4d6baff43f27

SHA256
e5028a19c6884e649b1ca290e745659da67cce54848c83b5d877c238d883305e

SHA512
fae4723548e1996655b324c2175be1223b54feeee05564523cb60129664f7904bab476365047785d3828e4cfc9f607739ff7c50eeac73129922c59958973bff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\M2NHsv551y.bat
Filesize
187B

MD5
503e28b4986702a055fcf28aabb58bb9

SHA1
d9dc8474d3fb8a55614449ed3a2659ba74cb4640

SHA256
2626886382a02ce760d740ccb8aea5dc4602b77a90c0629f664fc50896039f47

SHA512
feda2b220609492484bbc09cd16dba0750ff1be6512e0ecdcbbde067ec7b8e861509946005e836559524b96b18b5bf69220398d0b56c87dc4a66c3335a833e4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDsGBfOUR3.bat
Filesize
187B

MD5
19a3c3acf1f498c827ed486c45115710

SHA1
b1a0f7e1a974900141a4e4b943158d36828a318c

SHA256
20bc7cb9237d3004288d087454a47a16426bead6bcaddbae2601f29b27b2dc73

SHA512
548ed61dd3809d0d7b611d21593423b8eb20464ca01a4802836f8864f8526eea37296deef5f7d5b41f89c05e89b17f56d0379afde0a0fa2b4e9fb3ed1cc0e6e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat
Filesize
187B

MD5
d248e6be660870f86a766e80b7876b19

SHA1
99e01499e0109cb3f2004a10b24bb79f7c997a6c

SHA256
4594b93c3f27f88bf6f2e9e70d7b57d82936c9db4a38cb2b6be3af1901019306

SHA512
74b5b6d9bf410579c990f94f70dbe9b9d933bb74672b7a90a2c7281822052550365dc99f9a2ed49488db836bbdbac3c44fb34fb57d24c49d0116f53d8fd89a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat
Filesize
187B

MD5
4b36d935ea77b973d53e5ccef300051e

SHA1
d2abe38d7abd936c171e30898a5c481a261ae24c

SHA256
388107b289dad7c208f76d544e458eda08094ee8efba6c8a10ad5f0e17e9cfc6

SHA512
869965959f67f5ec8437d9c94868595f35ca0ada39c064f3afde9e002a725126881507936e1d19772ec4fb76003d0ac87ee8a21c09b45e7e52d05d434470deb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\goHUQDLY2m.bat
Filesize
187B

MD5
c3b16d95666bcccb0d03966a3ced627a

SHA1
633c7c11b567d7117312d3ed846fb19655b7b479

SHA256
3ca4435e326638f5fd200a9c77b30d5262e29c62d1fd59510ad5e562115923d2

SHA512
66655e57fbbecb635291f52e3392241f395c0a030b9cd4307942473fe7fed099415f9ea8e760881c03237dd7082428c9553b3e5ea983974f796dc0ae1599f903

Download Submit
C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat
Filesize
187B

MD5
bc5840dc16fc2efc51495cab1c2910b2

SHA1
2cd9247b975cf89483d4d536346245ece149660e

SHA256
fdcbe84796285373704df20abfeedf7dd0fe76a58f189cec21eef3a0c60c1763

SHA512
18b4995fbfc868178b4de5dcddcc0fbbb8e40d8cffd3805405c0dc4b3a30f7fae38c64a85ef2b06c984a58b46e437afc3d752e1daafa6dc0f18d6f065c7a0053

Download Submit
C:\Users\Admin\AppData\Local\Temp\vkfoWdc5zM.bat
Filesize
187B

MD5
08ec16ba946d3f679eb48aaf1d17c8cc

SHA1
3f67a0eb425d8ea95caeb15cf180bd4e33f80ba2

SHA256
d4e987e871bbfac6f0e87275dcf9aaa2797303e4a5833c20df67b9d2d5099577

SHA512
98110a41dc186d511e33bee540eb519c1181d5b710488746c740113129aeb3d55290fa21f283348a489c3047136cec04560d6bcbacfb9d39d27547e217e20871

Download Submit
C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat
Filesize
187B

MD5
ee4b425f42d392975f25027d87b99f69

SHA1
a36e62d4381cba89a7b84a72beef80ef08061a1f

SHA256
1911b205466893e5e3e652b4e096af173839e7c74416cc67d7d03fe6b1e134af

SHA512
a4fe784bbba4f04b4a8d03e38b5165e3927037dc85b299eec01b1f4a47403b969dd72d982e444c3d25fbc195af038cfd052f94d40797f8ff370f394134158fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\xghrCifyI9.bat
Filesize
187B

MD5
6a17dd4d081c8433ccbc44a1d67c061a

SHA1
74046e88b0ae65b0b2b9e3e678755cadc56cbdfc

SHA256
fd52696468bd9ef3a08cf3da07879f3e5955299bf479196bd0ba77d58532e6c3

SHA512
10988c1e9222f059bbc5a1c503df092003d8bcee1fb798516a8b6d858df64116692932bfb51029994e6cacef884dc230aa5d36b47df013df38053b4760167980

Download Submit
C:\odt\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\odt\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat
Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/224-190-0x0000000000000000-mapping.dmp

Download
memory/528-141-0x0000000000000000-mapping.dmp

Download
memory/528-152-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download
memory/528-170-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download
memory/528-149-0x0000021CCDF00000-0x0000021CCDF22000-memory.dmp

Filesize
136KB

Download
memory/908-175-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download
memory/908-144-0x0000000000000000-mapping.dmp

Download
memory/908-155-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download
memory/1112-147-0x0000000000000000-mapping.dmp

Download
memory/1112-167-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download
memory/1112-159-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download
memory/1300-232-0x0000000000000000-mapping.dmp

Download
memory/1476-248-0x0000000000000000-mapping.dmp

Download
memory/1672-204-0x0000000000000000-mapping.dmp

Download
memory/1952-132-0x0000000000000000-mapping.dmp

Download
memory/1976-185-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download
memory/1976-181-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download
memory/1976-178-0x0000000000000000-mapping.dmp

Download
memory/2016-210-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download
memory/2016-214-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download
memory/2016-208-0x0000000000000000-mapping.dmp

Download
memory/2024-206-0x0000000000000000-mapping.dmp

Download
memory/2056-184-0x0000000000000000-mapping.dmp

Download
memory/2240-249-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download
memory/2240-243-0x0000000000000000-mapping.dmp

Download
memory/2240-245-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download
memory/2368-215-0x0000000000000000-mapping.dmp

Download
memory/2368-221-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download
memory/2368-217-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download
memory/2436-199-0x0000000000000000-mapping.dmp

Download
memory/2456-207-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download
memory/2456-203-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download
memory/2456-201-0x0000000000000000-mapping.dmp

Download
memory/2540-161-0x0000000000000000-mapping.dmp

Download
memory/2708-189-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download
memory/2708-193-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download
memory/2708-186-0x0000000000000000-mapping.dmp

Download
memory/3060-177-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download
memory/3060-146-0x0000000000000000-mapping.dmp

Download
memory/3060-158-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download
memory/3172-238-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download
memory/3172-236-0x0000000000000000-mapping.dmp

Download
memory/3172-242-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download
memory/3308-227-0x0000000000000000-mapping.dmp

Download
memory/3392-235-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download
memory/3392-231-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download
memory/3392-229-0x0000000000000000-mapping.dmp

Download
memory/3416-182-0x0000000000000000-mapping.dmp

Download
memory/3440-135-0x0000000000000000-mapping.dmp

Download
memory/3448-225-0x0000000000000000-mapping.dmp

Download
memory/3492-222-0x0000000000000000-mapping.dmp

Download
memory/3492-224-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download
memory/3492-228-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download
memory/3780-220-0x0000000000000000-mapping.dmp

Download
memory/4240-197-0x0000000000000000-mapping.dmp

Download
memory/4288-169-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download
memory/4288-143-0x0000000000000000-mapping.dmp

Download
memory/4288-153-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download
memory/4348-150-0x0000000000000000-mapping.dmp

Download
memory/4368-213-0x0000000000000000-mapping.dmp

Download
memory/4468-241-0x0000000000000000-mapping.dmp

Download
memory/4528-211-0x0000000000000000-mapping.dmp

Download
memory/4544-157-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download
memory/4544-173-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download
memory/4544-145-0x0000000000000000-mapping.dmp

Download
memory/4568-239-0x0000000000000000-mapping.dmp

Download
memory/4708-200-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download
memory/4708-196-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download
memory/4708-194-0x0000000000000000-mapping.dmp

Download
memory/4808-164-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download
memory/4808-142-0x0000000000000000-mapping.dmp

Download
memory/4808-154-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download
memory/4812-174-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download
memory/4812-160-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download
memory/4812-148-0x0000000000000000-mapping.dmp

Download
memory/4824-192-0x0000000000000000-mapping.dmp

Download
memory/4872-246-0x0000000000000000-mapping.dmp

Download
memory/4908-140-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download
memory/4908-151-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp

Filesize
10.8MB

Download
memory/4908-139-0x0000000000860000-0x0000000000970000-memory.dmp

Filesize
1.1MB

Download
memory/4908-136-0x0000000000000000-mapping.dmp

Download
memory/4960-234-0x0000000000000000-mapping.dmp

Download
memory/5088-218-0x0000000000000000-mapping.dmp

Download