Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-02-2023 12:31
Behavioral task: behavioral1
Sample: 543affcfc0188c85d0f55630d7144ce2632369f549731ef10979faf74c450fbd.exe
Resource: win10v2004-20221111-en
General
Target: 543affcfc0188c85d0f55630d7144ce2632369f549731ef10979faf74c450fbd.exe
Size: 1.3MB
MD5: 76ff81679168b8dfcc0ff5ef20c6d19e
SHA1: 0f857cbe340295218548036c169b51a4e5c66ea2
SHA256: 543affcfc0188c85d0f55630d7144ce2632369f549731ef10979faf74c450fbd
SHA512: 4cab2a4f592444dcb128d7d79aaae101bc6b0d96a35a5d447921e2ba42cd864b679362eb6f75e9acd2efe2c2a44d0c64b22aeceb3c4c3361c9521cf762767b37
SSDEEP: 24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 21 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (21 instances)
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2236 | 1220 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3724 | 1220 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5112 | 1220 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5088 | 1220 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3192 | 1220 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3584 | 1220 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1176 | 1220 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1900 | 1220 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4536 | 1220 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2484 | 1220 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1300 | 1220 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2292 | 1220 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5020 | 1220 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4632 | 1220 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3636 | 1220 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1520 | 1220 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2516 | 1220 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2276 | 1220 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3952 | 1220 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3364 | 1220 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3540 | 1220 | schtasks.exe
Processes:
resource | yara_rule
C:\providercommon\DllCommonsvc.exe | dcrat
C:\providercommon\DllCommonsvc.exe | dcrat
behavioral1/memory/4908-139-0x0000000000860000-0x0000000000970000-memory.dmp | dcrat
C:\odt\fontdrvhost.exe | dcrat (11 identical rows)
Executes dropped EXE 11 IoCs
Processes: DllCommonsvc.exe, fontdrvhost.exe (10 instances)
pid | process
4908 | DllCommonsvc.exe
1976 | fontdrvhost.exe
2708 | fontdrvhost.exe
4708 | fontdrvhost.exe
2456 | fontdrvhost.exe
2016 | fontdrvhost.exe
2368 | fontdrvhost.exe
3492 | fontdrvhost.exe
3392 | fontdrvhost.exe
3172 | fontdrvhost.exe
2240 | fontdrvhost.exe
Checks computer location settings 2 TTPs 13 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: fontdrvhost.exe (10 instances), 543affcfc0188c85d0f55630d7144ce2632369f549731ef10979faf74c450fbd.exe, DllCommonsvc.exe, WScript.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | 543affcfc0188c85d0f55630d7144ce2632369f549731ef10979faf74c450fbd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | DllCommonsvc.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | fontdrvhost.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in Program Files directory 2 IoCs
Processes: DllCommonsvc.exe
description | ioc | process
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\6ccacd8608530f | DllCommonsvc.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\Idle.exe | DllCommonsvc.exe
Drops file in Windows directory 2 IoCs
Processes: DllCommonsvc.exe
description | ioc | process
File created | C:\Windows\ModemLogs\c82b8037eab33d | DllCommonsvc.exe
File created | C:\Windows\ModemLogs\WaaSMedicAgent.exe | DllCommonsvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 21 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (21 instances)
pid | process
5088 | schtasks.exe
3192 | schtasks.exe
4536 | schtasks.exe
2276 | schtasks.exe
3540 | schtasks.exe
2236 | schtasks.exe
2484 | schtasks.exe
1300 | schtasks.exe
4632 | schtasks.exe
1520 | schtasks.exe
3952 | schtasks.exe
3364 | schtasks.exe
5112 | schtasks.exe
1900 | schtasks.exe
5020 | schtasks.exe
2516 | schtasks.exe
1176 | schtasks.exe
3584 | schtasks.exe
2292 | schtasks.exe
3636 | schtasks.exe
3724 | schtasks.exe
Modifies registry class 12 IoCs
Processes: 543affcfc0188c85d0f55630d7144ce2632369f549731ef10979faf74c450fbd.exe, DllCommonsvc.exe, fontdrvhost.exe (10 instances)
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings | 543affcfc0188c85d0f55630d7144ce2632369f549731ef10979faf74c450fbd.exe
Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings | DllCommonsvc.exe
Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings | fontdrvhost.exe (10 identical rows)
Suspicious behavior: EnumeratesProcesses 37 IoCs
Processes: DllCommonsvc.exe, powershell.exe (8 instances), fontdrvhost.exe (10 instances)
pid | process | rows
4908 | DllCommonsvc.exe | 3
528 | powershell.exe | 3
4288 | powershell.exe | 3
4808 | powershell.exe | 3
1112 | powershell.exe | 3
4544 | powershell.exe | 3
908 | powershell.exe | 3
4812 | powershell.exe | 3
3060 | powershell.exe | 3
1976 | fontdrvhost.exe | 1
2708 | fontdrvhost.exe | 1
4708 | fontdrvhost.exe | 1
2456 | fontdrvhost.exe | 1
2016 | fontdrvhost.exe | 1
2368 | fontdrvhost.exe | 1
3492 | fontdrvhost.exe | 1
3392 | fontdrvhost.exe | 1
3172 | fontdrvhost.exe | 1
2240 | fontdrvhost.exe | 1
(identical pid/process rows are collapsed; "rows" is the number of times each appeared)
Suspicious use of AdjustPrivilegeToken 19 IoCs
Processes: DllCommonsvc.exe, powershell.exe (8 instances), fontdrvhost.exe (10 instances)
description | pid | process
Token: SeDebugPrivilege | 4908 | DllCommonsvc.exe
Token: SeDebugPrivilege | 528 | powershell.exe
Token: SeDebugPrivilege | 4288 | powershell.exe
Token: SeDebugPrivilege | 4808 | powershell.exe
Token: SeDebugPrivilege | 1112 | powershell.exe
Token: SeDebugPrivilege | 4544 | powershell.exe
Token: SeDebugPrivilege | 908 | powershell.exe
Token: SeDebugPrivilege | 4812 | powershell.exe
Token: SeDebugPrivilege | 3060 | powershell.exe
Token: SeDebugPrivilege | 1976 | fontdrvhost.exe
Token: SeDebugPrivilege | 2708 | fontdrvhost.exe
Token: SeDebugPrivilege | 4708 | fontdrvhost.exe
Token: SeDebugPrivilege | 2456 | fontdrvhost.exe
Token: SeDebugPrivilege | 2016 | fontdrvhost.exe
Token: SeDebugPrivilege | 2368 | fontdrvhost.exe
Token: SeDebugPrivilege | 3492 | fontdrvhost.exe
Token: SeDebugPrivilege | 3392 | fontdrvhost.exe
Token: SeDebugPrivilege | 3172 | fontdrvhost.exe
Token: SeDebugPrivilege | 2240 | fontdrvhost.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 543affcfc0188c85d0f55630d7144ce2632369f549731ef10979faf74c450fbd.exe, WScript.exe, cmd.exe (8 instances), DllCommonsvc.exe, fontdrvhost.exe (6 instances)
description | pid | process | target process | rows
PID 4892 wrote to memory of 1952 | 4892 | 543affcfc0188c85d0f55630d7144ce2632369f549731ef10979faf74c450fbd.exe | WScript.exe | 3
PID 1952 wrote to memory of 3440 | 1952 | WScript.exe | cmd.exe | 3
PID 3440 wrote to memory of 4908 | 3440 | cmd.exe | DllCommonsvc.exe | 2
PID 4908 wrote to memory of 528 | 4908 | DllCommonsvc.exe | powershell.exe | 2
PID 4908 wrote to memory of 4808 | 4908 | DllCommonsvc.exe | powershell.exe | 2
PID 4908 wrote to memory of 4288 | 4908 | DllCommonsvc.exe | powershell.exe | 2
PID 4908 wrote to memory of 908 | 4908 | DllCommonsvc.exe | powershell.exe | 2
PID 4908 wrote to memory of 4544 | 4908 | DllCommonsvc.exe | powershell.exe | 2
PID 4908 wrote to memory of 3060 | 4908 | DllCommonsvc.exe | powershell.exe | 2
PID 4908 wrote to memory of 1112 | 4908 | DllCommonsvc.exe | powershell.exe | 2
PID 4908 wrote to memory of 4812 | 4908 | DllCommonsvc.exe | powershell.exe | 2
PID 4908 wrote to memory of 4348 | 4908 | DllCommonsvc.exe | cmd.exe | 2
PID 4348 wrote to memory of 2540 | 4348 | cmd.exe | w32tm.exe | 2
PID 4348 wrote to memory of 1976 | 4348 | cmd.exe | fontdrvhost.exe | 2
PID 1976 wrote to memory of 3416 | 1976 | fontdrvhost.exe | cmd.exe | 2
PID 3416 wrote to memory of 2056 | 3416 | cmd.exe | w32tm.exe | 2
PID 3416 wrote to memory of 2708 | 3416 | cmd.exe | fontdrvhost.exe | 2
PID 2708 wrote to memory of 224 | 2708 | fontdrvhost.exe | cmd.exe | 2
PID 224 wrote to memory of 4824 | 224 | cmd.exe | w32tm.exe | 2
PID 224 wrote to memory of 4708 | 224 | cmd.exe | fontdrvhost.exe | 2
PID 4708 wrote to memory of 4240 | 4708 | fontdrvhost.exe | cmd.exe | 2
PID 4240 wrote to memory of 2436 | 4240 | cmd.exe | w32tm.exe | 2
PID 4240 wrote to memory of 2456 | 4240 | cmd.exe | fontdrvhost.exe | 2
PID 2456 wrote to memory of 1672 | 2456 | fontdrvhost.exe | cmd.exe | 2
PID 1672 wrote to memory of 2024 | 1672 | cmd.exe | w32tm.exe | 2
PID 1672 wrote to memory of 2016 | 1672 | cmd.exe | fontdrvhost.exe | 2
PID 2016 wrote to memory of 4528 | 2016 | fontdrvhost.exe | cmd.exe | 2
PID 4528 wrote to memory of 4368 | 4528 | cmd.exe | w32tm.exe | 2
PID 4528 wrote to memory of 2368 | 4528 | cmd.exe | fontdrvhost.exe | 2
PID 2368 wrote to memory of 5088 | 2368 | fontdrvhost.exe | cmd.exe | 2
PID 5088 wrote to memory of 3780 | 5088 | cmd.exe | w32tm.exe | 2
(identical rows are collapsed; "rows" is the number of times each appeared)
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\543affcfc0188c85d0f55630d7144ce2632369f549731ef10979faf74c450fbd.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\543affcfc0188c85d0f55630d7144ce2632369f549731ef10979faf74c450fbd.exe"
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
[depth 2] C:\Windows\SysWOW64\WScript.exe
    command line: "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
[depth 3] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
- Suspicious use of WriteProcessMemory
[depth 4] C:\providercommon\DllCommonsvc.exe
    command line: "C:\providercommon\DllCommonsvc.exe"
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\WaaSMedicAgent.exe'
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\Idle.exe'
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\fontdrvhost.exe'
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\csrss.exe'
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
[depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
[depth 5] C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\goHUQDLY2m.bat"
- Suspicious use of WriteProcessMemory
[depth 6] C:\Windows\system32\w32tm.exe
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[depth 6] C:\odt\fontdrvhost.exe
    command line: "C:\odt\fontdrvhost.exe"
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
[depth 7] C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat"
- Suspicious use of WriteProcessMemory
[depth 8] C:\Windows\system32\w32tm.exe
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[depth 8] C:\odt\fontdrvhost.exe
    command line: "C:\odt\fontdrvhost.exe"
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
[depth 9] C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vkfoWdc5zM.bat"
- Suspicious use of WriteProcessMemory
[depth 10] C:\Windows\system32\w32tm.exe
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[depth 10] C:\odt\fontdrvhost.exe
    command line: "C:\odt\fontdrvhost.exe"
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
[depth 11] C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat"
- Suspicious use of WriteProcessMemory
[depth 12] C:\Windows\system32\w32tm.exe
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[depth 12] C:\odt\fontdrvhost.exe
    command line: "C:\odt\fontdrvhost.exe"
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
[depth 13] C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NDsGBfOUR3.bat"
- Suspicious use of WriteProcessMemory
[depth 14] C:\Windows\system32\w32tm.exe
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[depth 14] C:\odt\fontdrvhost.exe
    command line: "C:\odt\fontdrvhost.exe"
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
[depth 15] C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat"
- Suspicious use of WriteProcessMemory
[depth 16] C:\Windows\system32\w32tm.exe
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[depth 16] C:\odt\fontdrvhost.exe
    command line: "C:\odt\fontdrvhost.exe"
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
[depth 17] C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D6YKtyItKL.bat"
- Suspicious use of WriteProcessMemory
[depth 18] C:\Windows\system32\w32tm.exe
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[depth 18] C:\odt\fontdrvhost.exe
    command line: "C:\odt\fontdrvhost.exe"
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
[depth 19] C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xghrCifyI9.bat"
[depth 20] C:\Windows\system32\w32tm.exe
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[depth 20] C:\odt\fontdrvhost.exe
    command line: "C:\odt\fontdrvhost.exe"
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
[depth 21] C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat"
[depth 22] C:\Windows\system32\w32tm.exe
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[depth 22] C:\odt\fontdrvhost.exe
    command line: "C:\odt\fontdrvhost.exe"
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
[depth 23] C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat"
[depth 24] C:\Windows\system32\w32tm.exe
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[depth 24] C:\odt\fontdrvhost.exe
    command line: "C:\odt\fontdrvhost.exe"
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
[depth 25] C:\Windows\System32\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M2NHsv551y.bat"
[depth 26] C:\Windows\system32\w32tm.exe
    command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
[depth 1] C:\Windows\system32\schtasks.exe
    command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\odt\fontdrvhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
    command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
    command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
    command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\Idle.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
    command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
    command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\Idle.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
    command line: schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 7 /tr "'C:\Windows\ModemLogs\WaaSMedicAgent.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
    command line: schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Windows\ModemLogs\WaaSMedicAgent.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
    command line: schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Windows\ModemLogs\WaaSMedicAgent.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
    command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
    command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
    command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
    command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
    command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
    command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
    command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\odt\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
    command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
    command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
    command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dwm.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
    command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
[depth 1] C:\Windows\system32\schtasks.exe
    command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log
    Filesize: 1KB
    MD5: baf55b95da4a601229647f25dad12878
    SHA1: abc16954ebfd213733c4493fc1910164d825cac8
    SHA256: ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
    SHA512: 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 2KB
    MD5: d85ba6ff808d9e5444a4b369f5bc2730
    SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
    SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
    SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 944B
    MD5: 2e907f77659a6601fcc408274894da2e
    SHA1: 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
    SHA256: 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
    SHA512: 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 944B
    MD5: 3a6bad9528f8e23fb5c77fbd81fa28e8
    SHA1: f127317c3bc6407f536c0f0600dcbcf1aabfba36
    SHA256: 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
    SHA512: 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 944B
    MD5: 62623d22bd9e037191765d5083ce16a3
    SHA1: 4a07da6872672f715a4780513d95ed8ddeefd259
    SHA256: 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
    SHA512: 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 944B
    MD5: 3a6bad9528f8e23fb5c77fbd81fa28e8
    SHA1: f127317c3bc6407f536c0f0600dcbcf1aabfba36
    SHA256: 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
    SHA512: 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 944B
    MD5: cadef9abd087803c630df65264a6c81c
    SHA1: babbf3636c347c8727c35f3eef2ee643dbcc4bd2
    SHA256: cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
    SHA512: 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B
MD5
aaaac7c68d2b7997ed502c26fd9f65c2
SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf
SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb
SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac
-
C:\Users\Admin\AppData\Local\Temp\D6YKtyItKL.bat
Filesize
187B
MD5
62ed96486425f2d57555f7edf8acd6ad
SHA1
84dee11173000e5547370dd31ae1d8146b257d2d
SHA256
aaf9fa1fd0ff6b6534286f4fb6ebca23a2d73e14d206b5ef5750622efcc563ec
SHA512
40dc1f764aa3eb7086a8be723cbc094dea83fec604cb9254cc79e01f4f70896d1bd17c61e2036e7693c3b53fb453320e1401fcef0471ef52ea35f9c2f8838d6c
-
C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat
Filesize
187B
MD5
e693b03418f9de934e9dd51ab08a5a0f
SHA1
6216f3756f037ff044548be3d66a4d6baff43f27
SHA256
e5028a19c6884e649b1ca290e745659da67cce54848c83b5d877c238d883305e
SHA512
fae4723548e1996655b324c2175be1223b54feeee05564523cb60129664f7904bab476365047785d3828e4cfc9f607739ff7c50eeac73129922c59958973bff2
-
C:\Users\Admin\AppData\Local\Temp\M2NHsv551y.bat
Filesize
187B
MD5
503e28b4986702a055fcf28aabb58bb9
SHA1
d9dc8474d3fb8a55614449ed3a2659ba74cb4640
SHA256
2626886382a02ce760d740ccb8aea5dc4602b77a90c0629f664fc50896039f47
SHA512
feda2b220609492484bbc09cd16dba0750ff1be6512e0ecdcbbde067ec7b8e861509946005e836559524b96b18b5bf69220398d0b56c87dc4a66c3335a833e4d
-
C:\Users\Admin\AppData\Local\Temp\NDsGBfOUR3.bat
Filesize
187B
MD5
19a3c3acf1f498c827ed486c45115710
SHA1
b1a0f7e1a974900141a4e4b943158d36828a318c
SHA256
20bc7cb9237d3004288d087454a47a16426bead6bcaddbae2601f29b27b2dc73
SHA512
548ed61dd3809d0d7b611d21593423b8eb20464ca01a4802836f8864f8526eea37296deef5f7d5b41f89c05e89b17f56d0379afde0a0fa2b4e9fb3ed1cc0e6e4
-
C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat
Filesize
187B
MD5
d248e6be660870f86a766e80b7876b19
SHA1
99e01499e0109cb3f2004a10b24bb79f7c997a6c
SHA256
4594b93c3f27f88bf6f2e9e70d7b57d82936c9db4a38cb2b6be3af1901019306
SHA512
74b5b6d9bf410579c990f94f70dbe9b9d933bb74672b7a90a2c7281822052550365dc99f9a2ed49488db836bbdbac3c44fb34fb57d24c49d0116f53d8fd89a2a
-
C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat
Filesize
187B
MD5
4b36d935ea77b973d53e5ccef300051e
SHA1
d2abe38d7abd936c171e30898a5c481a261ae24c
SHA256
388107b289dad7c208f76d544e458eda08094ee8efba6c8a10ad5f0e17e9cfc6
SHA512
869965959f67f5ec8437d9c94868595f35ca0ada39c064f3afde9e002a725126881507936e1d19772ec4fb76003d0ac87ee8a21c09b45e7e52d05d434470deb1
-
C:\Users\Admin\AppData\Local\Temp\goHUQDLY2m.bat
Filesize
187B
MD5
c3b16d95666bcccb0d03966a3ced627a
SHA1
633c7c11b567d7117312d3ed846fb19655b7b479
SHA256
3ca4435e326638f5fd200a9c77b30d5262e29c62d1fd59510ad5e562115923d2
SHA512
66655e57fbbecb635291f52e3392241f395c0a030b9cd4307942473fe7fed099415f9ea8e760881c03237dd7082428c9553b3e5ea983974f796dc0ae1599f903
-
C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat
Filesize
187B
MD5
bc5840dc16fc2efc51495cab1c2910b2
SHA1
2cd9247b975cf89483d4d536346245ece149660e
SHA256
fdcbe84796285373704df20abfeedf7dd0fe76a58f189cec21eef3a0c60c1763
SHA512
18b4995fbfc868178b4de5dcddcc0fbbb8e40d8cffd3805405c0dc4b3a30f7fae38c64a85ef2b06c984a58b46e437afc3d752e1daafa6dc0f18d6f065c7a0053
-
C:\Users\Admin\AppData\Local\Temp\vkfoWdc5zM.bat
Filesize
187B
MD5
08ec16ba946d3f679eb48aaf1d17c8cc
SHA1
3f67a0eb425d8ea95caeb15cf180bd4e33f80ba2
SHA256
d4e987e871bbfac6f0e87275dcf9aaa2797303e4a5833c20df67b9d2d5099577
SHA512
98110a41dc186d511e33bee540eb519c1181d5b710488746c740113129aeb3d55290fa21f283348a489c3047136cec04560d6bcbacfb9d39d27547e217e20871
-
C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat
Filesize
187B
MD5
ee4b425f42d392975f25027d87b99f69
SHA1
a36e62d4381cba89a7b84a72beef80ef08061a1f
SHA256
1911b205466893e5e3e652b4e096af173839e7c74416cc67d7d03fe6b1e134af
SHA512
a4fe784bbba4f04b4a8d03e38b5165e3927037dc85b299eec01b1f4a47403b969dd72d982e444c3d25fbc195af038cfd052f94d40797f8ff370f394134158fef
-
C:\Users\Admin\AppData\Local\Temp\xghrCifyI9.bat
Filesize
187B
MD5
6a17dd4d081c8433ccbc44a1d67c061a
SHA1
74046e88b0ae65b0b2b9e3e678755cadc56cbdfc
SHA256
fd52696468bd9ef3a08cf3da07879f3e5955299bf479196bd0ba77d58532e6c3
SHA512
10988c1e9222f059bbc5a1c503df092003d8bcee1fb798516a8b6d858df64116692932bfb51029994e6cacef884dc230aa5d36b47df013df38053b4760167980
-
C:\odt\fontdrvhost.exe
Filesize
1.0MB
MD5
bd31e94b4143c4ce49c17d3af46bcad0
SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
C:\providercommon\1zu9dW.bat
Filesize
36B
MD5
6783c3ee07c7d151ceac57f1f9c8bed7
SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8
-
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB
MD5
bd31e94b4143c4ce49c17d3af46bcad0
SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
-
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
Filesize
197B
MD5
8088241160261560a02c84025d107592
SHA1
083121f7027557570994c9fc211df61730455bb5
SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478
-
memory/224-190-0x0000000000000000-mapping.dmp
-
memory/528-141-0x0000000000000000-mapping.dmp
-
memory/528-152-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp
Filesize
10.8MB
-
memory/528-170-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp
Filesize
10.8MB
-
memory/528-149-0x0000021CCDF00000-0x0000021CCDF22000-memory.dmp
Filesize
136KB
-
memory/908-175-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp
Filesize
10.8MB
-
memory/908-144-0x0000000000000000-mapping.dmp
-
memory/908-155-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp
Filesize
10.8MB
-
memory/1112-147-0x0000000000000000-mapping.dmp
-
memory/1112-167-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp
Filesize
10.8MB
-
memory/1112-159-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp
Filesize
10.8MB
-
memory/1300-232-0x0000000000000000-mapping.dmp
-
memory/1476-248-0x0000000000000000-mapping.dmp
-
memory/1672-204-0x0000000000000000-mapping.dmp
-
memory/1952-132-0x0000000000000000-mapping.dmp
-
memory/1976-185-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp
Filesize
10.8MB
-
memory/1976-181-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp
Filesize
10.8MB
-
memory/1976-178-0x0000000000000000-mapping.dmp
-
memory/2016-210-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp
Filesize
10.8MB
-
memory/2016-214-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp
Filesize
10.8MB
-
memory/2016-208-0x0000000000000000-mapping.dmp
-
memory/2024-206-0x0000000000000000-mapping.dmp
-
memory/2056-184-0x0000000000000000-mapping.dmp
-
memory/2240-249-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp
Filesize
10.8MB
-
memory/2240-243-0x0000000000000000-mapping.dmp
-
memory/2240-245-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp
Filesize
10.8MB
-
memory/2368-215-0x0000000000000000-mapping.dmp
-
memory/2368-221-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp
Filesize
10.8MB
-
memory/2368-217-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp
Filesize
10.8MB
-
memory/2436-199-0x0000000000000000-mapping.dmp
-
memory/2456-207-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp
Filesize
10.8MB
-
memory/2456-203-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp
Filesize
10.8MB
-
memory/2456-201-0x0000000000000000-mapping.dmp
-
memory/2540-161-0x0000000000000000-mapping.dmp
-
memory/2708-189-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp
Filesize
10.8MB
-
memory/2708-193-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp
Filesize
10.8MB
-
memory/2708-186-0x0000000000000000-mapping.dmp
-
memory/3060-177-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp
Filesize
10.8MB
-
memory/3060-146-0x0000000000000000-mapping.dmp
-
memory/3060-158-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp
Filesize
10.8MB
-
memory/3172-238-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp
Filesize
10.8MB
-
memory/3172-236-0x0000000000000000-mapping.dmp
-
memory/3172-242-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp
Filesize
10.8MB
-
memory/3308-227-0x0000000000000000-mapping.dmp
-
memory/3392-235-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp
Filesize
10.8MB
-
memory/3392-231-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp
Filesize
10.8MB
-
memory/3392-229-0x0000000000000000-mapping.dmp
-
memory/3416-182-0x0000000000000000-mapping.dmp
-
memory/3440-135-0x0000000000000000-mapping.dmp
-
memory/3448-225-0x0000000000000000-mapping.dmp
-
memory/3492-222-0x0000000000000000-mapping.dmp
-
memory/3492-224-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp
Filesize
10.8MB
-
memory/3492-228-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp
Filesize
10.8MB
-
memory/3780-220-0x0000000000000000-mapping.dmp
-
memory/4240-197-0x0000000000000000-mapping.dmp
-
memory/4288-169-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp
Filesize
10.8MB
-
memory/4288-143-0x0000000000000000-mapping.dmp
-
memory/4288-153-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp
Filesize
10.8MB
-
memory/4348-150-0x0000000000000000-mapping.dmp
-
memory/4368-213-0x0000000000000000-mapping.dmp
-
memory/4468-241-0x0000000000000000-mapping.dmp
-
memory/4528-211-0x0000000000000000-mapping.dmp
-
memory/4544-157-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp
Filesize
10.8MB
-
memory/4544-173-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp
Filesize
10.8MB
-
memory/4544-145-0x0000000000000000-mapping.dmp
-
memory/4568-239-0x0000000000000000-mapping.dmp
-
memory/4708-200-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp
Filesize
10.8MB
-
memory/4708-196-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp
Filesize
10.8MB
-
memory/4708-194-0x0000000000000000-mapping.dmp
-
memory/4808-164-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp
Filesize
10.8MB
-
memory/4808-142-0x0000000000000000-mapping.dmp
-
memory/4808-154-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp
Filesize
10.8MB
-
memory/4812-174-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp
Filesize
10.8MB
-
memory/4812-160-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp
Filesize
10.8MB
-
memory/4812-148-0x0000000000000000-mapping.dmp
-
memory/4824-192-0x0000000000000000-mapping.dmp
-
memory/4872-246-0x0000000000000000-mapping.dmp
-
memory/4908-140-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp
Filesize
10.8MB
-
memory/4908-151-0x00007FFE49490000-0x00007FFE49F51000-memory.dmp
Filesize
10.8MB
-
memory/4908-139-0x0000000000860000-0x0000000000970000-memory.dmp
Filesize
1.1MB
-
memory/4908-136-0x0000000000000000-mapping.dmp
-
memory/4960-234-0x0000000000000000-mapping.dmp
-
memory/5088-218-0x0000000000000000-mapping.dmp