dcrat | cdb72eda65ea4ecee1e8b3804d45eadcabfbe709204111c5316652b74612f5a0

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_cdb72eda65ea4ecee1e8b3804d45eadcabfbe709204111c5316652b74612f5a0.exe
Size

1.3MB
MD5

2b87e817761aa12e533f131488d60a24
SHA1

8846891b8bc70f042e5edb0cd101dd6a7234d32e
SHA256

cdb72eda65ea4ecee1e8b3804d45eadcabfbe709204111c5316652b74612f5a0
SHA512

f348c61ec8c956cd03a295aab707dbb1f8e1a2ce817daeb4e03183df97bdde3485d554c0b670d3fb8b774fca780c368912aee7df1300e2641e75fb680001fb00
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4164	3000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	3000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	3000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	3000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	3000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	3000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	3000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	3000	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	3000	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b7a-10.dat	dcrat
behavioral2/memory/3264-13-0x0000000000BA0000-0x0000000000CB0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5104	powershell.exe
2884	powershell.exe
3176	powershell.exe
3520	powershell.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	JaffaCakes118_cdb72eda65ea4ecee1e8b3804d45eadcabfbe709204111c5316652b74612f5a0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe

Executes dropped EXE 16 IoCs

pid	Process
3264	DllCommonsvc.exe
1980	fontdrvhost.exe
1500	fontdrvhost.exe
1840	fontdrvhost.exe
404	fontdrvhost.exe
264	fontdrvhost.exe
3520	fontdrvhost.exe
2688	fontdrvhost.exe
2976	fontdrvhost.exe
976	fontdrvhost.exe
4952	fontdrvhost.exe
2444	fontdrvhost.exe
3176	fontdrvhost.exe
2716	fontdrvhost.exe
4992	fontdrvhost.exe
4504	fontdrvhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

flow	ioc
54	raw.githubusercontent.com
51	raw.githubusercontent.com
52	raw.githubusercontent.com
45	raw.githubusercontent.com
24	raw.githubusercontent.com
44	raw.githubusercontent.com
49	raw.githubusercontent.com
55	raw.githubusercontent.com
17	raw.githubusercontent.com
37	raw.githubusercontent.com
39	raw.githubusercontent.com
42	raw.githubusercontent.com
53	raw.githubusercontent.com
16	raw.githubusercontent.com
38	raw.githubusercontent.com

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\RuntimeBroker.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\addins\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\addins\56085415360792	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_cdb72eda65ea4ecee1e8b3804d45eadcabfbe709204111c5316652b74612f5a0.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	JaffaCakes118_cdb72eda65ea4ecee1e8b3804d45eadcabfbe709204111c5316652b74612f5a0.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	fontdrvhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4444	schtasks.exe
2240	schtasks.exe
2328	schtasks.exe
832	schtasks.exe
2316	schtasks.exe
4876	schtasks.exe
1028	schtasks.exe
4164	schtasks.exe
2064	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3264	DllCommonsvc.exe
3520	powershell.exe
2884	powershell.exe
5104	powershell.exe
2884	powershell.exe
3176	powershell.exe
3176	powershell.exe
3520	powershell.exe
5104	powershell.exe
1980	fontdrvhost.exe
1500	fontdrvhost.exe
1840	fontdrvhost.exe
404	fontdrvhost.exe
264	fontdrvhost.exe
3520	fontdrvhost.exe
2688	fontdrvhost.exe
2976	fontdrvhost.exe
976	fontdrvhost.exe
4952	fontdrvhost.exe
2444	fontdrvhost.exe
3176	fontdrvhost.exe
2716	fontdrvhost.exe
4992	fontdrvhost.exe
4504	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	3264	DllCommonsvc.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeDebugPrivilege	3176	powershell.exe
Token: SeDebugPrivilege	1980	fontdrvhost.exe
Token: SeDebugPrivilege	1500	fontdrvhost.exe
Token: SeDebugPrivilege	1840	fontdrvhost.exe
Token: SeDebugPrivilege	404	fontdrvhost.exe
Token: SeDebugPrivilege	264	fontdrvhost.exe
Token: SeDebugPrivilege	3520	fontdrvhost.exe
Token: SeDebugPrivilege	2688	fontdrvhost.exe
Token: SeDebugPrivilege	2976	fontdrvhost.exe
Token: SeDebugPrivilege	976	fontdrvhost.exe
Token: SeDebugPrivilege	4952	fontdrvhost.exe
Token: SeDebugPrivilege	2444	fontdrvhost.exe
Token: SeDebugPrivilege	3176	fontdrvhost.exe
Token: SeDebugPrivilege	2716	fontdrvhost.exe
Token: SeDebugPrivilege	4992	fontdrvhost.exe
Token: SeDebugPrivilege	4504	fontdrvhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 2360	4504	JaffaCakes118_cdb72eda65ea4ecee1e8b3804d45eadcabfbe709204111c5316652b74612f5a0.exe	82
PID 4504 wrote to memory of 2360	4504	JaffaCakes118_cdb72eda65ea4ecee1e8b3804d45eadcabfbe709204111c5316652b74612f5a0.exe	82
PID 4504 wrote to memory of 2360	4504	JaffaCakes118_cdb72eda65ea4ecee1e8b3804d45eadcabfbe709204111c5316652b74612f5a0.exe	82
PID 2360 wrote to memory of 3924	2360	WScript.exe	83
PID 2360 wrote to memory of 3924	2360	WScript.exe	83
PID 2360 wrote to memory of 3924	2360	WScript.exe	83
PID 3924 wrote to memory of 3264	3924	cmd.exe	85
PID 3924 wrote to memory of 3264	3924	cmd.exe	85
PID 3264 wrote to memory of 2884	3264	DllCommonsvc.exe	96
PID 3264 wrote to memory of 2884	3264	DllCommonsvc.exe	96
PID 3264 wrote to memory of 5104	3264	DllCommonsvc.exe	97
PID 3264 wrote to memory of 5104	3264	DllCommonsvc.exe	97
PID 3264 wrote to memory of 3176	3264	DllCommonsvc.exe	98
PID 3264 wrote to memory of 3176	3264	DllCommonsvc.exe	98
PID 3264 wrote to memory of 3520	3264	DllCommonsvc.exe	99
PID 3264 wrote to memory of 3520	3264	DllCommonsvc.exe	99
PID 3264 wrote to memory of 2936	3264	DllCommonsvc.exe	104
PID 3264 wrote to memory of 2936	3264	DllCommonsvc.exe	104
PID 2936 wrote to memory of 4460	2936	cmd.exe	106
PID 2936 wrote to memory of 4460	2936	cmd.exe	106
PID 2936 wrote to memory of 1980	2936	cmd.exe	107
PID 2936 wrote to memory of 1980	2936	cmd.exe	107
PID 1980 wrote to memory of 3460	1980	fontdrvhost.exe	111
PID 1980 wrote to memory of 3460	1980	fontdrvhost.exe	111
PID 3460 wrote to memory of 1372	3460	cmd.exe	113
PID 3460 wrote to memory of 1372	3460	cmd.exe	113
PID 3460 wrote to memory of 1500	3460	cmd.exe	115
PID 3460 wrote to memory of 1500	3460	cmd.exe	115
PID 1500 wrote to memory of 1864	1500	fontdrvhost.exe	118
PID 1500 wrote to memory of 1864	1500	fontdrvhost.exe	118
PID 1864 wrote to memory of 552	1864	cmd.exe	120
PID 1864 wrote to memory of 552	1864	cmd.exe	120
PID 1864 wrote to memory of 1840	1864	cmd.exe	121
PID 1864 wrote to memory of 1840	1864	cmd.exe	121
PID 1840 wrote to memory of 4028	1840	fontdrvhost.exe	124
PID 1840 wrote to memory of 4028	1840	fontdrvhost.exe	124
PID 4028 wrote to memory of 680	4028	cmd.exe	126
PID 4028 wrote to memory of 680	4028	cmd.exe	126
PID 4028 wrote to memory of 404	4028	cmd.exe	127
PID 4028 wrote to memory of 404	4028	cmd.exe	127
PID 404 wrote to memory of 3972	404	fontdrvhost.exe	128
PID 404 wrote to memory of 3972	404	fontdrvhost.exe	128
PID 3972 wrote to memory of 3720	3972	cmd.exe	130
PID 3972 wrote to memory of 3720	3972	cmd.exe	130
PID 3972 wrote to memory of 264	3972	cmd.exe	131
PID 3972 wrote to memory of 264	3972	cmd.exe	131
PID 264 wrote to memory of 2324	264	fontdrvhost.exe	132
PID 264 wrote to memory of 2324	264	fontdrvhost.exe	132
PID 2324 wrote to memory of 1196	2324	cmd.exe	134
PID 2324 wrote to memory of 1196	2324	cmd.exe	134
PID 2324 wrote to memory of 3520	2324	cmd.exe	135
PID 2324 wrote to memory of 3520	2324	cmd.exe	135
PID 3520 wrote to memory of 3160	3520	fontdrvhost.exe	136
PID 3520 wrote to memory of 3160	3520	fontdrvhost.exe	136
PID 3160 wrote to memory of 2548	3160	cmd.exe	138
PID 3160 wrote to memory of 2548	3160	cmd.exe	138
PID 3160 wrote to memory of 2688	3160	cmd.exe	139
PID 3160 wrote to memory of 2688	3160	cmd.exe	139
PID 2688 wrote to memory of 2876	2688	fontdrvhost.exe	140
PID 2688 wrote to memory of 2876	2688	fontdrvhost.exe	140
PID 2876 wrote to memory of 5116	2876	cmd.exe	142
PID 2876 wrote to memory of 5116	2876	cmd.exe	142
PID 2876 wrote to memory of 2976	2876	cmd.exe	143
PID 2876 wrote to memory of 2976	2876	cmd.exe	143

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cdb72eda65ea4ecee1e8b3804d45eadcabfbe709204111c5316652b74612f5a0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cdb72eda65ea4ecee1e8b3804d45eadcabfbe709204111c5316652b74612f5a0.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3924
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3176
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3520
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PN219sj1of.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2936
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4460
      - C:\providercommon\fontdrvhost.exe
        
        "C:\providercommon\fontdrvhost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhzsSyDvNE.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1372
        
        C:\providercommon\fontdrvhost.exe
        
        "C:\providercommon\fontdrvhost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iqKdioc4MG.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:552
        
        C:\providercommon\fontdrvhost.exe
        
        "C:\providercommon\fontdrvhost.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CPhDZIwY3l.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:680
        
        C:\providercommon\fontdrvhost.exe
        
        "C:\providercommon\fontdrvhost.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6M87tNVNy8.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3720
        
        C:\providercommon\fontdrvhost.exe
        
        "C:\providercommon\fontdrvhost.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1196
        
        C:\providercommon\fontdrvhost.exe
        
        "C:\providercommon\fontdrvhost.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2548
        
        C:\providercommon\fontdrvhost.exe
        
        "C:\providercommon\fontdrvhost.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:5116
        
        C:\providercommon\fontdrvhost.exe
        
        "C:\providercommon\fontdrvhost.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Lxx1rvPQX.bat"
        21⤵
        
        PID:2680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:3824
        
        C:\providercommon\fontdrvhost.exe
        
        "C:\providercommon\fontdrvhost.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat"
        23⤵
        
        PID:1824
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1632
        
        C:\providercommon\fontdrvhost.exe
        
        "C:\providercommon\fontdrvhost.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rjauxUKpXQ.bat"
        25⤵
        
        PID:3712
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:4560
        
        C:\providercommon\fontdrvhost.exe
        
        "C:\providercommon\fontdrvhost.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FBcCl1WGSV.bat"
        27⤵
        
        PID:60
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2808
        
        C:\providercommon\fontdrvhost.exe
        
        "C:\providercommon\fontdrvhost.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3176
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cwtcXGf4Cf.bat"
        29⤵
        
        PID:1296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:228
        
        C:\providercommon\fontdrvhost.exe
        
        "C:\providercommon\fontdrvhost.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LEBHQwxRW8.bat"
        31⤵
        
        PID:4544
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:4592
        
        C:\providercommon\fontdrvhost.exe
        
        "C:\providercommon\fontdrvhost.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ELjGFNzRMY.bat"
        33⤵
        
        PID:3460
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        34⤵
        
        PID:4336
        
        C:\providercommon\fontdrvhost.exe
        
        "C:\providercommon\fontdrvhost.exe"
        34⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\addins\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\addins\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\providercommon\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
e4dd084b8637e6235830b70373291662

SHA1
8f2e0e4b0a1e1ad98329e38ed9168a3e53ca759a

SHA256
8a97d6d1e2487849bb19315d2c71ffde47180ab1f9e78e4b9106572a4c327e8f

SHA512
03fcb8a950170796f4214b1ab54d1291584492dfda9bf60d8e6ff27a8dff2b004e9f971339cafacf1e214d4fed45b9baea1636043b1c6f5f4d8e6ffe20cf0107

Download Submit
C:\Users\Admin\AppData\Local\Temp\3Lxx1rvPQX.bat

Filesize
198B

MD5
4769e472f95fa5d05e00addd66cc233c

SHA1
9c88fa41088c372d2de5e6ce73106a9875ad0314

SHA256
1495a3463cee03a4e946df09606df53688e50c1ce2b609014be54997522c837c

SHA512
d8a3978d1e0760b9d02c7213820b5712816ed95b7681e3405e5eb468c5d3057117a51a1950bdcdd61893ac351fe16ef28acb17e65f700137d84d763c92eeeb87

Download Submit
C:\Users\Admin\AppData\Local\Temp\6M87tNVNy8.bat

Filesize
198B

MD5
b02dec09ebf23ab356e013f67c260875

SHA1
5bba4b84da239a2e4a9fcd42c6281ab82771ed93

SHA256
828aac7389d67c8e349a9a9823ed7de4face09f1150dd0ed59b05bc2685c82a1

SHA512
dee8355f3bbeb694e84d0506f75c6c00303c46235f11f51ecdb55338b1eeceb31867706ec10794e922af2bfa7c8b158da06e1cbcab9001f42b1a3378264179f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPhDZIwY3l.bat

Filesize
198B

MD5
847cd85ea8f6b04477909b90fad52892

SHA1
64e0a600846107da3266c3d662b78fd29b80329c

SHA256
2a651185a7f491a5b0dd85bc5cfac669e81cd7f3a8647b9375a63513358b8c09

SHA512
8fc192721b18b6eecd7d546ea0b2a087c0b73e9b8edb6959709cdb2868765cdf551892a4c4db375e8361cff43c26f6de7749266b8a552a20808ee0f1f59487cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ELjGFNzRMY.bat

Filesize
198B

MD5
6ba18f557513ec7e56189f0bb6b28406

SHA1
300420b2784f71a3fb871b9674aea805a595e3b8

SHA256
02bafb5806ca03bf51ba0a654b84d62a2726c53fda53dd1571581e258b37b0ca

SHA512
0e9732e5b15a64b497f794342cc74416f1e66889cf2ef73af99d50cbee3ae35a502460f0008abf5edff1ba319b03f2c6b999ac02f91a5598f902f1af63c28242

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBcCl1WGSV.bat

Filesize
198B

MD5
bd6487091ff8afe23226df24841efcc7

SHA1
1b16898c70adaf0045da564a9122c92dee3201f9

SHA256
6f70123323267cfe6db56453f36b5a7d1eb6f6dad24ef1028627b826ac22f61d

SHA512
7a1754f011c8ec5a66eb60d3082bde842b8192cbe2bd74f8b7dd41165af55f2444afce3b27e54d8ed092f68e4407b9e0be79258f7e0c05b0b3f3a67fea2284a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEBHQwxRW8.bat

Filesize
198B

MD5
6258aef0212b877f2c4e81a7b3cd9d26

SHA1
a0cbeb7ff0cffae35b4271d3d4533474c6f9562d

SHA256
cd0ca40bc14c31d49bdf8521734085927a89cb814f02b175947b8ba826dd9d0f

SHA512
dfe111a169a3cf5265fee49683ac8d85b142bc00f60e217980a399a49895348a97c5a20fa6e614e8deefe88d3b6aa140c1960ded03133e0dff4aa8cff6bc6909

Download Submit
C:\Users\Admin\AppData\Local\Temp\PN219sj1of.bat

Filesize
198B

MD5
119d5d1c0ba5bac84f1867b576624ee5

SHA1
651b5b21bfb31cc817ff2f57e1d0069b974f1e59

SHA256
baaef5ef914a75550a7ebce595de0b16533c9f166318fd1157102c36ef90a9b4

SHA512
db74ee370b7d8f421f1e301b4af05126dd924955f70630ddb6f5ec9495685b1ed2f87fdec2ba15f08f6b2c717f95ad3157a00a3708d54666b684aaadeed0c2ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat

Filesize
198B

MD5
acd6bea74e11a87192e3cde58becc3ca

SHA1
6a3544b79ce49778af6ab0536aa289ad09bfcb20

SHA256
7bb7c9d252f82197f14ec9700f33dbb52a3b00b928472a4c2cb4004ec8cb6b2f

SHA512
23ca5284cc59943815fac24985c085883e75cadd487d4c201bfa60da5f0220fd8f36a0f7c2290b7264e170df3939b26cd00ccd9db3bb244344fe07f90c49f263

Download Submit
C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat

Filesize
198B

MD5
47ecb7510eda6c36a54ca2d4bd12a291

SHA1
e9d93d2de6c9c163bb1354d85c7abbf23a1fa7ba

SHA256
b61920ca208b836263aefe5741f1d1e00cb136bb5cd044a0848d9219038e6ce4

SHA512
2f4a5c0740cc4cffcf34fda22787cb0172774870fbc96a84b0c89cda4cdf14591504547f825cf0609168fcb16f5e005011cad1534a0868c2b431a5dc84c53e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b1tggbzl.qno.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwtcXGf4Cf.bat

Filesize
198B

MD5
35c8ae838595173b58d73b9d1ea231c6

SHA1
765981cc4ecaf90abf3f8dd56d34653100139309

SHA256
ca9a4729dd6ab83d8d7721ee6547e6dc9f19c93450b3254e4e873072ef2dc2e4

SHA512
32b0aa0bc20b5a3ed7dfd683aa9825c4aa07a747e3850ffabd9c1b759bc349573bc57bd94680909d9655f2ddc94580783ee73c2fb8522cfcafef66aad4536b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat

Filesize
198B

MD5
ae54c5dd14c209435ff150e6caad5b22

SHA1
1bb1e849dc8958ae5532e7c523449567971971eb

SHA256
cec10a4f9301eb73caad1c00a578cd93536895a43d20cbb3a65704e893d173f4

SHA512
0c0cd67f885e933cf0a17e393c74d8c89cbbe215a571ac033c73b7c4c984dcfcffefcaa8cf9b6fef83738fa2d6f06a68c2da239e8eca3944984ee76e2d11114a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqKdioc4MG.bat

Filesize
198B

MD5
69a30ea6e2db9d745c0dfbcc4364b4bf

SHA1
518c9f6c7de5baf3e943fdafc6e705a59fc11453

SHA256
293cf491631aad4c81a5b8bab61f8ad6582e1622e59191da0c07fa9d42a121e7

SHA512
f646129acfd331200512239ceaa77459af6f6b41ee7790391398ace6a175e0171a03fa3cb431b323e405137b5f3107cd1503a825604124cdd9e542303c8192b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjauxUKpXQ.bat

Filesize
198B

MD5
b9b56e3537be44cdc6922a21a9f797b4

SHA1
4a385d63d50dd6cdac19bba396f2eb3478054232

SHA256
59af211315563e618e41fac1655b4bde9e293b7970236a1394efb68d78ef725f

SHA512
2cb907d3a297bb19d09ac5d8d29631ec1584f89f7dfe253a7a7c674ba3473f6e885eac6ea285f6b0ec70292fcbe3238103b52cdef0dd9ee06bb03a8b2f83a4ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat

Filesize
198B

MD5
99ac3089cb65335a9f383a005ab61fd4

SHA1
c7bb2449fb3d548bd7c0458bf36f0afd45df1afe

SHA256
51f94e8364a3ee49287f2ba2d74c354d40d7a869eddabeef6fca26c23279f6aa

SHA512
af42855184c75369881ea3c4e043af0c88993d73ff6332ad0d5b6618c74d618dace1a208a4447683b229bbadf727c317dfcb42fce9253b2bae2c5f29add54e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhzsSyDvNE.bat

Filesize
198B

MD5
9bca6fe4f9c10159517d7dab26d625c0

SHA1
3b35d56ccec0f378eda2330a878d557234db7957

SHA256
c7051b308459da0d30c25d5588dc2c2d5956d7410d02db8f3f8624e62a0f960b

SHA512
79118bd024040100f0d030f93d67e220016ad39cdd26d23c280acaa0eeaebca4d2e73bfffd0efab0b870eebdc5be831bd7e8c949fcb29a57a8a83cd6cfa57e2a

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/264-114-0x000000001BB20000-0x000000001BC22000-memory.dmp

Filesize
1.0MB

Download
memory/404-108-0x000000001C040000-0x000000001C142000-memory.dmp

Filesize
1.0MB

Download
memory/976-140-0x00000000027B0000-0x00000000027C2000-memory.dmp

Filesize
72KB

Download
memory/1500-94-0x000000001CA30000-0x000000001CBD9000-memory.dmp

Filesize
1.7MB

Download
memory/1500-88-0x0000000002FE0000-0x0000000002FF2000-memory.dmp

Filesize
72KB

Download
memory/1840-101-0x000000001B9B0000-0x000000001BAB2000-memory.dmp

Filesize
1.0MB

Download
memory/1980-84-0x000000001C4F0000-0x000000001C5F2000-memory.dmp

Filesize
1.0MB

Download
memory/2688-124-0x0000000003190000-0x00000000031A2000-memory.dmp

Filesize
72KB

Download
memory/2688-130-0x000000001C540000-0x000000001C642000-memory.dmp

Filesize
1.0MB

Download
memory/2884-28-0x000001F4A1A20000-0x000001F4A1A42000-memory.dmp

Filesize
136KB

Download
memory/2976-132-0x0000000001860000-0x0000000001872000-memory.dmp

Filesize
72KB

Download
memory/2976-137-0x000000001C430000-0x000000001C532000-memory.dmp

Filesize
1.0MB

Download
memory/3264-15-0x0000000002ED0000-0x0000000002EDC000-memory.dmp

Filesize
48KB

Download
memory/3264-16-0x0000000002EE0000-0x0000000002EEC000-memory.dmp

Filesize
48KB

Download
memory/3264-14-0x0000000002EC0000-0x0000000002ED2000-memory.dmp

Filesize
72KB

Download
memory/3264-17-0x0000000002EF0000-0x0000000002EFC000-memory.dmp

Filesize
48KB

Download
memory/3264-13-0x0000000000BA0000-0x0000000000CB0000-memory.dmp

Filesize
1.1MB

Download
memory/3264-12-0x00007FFCFCD53000-0x00007FFCFCD55000-memory.dmp

Filesize
8KB

Download
memory/3520-121-0x000000001C330000-0x000000001C432000-memory.dmp

Filesize
1.0MB

Download