Analysis Overview
SHA256
e63c7c92f46cbd081e9111934043b43bdf9b5444bf67c82d370e877611d5bd56
Threat Level: Known bad
The file e63c7c92f46cbd081e9111934043b43bdf9b5444bf67c82d370e877611d5bd56 was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
DcRat
DCRat payload
Dcrat family
DCRat payload
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-31 22:07
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-31 22:07
Reported
2022-10-31 22:09
Platform
win10-20220812-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\providercommon\spoolsv.exe | N/A |
| N/A | N/A | C:\providercommon\spoolsv.exe | N/A |
| N/A | N/A | C:\providercommon\spoolsv.exe | N/A |
| N/A | N/A | C:\providercommon\spoolsv.exe | N/A |
| N/A | N/A | C:\providercommon\spoolsv.exe | N/A |
| N/A | N/A | C:\providercommon\spoolsv.exe | N/A |
| N/A | N/A | C:\providercommon\spoolsv.exe | N/A |
| N/A | N/A | C:\providercommon\spoolsv.exe | N/A |
| N/A | N/A | C:\providercommon\spoolsv.exe | N/A |
| N/A | N/A | C:\providercommon\spoolsv.exe | N/A |
| N/A | N/A | C:\providercommon\spoolsv.exe | N/A |
| N/A | N/A | C:\providercommon\spoolsv.exe | N/A |
| N/A | N/A | C:\providercommon\spoolsv.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\e63c7c92f46cbd081e9111934043b43bdf9b5444bf67c82d370e877611d5bd56.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e63c7c92f46cbd081e9111934043b43bdf9b5444bf67c82d370e877611d5bd56.exe
"C:\Users\Admin\AppData\Local\Temp\e63c7c92f46cbd081e9111934043b43bdf9b5444bf67c82d370e877611d5bd56.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\providercommon\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\odt\ShellExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\ShellExperienceHost.exe'
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NpgWdIWSbT.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TdlfhXh7Yo.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NpgWdIWSbT.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yMeEqlK1gO.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtQmBjXbDh.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 20.42.73.24:443 | | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
C:\providercommon\spoolsv.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | ad5cd538ca58cb28ede39c108acb5785 |
| SHA1 | 1ae910026f3dbe90ed025e9e96ead2b5399be877 |
| SHA256 | c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033 |
| SHA512 | c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b8434b46a9fc311482dfa3ec2c6baf2f |
| SHA1 | ab925a9da43821ca31158f8ddbe682fbf4f96400 |
| SHA256 | 23fe0033babdfe0c502df6de36685a5cdc5613086e222edc57f97a266ced8149 |
| SHA512 | e6ff732fccc6a6444b298f68b6fc4045a6b2ecc73a40a171bac07224529615252a1a8fa4c50a29b1e6daabb34e14bac3845ad22f620e18ed7f684a54b6e3a1bc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 092012581b38cacd04073f0befea943a |
| SHA1 | 3ae45afb2d715f74dabd25d0c1036e2d1ab13d24 |
| SHA256 | e4f55f299bd74de0c8da82b4ed70a87053a89a785b84c694ed4008bcad0b7d43 |
| SHA512 | 4d305282639e627c7708b2fca9601d4c2436e213fe14a53452f76fc3407c12cc7590628e7ff2e589445ba9bd1cb03c4b210a52e320cbb6c123abff4115490873 |
C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat
| MD5 | 0ea0d87ad435c307b8d9dd2b4d2cba51 |
| SHA1 | 7bd4afcca773d72eaec8f535fb3e68cf5e632a4c |
| SHA256 | 57251a912d8124f8f558e5ae490378ab906f691d01e050dcf46f09fe6654f6af |
| SHA512 | d60efca0a133fa6e14e0fc08cbcc7758a2cfbe645b668177bdd5d6ed2f71761db13beb54488904481107ed4b6b898b7fedbd683d19dff31f0249b812fd21b158 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log
| MD5 | d63ff49d7c92016feb39812e4db10419 |
| SHA1 | 2307d5e35ca9864ffefc93acf8573ea995ba189b |
| SHA256 | 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12 |
| SHA512 | 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a |
C:\Users\Admin\AppData\Local\Temp\NpgWdIWSbT.bat
| MD5 | 29bd0125796fde2ef8132f8eaa217fd5 |
| SHA1 | cc2fb831cce856f60686ddd3cfad627d6d66ab5a |
| SHA256 | afc15f23191d430539f609cbd398868e3e566708c6ea5b78a33ee2cedd22811c |
| SHA512 | 04d2037be4d85896697d7f82f467d84cb6ae23b2e6c45937062142f6eeba99b9c830b34b88eb6a2d4a5f5825e5ef520798cdb3ebc9f63218c73900b1131ff262 |
C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat
| MD5 | 6c522770f0c79d069de1ef041a2964db |
| SHA1 | 8302f36bf0b5bea9dca1c2a5a50961e56ecb0bb9 |
| SHA256 | 5330e72eaf0a9be3b692900fcb82f271d9840ce64dd4bb9865edc749c2518a16 |
| SHA512 | 8a0615cf2fcb3a0b321a26aaf9f9fce4d98f02d32e4abb904581761c85d4776aad2dab96b525e00a035d2715942d4989e68c089ce7e5c658c6300e209bbb7397 |
C:\Users\Admin\AppData\Local\Temp\TdlfhXh7Yo.bat
| MD5 | 053299379af7f320502094d4db361064 |
| SHA1 | fb52af0a338f97f6b027396761289af1c47b05d9 |
| SHA256 | b7e1d763d0da3815816fd79bb73aa384438802766c5e201cbe20d07d4146579b |
| SHA512 | 08fa30b721812ccd2a3311a91d538151e8d9b2fb738dcf4882f7879fc4488e0e2b5ce6aac5cadecc64c0c089d389013cfd703bc87be266a2e148a9685888764a |
C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat
| MD5 | d70f90efaef46f3a65e8705ee25b41cb |
| SHA1 | 18a7cb2ec46583c1e2dfba33479e19fa15c7035c |
| SHA256 | 1ae98bbc1b48d226920d540af178858d844041e6bea6ad8e2cc3199cb8d5a8b0 |
| SHA512 | 972cc184972980fdc5aa119ca91cbf678a3eb35d2b719b032575ea2137dea86ee2af6b5569831ce74c77295de3c4762c3477469092f107e153db525f87e78754 |
C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat
| MD5 | f08ede0c3722e29faa90ee33271baf31 |
| SHA1 | 187cf7178a9e86e74961dd5b7be0c6d304661453 |
| SHA256 | 5aab7437fccad7c0382313275a43dee9c7ebfac13ecfaa02ea7133355c217be3 |
| SHA512 | 260a22a20612fcd5f65bcbee0a5fddab647750df83f7a89bc43706d58d8ea701bc1f7c1d19531b884578084d1ccb4491efa9b533f38628692664bb23cb97cc16 |
C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat
| MD5 | 7521031780c8016c32a493702821cffb |
| SHA1 | e68fe9f5735b775d225628c47dafff53607d5f54 |
| SHA256 | 79d31363a5391f9379cdf62a97638a429387f99e36f7f599de3b52c434e420e6 |
| SHA512 | f5d4305a3ad6367499b929cf9246bc8d97af8f3dabe7d2888b5694c3bce43d220914663a599186e1d97dd518f30a67d4c2956068940454061e44e75d285f2b19 |
C:\Users\Admin\AppData\Local\Temp\yMeEqlK1gO.bat
| MD5 | b32e168ee4749de589617064dc2c61db |
| SHA1 | 946988d13b9bd7d1875409555c9afbf97320aeb4 |
| SHA256 | cf6521a7b24a76ad5d9ac4909ec54b9a9a222d5aaa3f63196b5c3bcc23df21df |
| SHA512 | 3c9081b2cd5817d34ba5af66a0808dbb3115c0b50b672dd36f3ef120003fd5f33ae37bf87d95a45e146d0112e1b95102647ffec1408b06e996e9f819cc42a78d |
C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat
| MD5 | 427255b2c8ddf096e6fddeadf31deb46 |
| SHA1 | 42b5ae31fe33ff1e425a52b3f6f41a486028ba79 |
| SHA256 | 1061f887ef79ad9264b63f7dc2a9a8f43e43ca9d5ae0e72fdeca55fca67c3b5b |
| SHA512 | 0aeab5b4f2ee270026bfbe5ba597004590daa7c357b702d6f2b97d3436eb299767ea412c94f00a43153f91211032f60c5b65acc844c031a631a6398a9cc82731 |
C:\Users\Admin\AppData\Local\Temp\WtQmBjXbDh.bat
| MD5 | dd60a0b180866a8990e9ce5e71e92014 |
| SHA1 | 3426c79c42ce1955a807a8db0e7384367530e626 |
| SHA256 | 251cdcb3fd8495edc3ccfa0e8032cbce872c9f88a1112cdab48cb869f7968fa9 |
| SHA512 | df86fb1d2429a8c93a31cdc780c74c0e73b24fc12c43832afbccfab04e076686ef75eca186d048deaed35b7c262b414d2059595f54c236db30203fd711784e48 |
C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat
| MD5 | 1858f84b7b73cfc217a383938d8a8150 |
| SHA1 | f2d4f39c94b0536ce58c66de2907c4907d5bb56f |
| SHA256 | 605c285c4597920bdd8034383c15a5353364d6d196af343a454636d8f5963bdd |
| SHA512 | ab56ec1da589d522aa81592cbf78095f4eacdf4f327e7ed32af16595ab399680f08e604f59c4f6d2c43049e5dd7bef9184e443f8ab79b34c0437e268283218e7 |