Analysis Overview
SHA256
c16cbce8292b81b29e79f6b590f474b19a2cdc2639b445d6f3998e701b4ad0a4
Threat Level: Known bad
The file c16cbce8292b81b29e79f6b590f474b19a2cdc2639b445d6f3998e701b4ad0a4 was found to be: Known bad.
Malicious Activity Summary
DCRat payload
Process spawned unexpected child process
Dcrat family
DcRat
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-31 22:02
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-31 22:02
Reported
2022-10-31 22:04
Platform
win10-20220812-en
Max time kernel
147s
Max time network
145s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target | Count |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | | 48 (one per schtasks.exe invocation listed under Processes) |
DCRat payload
| Description | Indicator | Process | Target | Count |
| N/A | N/A | N/A | N/A | 16 |
Executes dropped EXE
| Description | Indicator | Process | Target | Count |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A | 1 |
| N/A | N/A | C:\Windows\Migration\WTR\wininit.exe | N/A | 12 |
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\5940a34987c991 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\lsass.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\6203df4a6bafc7 | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Migration\WTR\56085415360792 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\en-US\Idle.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Cursors\lsass.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Downloaded Program Files\conhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\schemas\sppsvc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\schemas\0a1fd5f707cd16 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Migration\WTR\wininit.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\en-US\6ccacd8608530f | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Cursors\6203df4a6bafc7 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Downloaded Program Files\088424020bedd6 | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
Modifies registry class
| Description | Indicator | Process | Target | Count |
| Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\c16cbce8292b81b29e79f6b590f474b19a2cdc2639b445d6f3998e701b4ad0a4.exe | N/A | 1 |
| Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | C:\providercommon\DllCommonsvc.exe | N/A | 1 |
| Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | C:\Windows\Migration\WTR\wininit.exe | N/A | 11 |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c16cbce8292b81b29e79f6b590f474b19a2cdc2639b445d6f3998e701b4ad0a4.exe
"C:\Users\Admin\AppData\Local\Temp\c16cbce8292b81b29e79f6b590f474b19a2cdc2639b445d6f3998e701b4ad0a4.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\odt\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\providercommon\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\Migration\WTR\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\Migration\WTR\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\en-US\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\en-US\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\en-US\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\Cursors\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Cursors\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\Cursors\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Music\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Music\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Music\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Pictures\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\Downloaded Program Files\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\Downloaded Program Files\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\schemas\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\schemas\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\schemas\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\odt\OfficeClickToRun.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\wininit.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Pictures\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\schemas\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\lsass.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\lsass.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\Idle.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\cmd.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\OfficeClickToRun.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jO69LB4byb.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Migration\WTR\wininit.exe
"C:\Windows\Migration\WTR\wininit.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pI0EcicZAo.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Migration\WTR\wininit.exe
"C:\Windows\Migration\WTR\wininit.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Migration\WTR\wininit.exe
"C:\Windows\Migration\WTR\wininit.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s5uDoSCHZY.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Migration\WTR\wininit.exe
"C:\Windows\Migration\WTR\wininit.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6raUEgr1vJ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Migration\WTR\wininit.exe
"C:\Windows\Migration\WTR\wininit.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6raUEgr1vJ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Migration\WTR\wininit.exe
"C:\Windows\Migration\WTR\wininit.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q3WH03M43W.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Migration\WTR\wininit.exe
"C:\Windows\Migration\WTR\wininit.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Migration\WTR\wininit.exe
"C:\Windows\Migration\WTR\wininit.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RgqsKqwwLg.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Migration\WTR\wininit.exe
"C:\Windows\Migration\WTR\wininit.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kQw8FYVnXF.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Migration\WTR\wininit.exe
"C:\Windows\Migration\WTR\wininit.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q3WH03M43W.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Migration\WTR\wininit.exe
"C:\Windows\Migration\WTR\wininit.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Asmf6CRzTu.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Migration\WTR\wininit.exe
"C:\Windows\Migration\WTR\wininit.exe"
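The process list above shows the three behaviours a detection engineer would key on: schtasks.exe launched with wmiprvse.exe as its parent (the "Process spawned unexpected child process" signature), scheduled tasks whose targets borrow System32 binary names (lsass.exe, csrss.exe, wininit.exe, ...) but point into directories such as C:\Windows\Cursors or C:\odt, and Defender path exclusions added with Add-MpPreference. The following Python is an added example, not part of the sandbox report: it runs those three rules over a handful of constructed process-creation records. The record layout is an assumption loosely modelled on Sysmon Event ID 1, the command lines are copied from the Processes list, and the parent images and the benign control record are constructed.

```python
"""Three detection rules for the persistence chain in this report (added example).
Record layout is an assumption (Sysmon Event ID 1 style); command lines come from
the report's Processes list, parent images and the benign control are constructed."""
import re
from dataclasses import dataclass

# Genuine System32 binary names that this sample's task targets imitate (assumption:
# taken from the /tr targets above; Idle.exe and OfficeClickToRun.exe are left out
# because they are not System32 binaries, so the directory check would not apply).
SYSTEM_BINARIES = {
    "lsass.exe", "csrss.exe", "wininit.exe", "dllhost.exe", "conhost.exe",
    "sppsvc.exe", "runtimebroker.exe", "dwm.exe", "fontdrvhost.exe", "cmd.exe",
}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

_TN = re.compile(r'/tn\s+"([^"]+)"', re.I)
_TR = re.compile(r'''/tr\s+"'?(.+?\.exe)''', re.I)  # target path up to the first .exe
_RL = re.compile(r"/rl\s+(\w+)", re.I)
_SC = re.compile(r"/sc\s+(\w+)", re.I)
_EXCL = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.I)


@dataclass(frozen=True)
class Record:
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str
    record: Record


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _in_system_dir(path: str) -> bool:
    directory = path.rsplit("\\", 1)[0].lower()
    return any(directory == d or directory.startswith(d + "\\") for d in SYSTEM_DIRS)


def parse_schtasks_create(cmdline: str):
    """Return (task_name, target_exe, run_level, schedule) for a /create call, else None."""
    if not re.search(r"/create\b", cmdline, re.I):
        return None
    tn, tr = _TN.search(cmdline), _TR.search(cmdline)
    if not (tn and tr):
        return None
    rl, sc = _RL.search(cmdline), _SC.search(cmdline)
    return (tn.group(1), tr.group(1),
            rl.group(1).upper() if rl else "LIMITED",
            sc.group(1).upper() if sc else "")


def analyze(records):
    alerts = []
    for rec in records:
        image, parent = _basename(rec.image), _basename(rec.parent_image)
        # Rule 1: wmiprvse.exe is the parent only when the process was created via WMI.
        if parent == "wmiprvse.exe" and image == "schtasks.exe":
            alerts.append(Alert("wmiprvse_spawned_schtasks", rec.command_line, rec))
        # Rule 2: task target named like a System32 binary but stored somewhere else.
        if image == "schtasks.exe":
            parsed = parse_schtasks_create(rec.command_line)
            if parsed:
                name, target, rl, sc = parsed
                if _basename(target) in SYSTEM_BINARIES and not _in_system_dir(target):
                    alerts.append(Alert("masqueraded_task_target",
                                        f"{name}: {target} (rl={rl}, sc={sc})", rec))
        # Rule 3: a Defender path exclusion added from the command line.
        if image in ("powershell.exe", "pwsh.exe"):
            m = _EXCL.search(rec.command_line)
            if m:
                alerts.append(Alert("defender_exclusion_added", m.group(1), rec))
    return alerts


# Constructed records: command lines copied from the report, parent images assumed.
SAMPLE_RECORDS = [
    Record(r"C:\Windows\system32\wbem\wmiprvse.exe", r"C:\Windows\system32\schtasks.exe",
           r'''schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Cursors\lsass.exe'" /rl HIGHEST /f'''),
    Record(r"C:\Windows\system32\wbem\wmiprvse.exe", r"C:\Windows\system32\schtasks.exe",
           r'''schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\odt\cmd.exe'" /f'''),
    Record(r"C:\providercommon\DllCommonsvc.exe",
           r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           r'"powershell" -Command Add-MpPreference -ExclusionPath '
           + r"'C:\Windows\Migration\WTR\wininit.exe'"),
    # Benign control: an admin-created task whose target really lives in System32.
    Record(r"C:\Windows\System32\svchost.exe", r"C:\Windows\system32\schtasks.exe",
           r'''schtasks.exe /create /tn "NightlyBackup" /sc DAILY /tr "C:\Windows\System32\cmd.exe /c C:\scripts\backup.cmd" /f'''),
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_RECORDS):
        print(f"[{a.rule}] {a.detail}")
```

Rule 2 deliberately does not fire on the benign control, because masquerading is about the combination of a trusted name and an untrusted location; a task that launches the real C:\Windows\System32\cmd.exe is ordinary administration. Rule 1 and Rule 2 fire together on the first two records, which is the pairing that makes this sample stand out: every one of the 48 schtasks.exe launches in the report has wmiprvse.exe as parent.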
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp | 1 |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp | 11 |
Files
memory/3040-118-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-119-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-120-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-121-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-123-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-124-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-126-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-127-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-128-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-129-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-130-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-131-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-132-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-133-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-134-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-135-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-136-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-137-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-138-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-139-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-140-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-141-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-142-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-143-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-144-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-145-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-147-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-148-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-149-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-151-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-152-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-153-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-150-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-146-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-154-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-155-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-156-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-157-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-158-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-159-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-160-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-161-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-162-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-163-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-164-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-165-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-166-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-167-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-168-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-170-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-169-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-171-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-172-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-173-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-174-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-175-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-176-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-177-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-178-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-179-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-180-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-181-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/4512-182-0x0000000000000000-mapping.dmp
memory/4512-183-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/4512-184-0x00000000779B0000-0x0000000077B3E000-memory.dmp
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
memory/4516-258-0x0000000000000000-mapping.dmp
memory/3248-281-0x0000000000000000-mapping.dmp
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/3248-284-0x00000000009C0000-0x0000000000AD0000-memory.dmp
memory/3248-285-0x0000000001220000-0x0000000001232000-memory.dmp
memory/3248-286-0x0000000001240000-0x000000000124C000-memory.dmp
memory/3248-287-0x000000001B620000-0x000000001B62C000-memory.dmp
memory/3248-288-0x000000001B630000-0x000000001B63C000-memory.dmp
memory/2428-293-0x0000000000000000-mapping.dmp
memory/848-292-0x0000000000000000-mapping.dmp
memory/3660-295-0x0000000000000000-mapping.dmp
memory/4812-301-0x0000000000000000-mapping.dmp
memory/4656-311-0x0000000000000000-mapping.dmp
memory/3512-307-0x0000000000000000-mapping.dmp
memory/2108-304-0x0000000000000000-mapping.dmp
memory/5084-299-0x0000000000000000-mapping.dmp
memory/2636-297-0x0000000000000000-mapping.dmp
memory/3120-291-0x0000000000000000-mapping.dmp
memory/2872-290-0x0000000000000000-mapping.dmp
memory/1544-289-0x0000000000000000-mapping.dmp
memory/3736-329-0x0000000000000000-mapping.dmp
memory/4176-324-0x0000000000000000-mapping.dmp
memory/3464-319-0x0000000000000000-mapping.dmp
memory/2028-316-0x0000000000000000-mapping.dmp
memory/3744-312-0x0000000000000000-mapping.dmp
memory/396-362-0x0000000000000000-mapping.dmp
memory/2872-365-0x000001B6B5410000-0x000001B6B5432000-memory.dmp
memory/848-384-0x00000214F2090000-0x00000214F2106000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jO69LB4byb.bat
| MD5 | 39a8291f55caa819a6a9145a266d0fcb |
| SHA1 | 4784b0c76f65b46daec46aee2eef060178068957 |
| SHA256 | 9c13bd79e82694b23a1d583accd5e8a82cf373f2d02c965dc20b0c66036da82f |
| SHA512 | a4748be408ce4722a1e849401c7a3ac19052697e2462175b39b497bbed8396937621044ede5315af0bd2995b105d8ccf9743531e9f65807e70b31a6731af181e |
memory/4744-421-0x0000000000000000-mapping.dmp
memory/3132-726-0x0000000000000000-mapping.dmp
C:\Windows\Migration\WTR\wininit.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
C:\Windows\Migration\WTR\wininit.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/3132-797-0x000000001B610000-0x000000001B622000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | ad5cd538ca58cb28ede39c108acb5785 |
| SHA1 | 1ae910026f3dbe90ed025e9e96ead2b5399be877 |
| SHA256 | c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033 |
| SHA512 | c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 974e7a417c80750e820ab36432a5c583 |
| SHA1 | 324f4a90ab0efa81490972025aeb2c15fb20042b |
| SHA256 | 9a51d0169723f6776bce7212f29a3e5519ab8edadcaf33f56f6ea23556196df7 |
| SHA512 | 45f05ebd6c606e668df3d55fbabe505bd9c0ff355f7d3e1e2d230705d0565e468d0ce770a169c45778e9e8339282245f7de1bbde0ba0e3bf4941beb1048b9471 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e18debd736ea845298d192aaeaf0c812 |
| SHA1 | 60d82322739b6e25452daf3f183fb078d35ccfc3 |
| SHA256 | 0d97bd4194cfddfac9c7430a685bdf99645ae27ddce0e65450e431bfa698705f |
| SHA512 | a1386fd234cc35c4180b99e59c48a41e4b7a229dcc3401e0244a862c1ebfdbbece2a23eb0cbb41d1bbe60c53f3116ad5fdb26d1ab98d4d59889ef1d0cf3798e4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e18debd736ea845298d192aaeaf0c812 |
| SHA1 | 60d82322739b6e25452daf3f183fb078d35ccfc3 |
| SHA256 | 0d97bd4194cfddfac9c7430a685bdf99645ae27ddce0e65450e431bfa698705f |
| SHA512 | a1386fd234cc35c4180b99e59c48a41e4b7a229dcc3401e0244a862c1ebfdbbece2a23eb0cbb41d1bbe60c53f3116ad5fdb26d1ab98d4d59889ef1d0cf3798e4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e18debd736ea845298d192aaeaf0c812 |
| SHA1 | 60d82322739b6e25452daf3f183fb078d35ccfc3 |
| SHA256 | 0d97bd4194cfddfac9c7430a685bdf99645ae27ddce0e65450e431bfa698705f |
| SHA512 | a1386fd234cc35c4180b99e59c48a41e4b7a229dcc3401e0244a862c1ebfdbbece2a23eb0cbb41d1bbe60c53f3116ad5fdb26d1ab98d4d59889ef1d0cf3798e4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e18debd736ea845298d192aaeaf0c812 |
| SHA1 | 60d82322739b6e25452daf3f183fb078d35ccfc3 |
| SHA256 | 0d97bd4194cfddfac9c7430a685bdf99645ae27ddce0e65450e431bfa698705f |
| SHA512 | a1386fd234cc35c4180b99e59c48a41e4b7a229dcc3401e0244a862c1ebfdbbece2a23eb0cbb41d1bbe60c53f3116ad5fdb26d1ab98d4d59889ef1d0cf3798e4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8193d82f77058e277f8343a3ebd61522 |
| SHA1 | 112dbb91cfabf6041e679810422c1abca36c98d0 |
| SHA256 | 70e3471d63ccf866999540e5760f4bb2d8bb958f8ac41b932c17d3754ddb4342 |
| SHA512 | 35c6fe8b6b1a697d8dd7454231ca008611333e5e9c232263982d29c2faafe9fc1b1a985ac5b089c7f836d81b7206595e60c1c203fd990968e13c347578a6bbf7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3057d5750de467747201f2093e138459 |
| SHA1 | 5db0f666b68bbb11e5e7db074a55a6e2149e1feb |
| SHA256 | f5eb2b199651f0d16a2bf4130ac2b9138ff94811fb113fad8337f5fabb303675 |
| SHA512 | cd0d01cbaa33edc277b348dfe65e3c18ad2fce07c034bd28d898880ce695cb34849f59e120c7f89b257d970df151246291fcd1ac73c527ad4888d303dcb68242 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8193d82f77058e277f8343a3ebd61522 |
| SHA1 | 112dbb91cfabf6041e679810422c1abca36c98d0 |
| SHA256 | 70e3471d63ccf866999540e5760f4bb2d8bb958f8ac41b932c17d3754ddb4342 |
| SHA512 | 35c6fe8b6b1a697d8dd7454231ca008611333e5e9c232263982d29c2faafe9fc1b1a985ac5b089c7f836d81b7206595e60c1c203fd990968e13c347578a6bbf7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f07b15944f65d810eac3a97efe1964f9 |
| SHA1 | 53d41cd0bf136e5d55757646233d0f0f0e9cdb67 |
| SHA256 | 5224df61b6d5760f56aecfc70c56c5b63d4a3ce64c431ded409cbb72b44234ca |
| SHA512 | b94b540ed85517ecce5558cb520850df5aafd8300ea757dbf93233dfceded1b3900d148b981c2192a68dd2e24b9fddbe659051cfb11d6e39b6fda57fb69273d9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 217a7987b4fbb91a7068bd530f66ba6b |
| SHA1 | e118397b759dc584d834222ac1b125225ef8db4a |
| SHA256 | 7158051eb17aa445a69ce1d11b2b280b7780cc9664e40c8e75392f01dff71b37 |
| SHA512 | 62a7bb9333669491fd1c53bdfcf94b68200cb62dff8b43aa1556c9e613941609f50f7444fab55d5a440430048802412e262b1b9bd7d336428b6d17ce6b4fab2d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3704cdfa88bec33251df4bb250702f57 |
| SHA1 | 836e9f32da8e8e328b0a9ca3660a3dc4defdb8a8 |
| SHA256 | 5cd4c899a7f346447b025991628f53f3ca3812c6340b9acd0a445ea2486bfef5 |
| SHA512 | e1ac068b72b5f8f57159f10de5f92e4ad2db2ec85309f828dd1b79855064e0bc14bf9a72c3258344b809489aa0a4778fa7dbd324004a7f1e638567082423e5e5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 96e66d2d19b5c2093e85dcc098b3d63d |
| SHA1 | dc23592e06cfb458c4527c89fc77bcd800005c17 |
| SHA256 | 45e778cd95ca987363f3ffbb5b60c3ed3e6e5fd7eb1d8221178bd123a4767313 |
| SHA512 | 021c1d223fee83bafe4ed5b14e281da73cb3ed806ad72be2dbbf231d94c6c5eb855fda908da5b904b8bf58425106a038bdf07a074afddf9c98d556a366213813 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6028929ed911b32af3a43c254fcd98a0 |
| SHA1 | 904450ddc55eff07f2a63a9a77e9f3c005e99281 |
| SHA256 | 67b54c7c628bfb5f8687ba9d2854ca199d2544cc6876be4a0507aba35cf61b21 |
| SHA512 | 12572e695c07db96636c92754e8bab2049bcc55dfbbe3c2de571b88a8c6991a8653a19224cd5e51120689546f14f1769e4a097e83abfd0b57c71ce9579e66f4a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6028929ed911b32af3a43c254fcd98a0 |
| SHA1 | 904450ddc55eff07f2a63a9a77e9f3c005e99281 |
| SHA256 | 67b54c7c628bfb5f8687ba9d2854ca199d2544cc6876be4a0507aba35cf61b21 |
| SHA512 | 12572e695c07db96636c92754e8bab2049bcc55dfbbe3c2de571b88a8c6991a8653a19224cd5e51120689546f14f1769e4a097e83abfd0b57c71ce9579e66f4a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 331b22d599347668ebb39dee88700c58 |
| SHA1 | 9b94e20d18152bccb2a88e09ea416129e34e364b |
| SHA256 | a2fbd7aacd3cc9a30fabe77e25d713bea881b0b643f80c3d665f76ac0f0d4c35 |
| SHA512 | 66b0935ee10186f75302ff9271b7ed25f44d9b96764dc8a9fcd103f0348aafc62c1f65326a4603d6a61291ee21ffd7a825ac7b606cedd0b8a5fa3b0e929fc461 |
memory/5704-892-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\pI0EcicZAo.bat
| MD5 | fe6b43cd6e1601b6bdfc8e7a75c57e05 |
| SHA1 | b18d03cad6ac387bbc9d390469d5bf9225fcd180 |
| SHA256 | 01b6fabd766d1d3a03adf83ebc8169c9b9dee2552ce0689b1a3d8abc19596492 |
| SHA512 | 935afcd5357e714eb9474908c73e31d2aa6777248cea85eeaf7e0959130f2b999f79c9635df91a243602c58b7b60491053c2823b4b4bf634b899210c8c4eedf0 |
memory/5760-894-0x0000000000000000-mapping.dmp
memory/5780-895-0x0000000000000000-mapping.dmp
C:\Windows\Migration\WTR\wininit.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log
| MD5 | d63ff49d7c92016feb39812e4db10419 |
| SHA1 | 2307d5e35ca9864ffefc93acf8573ea995ba189b |
| SHA256 | 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12 |
| SHA512 | 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a |
memory/5780-898-0x0000000000F70000-0x0000000000F82000-memory.dmp
memory/5892-899-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat
| MD5 | 81e5dd361d8b5354e5df87e3a3d80a61 |
| SHA1 | f99a8780681fa3ae9d047362012114010ec7433c |
| SHA256 | 51c9eb4a5478e3d45f81206ca0b9e3bb317eaa8ffe0a758a2d00ce98cc5cf2d9 |
| SHA512 | 84e026914962188dbe35968b44c04309a34d1499c6579ff9994d999b89bb2c2fdc8032246943db1f28b90a9303fbec4330bd1bffa984035a3af71f718c2a3b5a |
memory/5948-901-0x0000000000000000-mapping.dmp
memory/5968-902-0x0000000000000000-mapping.dmp
C:\Windows\Migration\WTR\wininit.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/5968-904-0x0000000001240000-0x0000000001252000-memory.dmp
memory/6076-905-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\s5uDoSCHZY.bat
| MD5 | 54ca0ec1ca3a8bedfaee0ac14ac08b95 |
| SHA1 | 392e43329cc3eaf001764802a85f87ab503aa7e8 |
| SHA256 | fa6af58009223e63eb91155c66e7bbf8b3392fe9db5529bcf28e329864dccbce |
| SHA512 | b04c9556f8ea58d2d6a0d63856d060de94dfe4a477d4b7899ee46bc6b2e281f8f826fcc5f423f4e3d1e4f6c0298232cfcc2fbb5adf3411d5600ea7331cadc6a0 |
memory/6132-907-0x0000000000000000-mapping.dmp
memory/5188-908-0x0000000000000000-mapping.dmp
C:\Windows\Migration\WTR\wininit.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/5364-910-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\6raUEgr1vJ.bat
| MD5 | d1930853be5809b621b17cd896e4a7a9 |
| SHA1 | 0225aac5446da24851f7bfcd4f9d4c77f233810e |
| SHA256 | cb624db2408db437704cef0946f047a67418183a1b9e3ad18ff52cf01e3997e3 |
| SHA512 | ec8ca931eb5cd27da6276efba81c8375401d0a47172beca1675639653a54cce33ae00b232d19e88c1d3ea0cfcf847e719dac8900022c08bd1e5740fe18d0195f |
memory/5464-912-0x0000000000000000-mapping.dmp
memory/4900-913-0x0000000000000000-mapping.dmp
C:\Windows\Migration\WTR\wininit.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4900-915-0x0000000000A10000-0x0000000000A22000-memory.dmp
memory/5076-916-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\6raUEgr1vJ.bat
| MD5 | d1930853be5809b621b17cd896e4a7a9 |
| SHA1 | 0225aac5446da24851f7bfcd4f9d4c77f233810e |
| SHA256 | cb624db2408db437704cef0946f047a67418183a1b9e3ad18ff52cf01e3997e3 |
| SHA512 | ec8ca931eb5cd27da6276efba81c8375401d0a47172beca1675639653a54cce33ae00b232d19e88c1d3ea0cfcf847e719dac8900022c08bd1e5740fe18d0195f |
memory/5156-918-0x0000000000000000-mapping.dmp
memory/4964-919-0x0000000000000000-mapping.dmp
C:\Windows\Migration\WTR\wininit.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/3708-921-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\q3WH03M43W.bat
| MD5 | 85ab8a2923448c2cec22e8593bafae0b |
| SHA1 | 6f0c797f1a48a17cbd4ab975b0d8192f9a5873f3 |
| SHA256 | eafbeb5dcc62393a92c52df628c34eb647057ec8a0c2f3a17341541caf95e71e |
| SHA512 | 05368e6fc61eaaf5750e437d8fb6402b396134bbc5e916bf4bcb6601ca70412b9faad52df379d91cb5a404569d9ae7fc62f7b05b05eeba57e47031026151f751 |
memory/3860-923-0x0000000000000000-mapping.dmp
memory/2600-924-0x0000000000000000-mapping.dmp
C:\Windows\Migration\WTR\wininit.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2600-926-0x0000000002740000-0x0000000002752000-memory.dmp
memory/532-927-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat
| MD5 | 9217d96bb9740a750ed2e0dd4d689009 |
| SHA1 | cd4ec2f8d3ea9d8477945ea6157aac6d7cc08a79 |
| SHA256 | 23ff48c7f70d54cb37edec2dc21f0e1b81fb20a45f352f4babf37d3d6b883cde |
| SHA512 | c580f8821e38a9f5a981ce5d1fca6655e604f16adc9823b04e2a864314a37b7d2ee9f4d64cc249769dd7722426850b3bb03f4843bc0b6684ba2a60053f1e0bd8 |
memory/1480-929-0x0000000000000000-mapping.dmp
memory/2176-930-0x0000000000000000-mapping.dmp
C:\Windows\Migration\WTR\wininit.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/680-932-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RgqsKqwwLg.bat
| MD5 | 104f6c2ca62b635b0009d08048665fe2 |
| SHA1 | 9272612e3c5546d2332462b790f8a6ac67598389 |
| SHA256 | 7e552d0174ebc3abca44f084a4fce8ae108de43d2ce7263e4018c750e30332ce |
| SHA512 | c9ba99644f1c4ae8f3944363269d8cf3ef6722c3d44092c92f83401431910f54b51049144ca7d0258d56922de48c614115963627040e64dd5ed72a658ab14cfe |
memory/3856-934-0x0000000000000000-mapping.dmp
memory/1556-935-0x0000000000000000-mapping.dmp
C:\Windows\Migration\WTR\wininit.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4820-937-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\kQw8FYVnXF.bat
| MD5 | 068020525f30437fb45c6dcb728ab0b0 |
| SHA1 | ab3a0d0dad1252353ea9d1e0be42491450460d13 |
| SHA256 | df9de09875f58d10533c42ba4a14b89c5a725db45fed7a1eb2bf443ab5be0064 |
| SHA512 | 6e980134064d9a266b8303fd2e3949cea07f545cca516a55033de807fda4f33494509205584d9c590f4d02e8a7d7112a8007b0370403a88756727cc17d365502 |
memory/5592-939-0x0000000000000000-mapping.dmp
memory/1848-940-0x0000000000000000-mapping.dmp
C:\Windows\Migration\WTR\wininit.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/1560-942-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\q3WH03M43W.bat
| MD5 | 85ab8a2923448c2cec22e8593bafae0b |
| SHA1 | 6f0c797f1a48a17cbd4ab975b0d8192f9a5873f3 |
| SHA256 | eafbeb5dcc62393a92c52df628c34eb647057ec8a0c2f3a17341541caf95e71e |
| SHA512 | 05368e6fc61eaaf5750e437d8fb6402b396134bbc5e916bf4bcb6601ca70412b9faad52df379d91cb5a404569d9ae7fc62f7b05b05eeba57e47031026151f751 |
memory/2248-944-0x0000000000000000-mapping.dmp
memory/3824-945-0x0000000000000000-mapping.dmp
C:\Windows\Migration\WTR\wininit.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/3824-947-0x0000000001270000-0x0000000001282000-memory.dmp
memory/2432-948-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Asmf6CRzTu.bat
| MD5 | 951b5494445aac585c9c054f8558daf0 |
| SHA1 | aaddaef32d82c840d8ed1f1f470411f985743ae0 |
| SHA256 | 71322b9352a8f4aa238f22d31bdd856b75aecb7a5f89807d63d27f76fb8ec7d0 |
| SHA512 | 5ea8e6a0eacce618e7bda070bcafc3bcf49b7fecbca6629c09b0f27b4b60a480b219fdeddfc1d63186b98525fa23e724b233e72de0867afd3f2bebb7eba1fa74 |
memory/528-950-0x0000000000000000-mapping.dmp
memory/728-951-0x0000000000000000-mapping.dmp
C:\Windows\Migration\WTR\wininit.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |