Analysis Overview
SHA256
5562659e0a7fceea7f52048d19719f80763c0c833a5c705e02fec1d987661bc2
Threat Level: Known bad
The file 5562659e0a7fceea7f52048d19719f80763c0c833a5c705e02fec1d987661bc2 was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Dcrat family
DCRat payload
DcRat
DCRat payload
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-10-31 22:03
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-31 22:03
Reported
2022-10-31 22:05
Platform
win10-20220812-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Office16\dwm.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Office16\dwm.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Office16\dwm.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Office16\dwm.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Office16\dwm.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Office16\dwm.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Office16\dwm.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Office16\dwm.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Office16\dwm.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Office16\dwm.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Office16\dwm.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Office16\dwm.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Office16\dwm.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Microsoft Office\Office16\dwm.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Microsoft Office\Office16\6cb0b6c459d5d3 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Mail\e6c9b481da804f | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SchCache\cc11b995f2a76d | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\SchCache\winlogon.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Program Files\Microsoft Office\Office16\dwm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Program Files\Microsoft Office\Office16\dwm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\5562659e0a7fceea7f52048d19719f80763c0c833a5c705e02fec1d987661bc2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Program Files\Microsoft Office\Office16\dwm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Program Files\Microsoft Office\Office16\dwm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Program Files\Microsoft Office\Office16\dwm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Program Files\Microsoft Office\Office16\dwm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Program Files\Microsoft Office\Office16\dwm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Program Files\Microsoft Office\Office16\dwm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Program Files\Microsoft Office\Office16\dwm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Program Files\Microsoft Office\Office16\dwm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Program Files\Microsoft Office\Office16\dwm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Program Files\Microsoft Office\Office16\dwm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Program Files\Microsoft Office\Office16\dwm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5562659e0a7fceea7f52048d19719f80763c0c833a5c705e02fec1d987661bc2.exe
"C:\Users\Admin\AppData\Local\Temp\5562659e0a7fceea7f52048d19719f80763c0c833a5c705e02fec1d987661bc2.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office16\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office16\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Application Data\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\Application Data\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Application Data\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\SchCache\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\SchCache\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\SchCache\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 7 /tr "'C:\odt\SearchUI.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 6 /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office16\dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\SearchUI.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\OfficeClickToRun.exe'
C:\Program Files\Microsoft Office\Office16\dwm.exe
"C:\Program Files\Microsoft Office\Office16\dwm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Microsoft Office\Office16\dwm.exe
"C:\Program Files\Microsoft Office\Office16\dwm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B7rL9EqqPR.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Microsoft Office\Office16\dwm.exe
"C:\Program Files\Microsoft Office\Office16\dwm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6RTVEKunr.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Microsoft Office\Office16\dwm.exe
"C:\Program Files\Microsoft Office\Office16\dwm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\16sHyqWYU0.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Microsoft Office\Office16\dwm.exe
"C:\Program Files\Microsoft Office\Office16\dwm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SpZgFYZT4y.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Microsoft Office\Office16\dwm.exe
"C:\Program Files\Microsoft Office\Office16\dwm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uSuCPwp4Rh.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Microsoft Office\Office16\dwm.exe
"C:\Program Files\Microsoft Office\Office16\dwm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Microsoft Office\Office16\dwm.exe
"C:\Program Files\Microsoft Office\Office16\dwm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uSuCPwp4Rh.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Microsoft Office\Office16\dwm.exe
"C:\Program Files\Microsoft Office\Office16\dwm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5DPJyftqFq.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Microsoft Office\Office16\dwm.exe
"C:\Program Files\Microsoft Office\Office16\dwm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\paq62miIo8.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Microsoft Office\Office16\dwm.exe
"C:\Program Files\Microsoft Office\Office16\dwm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KqyXtY4PgZ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Microsoft Office\Office16\dwm.exe
"C:\Program Files\Microsoft Office\Office16\dwm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IuwUCT1VMm.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Microsoft Office\Office16\dwm.exe
"C:\Program Files\Microsoft Office\Office16\dwm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys8lvSze9b.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
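The process list above spells out the sample's persistence and defense-evasion commands in plain text: repeated `schtasks /create` calls that point system-binary names (dwm.exe, winlogon.exe, csrss.exe, ...) at directories where those binaries never live, `Add-MpPreference -ExclusionPath` calls that whitelist each dropped copy in Defender, and `w32tm /stripchart` calls against localhost. The Python below is an added triage helper, not part of the sandbox report or of the DCRat tooling; it parses such command lines into findings. The sample input is a subset of the command lines copied from the Processes section above, the set of "System32-only" binary names is a hand-picked assumption, and treating `w32tm /stripchart /computer:localhost` as a sleep substitute is an interpretation of the batch-file behaviour rather than something the report states.

```python
"""Extract persistence and defense-evasion indicators from sandbox process command lines."""
import re
from dataclasses import dataclass
from ntpath import basename, dirname  # ntpath parses backslash paths on any host OS

# Command lines copied from the Processes section of the report (a subset, used as sample input).
SAMPLE_CMDLINES = r"""
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\dwm.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\SchCache\winlogon.exe'" /f
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat"
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
""".strip().splitlines()

# Hand-picked (assumed) list of binary names that legitimately live only in System32;
# the sample reuses these names for its dropped copies.
SYSTEM_BINARIES = {"dwm.exe", "winlogon.exe", "csrss.exe", "fontdrvhost.exe", "dllhost.exe"}
SYSTEM32 = r"c:\windows\system32"

TASK_RE = re.compile(
    r'/tn\s+"(?P<name>[^"]+)".*?/sc\s+(?P<sched>\w+)(?:\s+/mo\s+(?P<mod>\d+))?'
    r'.*?/tr\s+"\'?(?P<target>[^"\']+)\'?"',
    re.IGNORECASE,
)
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'(?P<path>[^']+)'", re.IGNORECASE)
DELAY_RE = re.compile(r"w32tm\s+/stripchart\s+/computer:localhost", re.IGNORECASE)


@dataclass
class Finding:
    kind: str    # scheduled_task | masquerade | defender_exclusion | delay
    target: str  # path or command the finding refers to
    detail: str


def parse_schtasks(cmd):
    """Return (task name, schedule, target path, runs-as-highest) for a schtasks /create line, else None."""
    lowered = cmd.lower()
    if "schtasks" not in lowered or "/create" not in lowered:
        return None
    m = TASK_RE.search(cmd)
    if m is None:
        return None
    schedule = m["sched"].upper()
    if m["mod"]:
        schedule = f"every {m['mod']} {schedule.lower()}s"  # e.g. "every 8 minutes"
    return m["name"], schedule, m["target"], "/rl highest" in lowered


def is_masquerading(path):
    """True when a System32 binary name is used for a file outside System32."""
    return basename(path).lower() in SYSTEM_BINARIES and dirname(path).lower() != SYSTEM32


def triage(cmdlines):
    """Turn raw command lines into a list of Finding records."""
    findings = []
    for cmd in cmdlines:
        task = parse_schtasks(cmd)
        if task:
            name, schedule, target, highest = task
            privilege = " with highest privileges" if highest else ""
            findings.append(Finding("scheduled_task", target,
                                    f'task "{name}" runs {target} {schedule}{privilege}'))
            if is_masquerading(target):
                findings.append(Finding("masquerade", target,
                                        f"{basename(target)} is a System32 name but sits in {dirname(target)}"))
            continue
        excl = EXCLUSION_RE.search(cmd)
        if excl:
            findings.append(Finding("defender_exclusion", excl["path"],
                                    f"Defender exclusion added for {excl['path']}"))
            continue
        if DELAY_RE.search(cmd):
            findings.append(Finding("delay", cmd, "w32tm /stripchart against localhost used as a sleep"))
    return findings


def count_by_kind(findings):
    """Histogram of finding kinds, handy for a one-line verdict."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_CMDLINES)
    for f in results:
        print(f"[{f.kind}] {f.detail}")
    print(count_by_kind(results))
```

On the full process list the same logic yields one `masquerade` hit per `/tr` target, since every task points at a System32 binary name under C:\providercommon, C:\Recovery\WindowsRE, C:\Windows\SchCache, a user profile or an Office directory; the exclusion paths line up one-to-one with those targets, which is the pattern to pivot on when hunting for further copies.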
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| NL | 52.178.17.3:443 | | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| NL | 178.79.208.1:80 | | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| NL | 104.80.224.44:443 | | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
Files
memory/4248-119-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-120-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-121-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-122-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-124-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-125-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-127-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-128-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-129-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-130-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-131-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-132-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-133-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-134-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-135-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-136-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-137-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-138-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-140-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-139-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-141-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-143-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-142-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-144-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-145-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-146-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-147-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-148-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-149-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-150-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-151-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-152-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-153-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-154-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-155-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-156-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-157-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-158-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-159-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-160-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-161-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-162-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-163-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-164-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-165-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-166-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-167-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-168-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-169-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-170-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-171-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-172-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-173-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-174-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-176-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-175-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-177-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-178-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-179-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-180-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-181-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4248-182-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/3724-184-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/3724-183-0x0000000000000000-mapping.dmp
memory/3724-185-0x0000000076E80000-0x000000007700E000-memory.dmp
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
memory/4736-259-0x0000000000000000-mapping.dmp
memory/4068-282-0x0000000000000000-mapping.dmp
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4068-285-0x0000000000ED0000-0x0000000000FE0000-memory.dmp
memory/4068-286-0x00000000015E0000-0x00000000015F2000-memory.dmp
memory/4068-287-0x00000000018D0000-0x00000000018DC000-memory.dmp
memory/4068-288-0x0000000003040000-0x000000000304C000-memory.dmp
memory/4068-289-0x0000000003050000-0x000000000305C000-memory.dmp
memory/1192-292-0x0000000000000000-mapping.dmp
memory/3400-293-0x0000000000000000-mapping.dmp
memory/1048-291-0x0000000000000000-mapping.dmp
memory/2364-290-0x0000000000000000-mapping.dmp
memory/308-296-0x0000000000000000-mapping.dmp
memory/3356-295-0x0000000000000000-mapping.dmp
memory/3380-294-0x0000000000000000-mapping.dmp
memory/4980-302-0x0000000000000000-mapping.dmp
memory/2496-301-0x0000000000000000-mapping.dmp
memory/2464-298-0x0000000000000000-mapping.dmp
memory/2720-297-0x0000000000000000-mapping.dmp
memory/3868-314-0x0000000000000000-mapping.dmp
C:\Program Files\Microsoft Office\Office16\dwm.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
C:\Program Files\Microsoft Office\Office16\dwm.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/1048-348-0x000001F43CDB0000-0x000001F43CDD2000-memory.dmp
memory/1048-352-0x000001F456D50000-0x000001F456DC6000-memory.dmp
memory/3868-354-0x0000000000AC0000-0x0000000000AD2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | ad5cd538ca58cb28ede39c108acb5785 |
| SHA1 | 1ae910026f3dbe90ed025e9e96ead2b5399be877 |
| SHA256 | c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033 |
| SHA512 | c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0ac0d21828bc80e8b74a8b614ae2181a |
| SHA1 | 815ace2e24a56479a36e77b8f5fa73529828cd14 |
| SHA256 | c9446bf0fe1a5f8370cab40d82b98a645aebe34d3a1270f9b869f491897b8454 |
| SHA512 | 1eef5a4d7d04115fbc4b4b44a914155d675cb2deb0164751938ae9b01919e98e3548be20fdfeddff60134aa0a3bfcd7ec449731f43b5d16cd0ffbdd288926fb9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1a6115a956c8fb8ceb21ae98a1a21122 |
| SHA1 | 2125de356a675f1361137d21125f0a806c935de7 |
| SHA256 | da7f6ecbcd2f0be3df7a095163660d875e90fb70ce4300908fe0c48f0b742ad3 |
| SHA512 | 60f56f492f5418fca4e7f849877b6b47d084a2d136681ae102c076dfb02a639fa242a79ba754c0cd6ba525669c03456edfc39268cb0df12bc681d895517fa54a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f4cebace363955b5fb79b606d1252b9e |
| SHA1 | f57eb08ca60074896c6d65c98e2f8b99450f7aee |
| SHA256 | ba0bf3227005c611f8d0d8ad6c73089c086e94019641f0fc14a303c760b6928a |
| SHA512 | 5d63af7b9754546535b86504494ffc6eb0ad79653f148ce4a2e9199badbdf582fac30c31dfeecf79b9d67b21b779d5e4132da8884e1d365c1ca380c719f1a52f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2424894e0df40c3f9d8b2bb410b24372 |
| SHA1 | 5c1063ec9c3db1bd7f1a6efaf82b4035407d0047 |
| SHA256 | e518402a5e3d13a5feb3c8b7661b06d7eed4d9d9d52b69c77402b12712a8f8fb |
| SHA512 | da88f28d4bbb966f8cda8e123b16dd76ab3e85c6e07e177d879f0eaa365aeffe013b56ea62659906bcbea2eaa41c03bff3ccb4cfe32b4ca33e39056212036bb2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2424894e0df40c3f9d8b2bb410b24372 |
| SHA1 | 5c1063ec9c3db1bd7f1a6efaf82b4035407d0047 |
| SHA256 | e518402a5e3d13a5feb3c8b7661b06d7eed4d9d9d52b69c77402b12712a8f8fb |
| SHA512 | da88f28d4bbb966f8cda8e123b16dd76ab3e85c6e07e177d879f0eaa365aeffe013b56ea62659906bcbea2eaa41c03bff3ccb4cfe32b4ca33e39056212036bb2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7340cf2954865be576a2aaba84f49378 |
| SHA1 | d8b8a6323826799bc54f67dd4955855ab5c8a56b |
| SHA256 | 53b3c77511641e1d0c62ccc9b1545a71b06b95532019ffc989033932d6c3a3a5 |
| SHA512 | c125b4b5c26086ce108da9a223a6a303b4bd990c5b52fa1ca10036bff623abf2b54ae71b9ace62edcbff9445a7618e3b8fe60e229c8403ab8c189076a803ab28 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 90efccf9231bfc0481a33b2b20464032 |
| SHA1 | 2491bc513c40e427a3da6ba4f4379a078b727ae6 |
| SHA256 | 3a466ef230cf129e1a05290dded96e382bd5365c2872fc80ed5a045ae442df1f |
| SHA512 | 07ac6ce3f218c6c4b50f0e19ef5acdc29b473a074e24ae04491bab00eb50fc650898218139da10a001758c0a6ea9ed680e8d33d26e56d60c60a70ba9b4d8c652 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a601bbc5f491c2365dbdd33c75cb3d40 |
| SHA1 | db3cf42c718215bab69fb75c5d5c1904da9d8caf |
| SHA256 | b38ab40ca42afcf1b8d08c1ef460d262c50aa3c9af9007417fbb7207e04c02fa |
| SHA512 | aa85d5784311059dede37243bef02c0bcb2c42eb889b1b6d68ad3782147561932696c0e60c102736084d8f53be3f9f6de64b2a1e93382de7468b97a71a757311 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 49f463126ea8f5fbf437da064127251b |
| SHA1 | 2c952a3123f62e02df30e88a093e4366bdffcc4b |
| SHA256 | 3f5f0443152d9a7da9eca9733b62ceaffb68ed1e01771885c9a7a4f9aa058cb9 |
| SHA512 | 5fb1df1378a1bed254c193ed1b32c62819d42a1012e17e1161264a3b08dd47bc51c9d7cbf4c8ec234a5ad3afeda3035c2fc010bdd2954acbb17145354c621d5e |
memory/2968-679-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 730e21edcd445302b788f0c3c21bcfe1 |
| SHA1 | c50466acad6ee1aaf92f1b13cd932299de0b07b6 |
| SHA256 | 2f4b002756fee6069ac19e6307a457c68a75011b83341468b4b46e1d3eaedb41 |
| SHA512 | 4cd837f925d0b5f56bd3e418a8fc88ddb153fe27e0e41434fd00aca912af2e5026b9fc30811376b50f6def1f9fbe39efb8222e21d486f41451766a2d785a6c42 |
C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat
| MD5 | 1d429224c36a674a8013274684ae2159 |
| SHA1 | 754b831a23a01464d9f1af44dbef6f9d42640059 |
| SHA256 | d2bc01deb0a039bda1f639df0b6e40b7bf8d770d58ed028499ae1414d957d2f4 |
| SHA512 | 145f0b406550e3bdfd1b49ab361ba1d3503240cf0981cf3fc2258b3db0c6eb5ce60de6ef23d6f930f1f0a3a07ccbc39eae0085697100b4afe9792077094258af |
memory/1996-683-0x0000000000000000-mapping.dmp
C:\Program Files\Microsoft Office\Office16\dwm.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/3860-684-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log
| MD5 | d63ff49d7c92016feb39812e4db10419 |
| SHA1 | 2307d5e35ca9864ffefc93acf8573ea995ba189b |
| SHA256 | 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12 |
| SHA512 | 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a |
memory/3860-687-0x0000000001420000-0x0000000001432000-memory.dmp
memory/2380-688-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\B7rL9EqqPR.bat
| MD5 | 4895d78da64f726fa01aa98478276f34 |
| SHA1 | e0a106b1b4c6b00d357e90fb89c4ff27c12cc03f |
| SHA256 | 42ad4e28cb03acd14a3b76a076dc071d99925df617048b99693ee1974a0344c9 |
| SHA512 | 2073b3a16ed58a6b3f99096827f183b5b41f55fc3dcf12a20e49783721708034fbab4d2db05c2b8dda84320daf8adf224af33c3df3f54d225b1774da892907b2 |
memory/1740-690-0x0000000000000000-mapping.dmp
memory/1528-691-0x0000000000000000-mapping.dmp
C:\Program Files\Microsoft Office\Office16\dwm.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4600-693-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\J6RTVEKunr.bat
| MD5 | 4f40380268be2c839eae02aaf01869cc |
| SHA1 | 46aeaa02d8f1e16cf30ce0dda686513e4e98460a |
| SHA256 | 6be02d425f570a261164f444d9a942da6f9839b6e9acbad97cf3b914b1a54b67 |
| SHA512 | e8c0226346e23c7a1921bc4b5ff48721d327efa80f5116e284c1e1da92decf1b4a39ff85af71be01446926b8bedadd90346a347b306bc9813c7815691ec2fbb1 |
memory/1352-695-0x0000000000000000-mapping.dmp
C:\Program Files\Microsoft Office\Office16\dwm.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4688-696-0x0000000000000000-mapping.dmp
memory/4688-698-0x0000000000A60000-0x0000000000A72000-memory.dmp
memory/2316-699-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\16sHyqWYU0.bat
| MD5 | ecf7e51026ef2cf4b552b29d840d9384 |
| SHA1 | e8a867779a74358255c5dcdb155e6699c96b2304 |
| SHA256 | 8691013f802abc3db2a484d6c773855f7c4f79d98fad200469da1aaa26bc539d |
| SHA512 | 26d351417b5498b48b6ffa85b3582ff7e1b4b216536de7acadbc063cc5f3374128ce1821b898c72d7105aa1eabc114fd76f87ca1b7566ac4744714fab77eea41 |
memory/3684-701-0x0000000000000000-mapping.dmp
memory/4480-702-0x0000000000000000-mapping.dmp
C:\Program Files\Microsoft Office\Office16\dwm.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4480-704-0x0000000000E50000-0x0000000000E62000-memory.dmp
memory/5044-705-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\SpZgFYZT4y.bat
| MD5 | 33299661f688879fce4173b5240b234b |
| SHA1 | 0b30dbfd77f612caafe353e34a6b99d46f50c7c0 |
| SHA256 | 57eb29886b0f4df8f94180b35d2980476bcba1acff5daf5c1fc60dc20394feb0 |
| SHA512 | 36ef5166229266d17eb07f5e8ae5ec8f13888052d8476b6f3cc6bae0019c4e1729c4ed11fc6eb9bca834b8b70e4f575de3fd1490c26619d7ad22610633bc135d |
memory/4400-707-0x0000000000000000-mapping.dmp
memory/4024-708-0x0000000000000000-mapping.dmp
C:\Program Files\Microsoft Office\Office16\dwm.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4072-710-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\uSuCPwp4Rh.bat
| MD5 | 494551f3fc071e845a7f9b83743c7322 |
| SHA1 | 1b2789aae46881097910310bb56dfa4bab64618e |
| SHA256 | 5f8b8a202dce7362610557565f48257256353c7ba46a84c0c87f473d15af9c2e |
| SHA512 | d5c33cf4335e69cc3cd670b35e13785ddf1dbc34958b52fe838bca31ad1349e9869b8c33d76b2b78182eb5ebf7f0bf0144aa3af773bd74d401cbcf67efb1ff05 |
memory/2876-712-0x0000000000000000-mapping.dmp
memory/364-713-0x0000000000000000-mapping.dmp
C:\Program Files\Microsoft Office\Office16\dwm.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4736-715-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat
| MD5 | 0ef27021033d732527dd35e5040cec94 |
| SHA1 | 2023ae7e0f5312e8644ea580fb1a188d37bf8328 |
| SHA256 | a9d591bc38b631588f0356c0915122f4ad8fdd40f5a28073f05bbccca049d4f7 |
| SHA512 | 1ff1311740849b3ec00fdca5728647d7c7727adf4071ec8066685ceef3dfd0663e77665f267446dcb9e8d4357cb890e82667565535f9be9950b75ec5c8b6c241 |
memory/4940-717-0x0000000000000000-mapping.dmp
memory/5068-718-0x0000000000000000-mapping.dmp
C:\Program Files\Microsoft Office\Office16\dwm.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/1620-720-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\uSuCPwp4Rh.bat
| MD5 | 494551f3fc071e845a7f9b83743c7322 |
| SHA1 | 1b2789aae46881097910310bb56dfa4bab64618e |
| SHA256 | 5f8b8a202dce7362610557565f48257256353c7ba46a84c0c87f473d15af9c2e |
| SHA512 | d5c33cf4335e69cc3cd670b35e13785ddf1dbc34958b52fe838bca31ad1349e9869b8c33d76b2b78182eb5ebf7f0bf0144aa3af773bd74d401cbcf67efb1ff05 |
memory/2468-722-0x0000000000000000-mapping.dmp
memory/2496-723-0x0000000000000000-mapping.dmp
C:\Program Files\Microsoft Office\Office16\dwm.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2496-725-0x0000000000EA0000-0x0000000000EB2000-memory.dmp
memory/4676-726-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5DPJyftqFq.bat
| MD5 | 7f0a5c496fc4beb813ee224c2bb1f5d6 |
| SHA1 | c2f0600740976b8e40019248169bc77feae3b4d1 |
| SHA256 | cd8d486e512a4047f862fcbf15eb4c63e34b96e64bd8cbeda813661c6b9ae60e |
| SHA512 | 739d406b9a38307be967c0a018da7b6602bf677b1fa20000db2d7872a63fa36d35fac3d797c0545ddef7249b6603fcc95c6e87f1ead9eac2ed3f3f9d98cca34c |
memory/4068-728-0x0000000000000000-mapping.dmp
memory/4052-729-0x0000000000000000-mapping.dmp
C:\Program Files\Microsoft Office\Office16\dwm.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/5096-731-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\paq62miIo8.bat
| MD5 | 9efbd391c42fb31a049f05e7539431de |
| SHA1 | fd27654b93437e680919329b57624c328ac76297 |
| SHA256 | 618a9d2368ee8366d6c6eff9dc986df3f4ad654db78fa676de44d6e033b031b1 |
| SHA512 | 23ae80c7bbaa9ed9be81d8aafa4f6d461a4e7f026b7350d63719b363bdb07ab8632bf589c932172057c4554edce8ea1e3dcecc91127adff2348a3b2aaa30f2b3 |
memory/3820-733-0x0000000000000000-mapping.dmp
memory/4780-734-0x0000000000000000-mapping.dmp
C:\Program Files\Microsoft Office\Office16\dwm.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4852-736-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\KqyXtY4PgZ.bat
| MD5 | 9c54e27457be84f4aa6697927c9634f8 |
| SHA1 | 62ec55b0e07f191e0e93ff00468426ef89213331 |
| SHA256 | 24aea579e2526d45bd2635dba6bf158345d83be5a5902ec6a8c23ca2f945e969 |
| SHA512 | 6624f800b0e851403d47c1f90ae4f9a375d7f705a2d57f35ef10c759996af662452c3b62f14763021872681be990ee99eaf2cb6dd4c9d4c2ec84e4f53a492149 |
memory/3580-738-0x0000000000000000-mapping.dmp
memory/3196-739-0x0000000000000000-mapping.dmp
C:\Program Files\Microsoft Office\Office16\dwm.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/3920-741-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\IuwUCT1VMm.bat
| MD5 | 123df20c0306b5114cdeeef6ccc26bad |
| SHA1 | cccffa5ab170a8219a6ce002d1182025fa8af625 |
| SHA256 | d8bf7a31102c11a47d83844c37946bdfd6239d60e6d0fdf925fb529da084d793 |
| SHA512 | 1a821441c62e5ea339f5d707289ca15895c9be0126f5e5d532b102ff5843cec88329d0c4776d3e60683fd48cefd43d23cfb930b255ca024670f9e893998db473 |
memory/1940-743-0x0000000000000000-mapping.dmp
memory/5032-744-0x0000000000000000-mapping.dmp
C:\Program Files\Microsoft Office\Office16\dwm.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/5032-746-0x0000000000820000-0x0000000000832000-memory.dmp
memory/4900-747-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Ys8lvSze9b.bat
| MD5 | 532b5301a9208c53f7f872a63a97ec57 |
| SHA1 | 2b9a35d9975820c0c9285a15ee6632ca63b26d83 |
| SHA256 | 37e51aec12ad6c2ed8aaf638d31a1b84063f7b1856912d604b1a5781c05f9059 |
| SHA512 | b53a3e0c70c5e6ef6d1353909374ca04ea2aa4394593ecf18b976a8497ec984162aab16a98fd20f7722067c1bf20b980e5647e7b4ab08a9e77694f68caf26209 |
memory/5004-749-0x0000000000000000-mapping.dmp