Analysis Overview
SHA256
bc2a2580b0ffce4c0a2ae3cb4686209ff2d921a5dc0c69106eaba2e1ff4be41f
Threat Level: Known bad
The file bc2a2580b0ffce4c0a2ae3cb4686209ff2d921a5dc0c69106eaba2e1ff4be41f was found to be: Known bad.
Malicious Activity Summary
Dcrat family
Process spawned unexpected child process
DCRat payload
DcRat
DCRat payload
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-01 10:36
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-01 10:36
Reported
2022-11-01 10:39
Platform
win10-20220812-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
(48 identical hits, one per schtasks.exe /create invocation listed under Processes)
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(16 identical hits; the sandbox recorded no indicator, process or target for this signature)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Users\All Users\csrss.exe | N/A |
(12 identical hits, one per csrss.exe launch listed under Processes)
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\7-Zip\ea9f0e6c9e2dcd | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft.NET\dllhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft.NET\5940a34987c991 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows NT\TableTextService\en-US\spoolsv.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows NT\TableTextService\en-US\f3b6ecef712a24 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Multimedia Platform\winlogon.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Multimedia Platform\cc11b995f2a76d | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\7-Zip\taskhostw.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\PolicyDefinitions\en-US\cmd.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\PolicyDefinitions\en-US\ebf1f9fa8afd6d | C:\providercommon\DllCommonsvc.exe | N/A |
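The two "Drops file" tables above show the same shape five times: a copy of the payload under a Windows binary name (taskhostw.exe, dllhost.exe, spoolsv.exe, winlogon.exe, cmd.exe) written into a directory that never legitimately holds that binary, with a companion file of 14 lowercase hex characters and no extension beside it. The following is an added example, not code from the sandbox or from the malware: it runs that pairing hunt over file-create events as a Sysmon Event ID 11 feed would supply them. The (path, creating_process) record shape and the benign control rows are assumptions; the malicious rows are copied from the tables above.

```python
"""Hunt for the DCRat drop pattern: a dropped .exe beside a 14-hex companion
file, both written to the same directory by the same process.
Added example; record shape and the benign control are constructed."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Companion-file name length as observed in this report (no extension).
RE_COMPANION = re.compile(r"^[0-9a-f]{14}$")


@dataclass(frozen=True)
class DropPair:
    directory: str
    exe: str
    companion: str
    process: str


def find_drop_pairs(events: list[tuple[str, str]]) -> list[DropPair]:
    """Group file-create events by (directory, creating process) and report
    every group that contains both an .exe and a 14-hex companion file."""
    groups: dict[tuple[str, str], list[str]] = defaultdict(list)
    for path, proc in events:
        directory, _, name = path.replace("/", "\\").rpartition("\\")
        groups[(directory, proc)].append(name)
    pairs = []
    for (directory, proc), names in groups.items():
        exes = sorted(n for n in names if n.lower().endswith(".exe"))
        comps = sorted(n for n in names if RE_COMPANION.match(n))
        for exe in exes:
            for comp in comps:
                pairs.append(DropPair(directory, exe, comp, proc))
    return sorted(pairs, key=lambda p: p.directory.lower())


DROPPER = r"C:\providercommon\DllCommonsvc.exe"
# Constructed from the 'File created' rows above, plus one benign control.
SAMPLE_EVENTS = [
    (r"C:\Program Files\7-Zip\ea9f0e6c9e2dcd", DROPPER),
    (r"C:\Program Files (x86)\Microsoft.NET\dllhost.exe", DROPPER),
    (r"C:\Program Files (x86)\Microsoft.NET\5940a34987c991", DROPPER),
    (r"C:\Program Files\Windows NT\TableTextService\en-US\spoolsv.exe", DROPPER),
    (r"C:\Program Files\Windows NT\TableTextService\en-US\f3b6ecef712a24", DROPPER),
    (r"C:\Program Files (x86)\Windows Multimedia Platform\winlogon.exe", DROPPER),
    (r"C:\Program Files (x86)\Windows Multimedia Platform\cc11b995f2a76d", DROPPER),
    (r"C:\Program Files\7-Zip\taskhostw.exe", DROPPER),
    (r"C:\Windows\PolicyDefinitions\en-US\cmd.exe", DROPPER),
    (r"C:\Windows\PolicyDefinitions\en-US\ebf1f9fa8afd6d", DROPPER),
    # Benign control (constructed): an installer writing an exe and its config.
    (r"C:\Program Files\Vendor\app.exe", r"C:\Users\Admin\Downloads\setup.exe"),
    (r"C:\Program Files\Vendor\app.exe.config", r"C:\Users\Admin\Downloads\setup.exe"),
]

if __name__ == "__main__":
    for p in find_drop_pairs(SAMPLE_EVENTS):
        print(f"{p.directory}: {p.exe} + {p.companion}  (by {p.process})")
```

Grouping by creating process as well as directory keeps an installer that writes an .exe next to unrelated short-named files from lining up with a drop made by a different process; on a real host, feed the function the file-create events of the last few minutes and treat any pair as a lead to the dropper named in its `process` field.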
Enumerates physical storage devices
Creates scheduled task(s)
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\bc2a2580b0ffce4c0a2ae3cb4686209ff2d921a5dc0c69106eaba2e1ff4be41f.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | C:\Users\All Users\csrss.exe | N/A |
(12 identical hits from csrss.exe, one per launch listed under Processes)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bc2a2580b0ffce4c0a2ae3cb4686209ff2d921a5dc0c69106eaba2e1ff4be41f.exe
"C:\Users\Admin\AppData\Local\Temp\bc2a2580b0ffce4c0a2ae3cb4686209ff2d921a5dc0c69106eaba2e1ff4be41f.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Downloads\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\Downloads\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\7-Zip\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\odt\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\odt\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Desktop\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\en-US\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\en-US\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Searches\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Searches\wininit.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Desktop\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\OfficeClickToRun.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\en-US\cmd.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Searches\wininit.exe'
C:\Users\All Users\csrss.exe
"C:\Users\All Users\csrss.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\en-US\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\taskhostw.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Downloads\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Searches\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\PolicyDefinitions\en-US\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Desktop\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Desktop\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\odt\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\odt\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\taskhostw.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\odt\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Downloads\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rjTee716Rl.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\All Users\csrss.exe
"C:\Users\All Users\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vkfoWdc5zM.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\All Users\csrss.exe
"C:\Users\All Users\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rjTee716Rl.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\All Users\csrss.exe
"C:\Users\All Users\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FFH8oguQ3d.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\All Users\csrss.exe
"C:\Users\All Users\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\All Users\csrss.exe
"C:\Users\All Users\csrss.exe"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sodlpYYBfa.bat"
C:\Users\All Users\csrss.exe
"C:\Users\All Users\csrss.exe"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\owZfSNRP11.bat"
C:\Users\All Users\csrss.exe
"C:\Users\All Users\csrss.exe"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat"
C:\Users\All Users\csrss.exe
"C:\Users\All Users\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e2wUPJtRJp.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\All Users\csrss.exe
"C:\Users\All Users\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QLPJAVlmCt.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\All Users\csrss.exe
"C:\Users\All Users\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zi4n06VBpB.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\All Users\csrss.exe
"C:\Users\All Users\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
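The process list above is the whole persistence chain in one place: the VBE stage runs a batch file that launches DllCommonsvc.exe, which registers dozens of scheduled tasks (ONLOGON and every few MINUTEs, mostly with /rl HIGHEST) whose actions are copies of the payload named after Windows binaries but living in Program Files, Recovery, odt, Default user and All Users directories, adds a Defender exclusion for every copy with Add-MpPreference, and then loops: a batch file in Temp, a w32tm /stripchart query against localhost used as a delay, and a relaunch of csrss.exe. The following is an added example, not code from the sandbox or from DCRat, that turns those observations into detection logic over process-creation records (parent image, image, command line, as Sysmon Event ID 1 or an EDR feed would give them). The record field names, the `Finding` type and the benign control row are assumptions; the malicious command lines are copied from the list above.

```python
"""Flag the persistence techniques visible in this report's process list:
masquerading scheduled tasks, /rl HIGHEST, Defender exclusions, the w32tm
localhost delay, and schtasks.exe spawned by wmiprvse.exe.
Added example; record shape and the benign control are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Where the binaries named below legitimately live.
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Windows binary names the sample reuses for its copies (from the /tr targets above).
SYSTEM_BINARY_NAMES = {
    "csrss.exe", "smss.exe", "winlogon.exe", "wininit.exe", "services.exe",
    "spoolsv.exe", "dllhost.exe", "taskhostw.exe", "fontdrvhost.exe", "cmd.exe",
}

RE_TN = re.compile(r'/tn\s+"?([^"\s]+)"?', re.I)
RE_SC = re.compile(r"/sc\s+(\w+)", re.I)
RE_MO = re.compile(r"/mo\s+(\d+)", re.I)
# /tr "'C:\path with spaces\x.exe'"  or  /tr "C:\x.exe args"  or  /tr C:\x.exe
RE_TR = re.compile(r'''/tr\s+(?:"'?([^"']+?)'?"|(\S+))''', re.I)
RE_RL = re.compile(r"/rl\s+(\w+)", re.I)
RE_EXCL = re.compile(r'''Add-MpPreference\s+-ExclusionPath\s+['"]([^'"]+)['"]''', re.I)
RE_W32TM = re.compile(r"\bw32tm\b.*?/stripchart\b.*?/computer:localhost\b", re.I)


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def _split(path: str) -> tuple[str, str]:
    """Return (lowercased directory, lowercased file name) of a Windows path."""
    d, _, name = path.replace("/", "\\").rpartition("\\")
    return d.lower(), name.lower()


def check_schtasks(cmdline: str) -> list[Finding]:
    """schtasks /create whose action is a system-binary name outside System32,
    and any task requested with /rl HIGHEST."""
    if "/create" not in cmdline.lower():
        return []
    tr = RE_TR.search(cmdline)
    if not tr:
        return []
    target = tr.group(1) or tr.group(2)
    # /tr may carry arguments after the program; keep only the program path.
    prog = re.split(r"(?<=\.exe)\s+", target, maxsplit=1, flags=re.I)[0]
    directory, name = _split(prog)
    tn = RE_TN.search(cmdline)
    task = tn.group(1) if tn else "?"
    sc, mo = RE_SC.search(cmdline), RE_MO.search(cmdline)
    sched = (sc.group(1).upper() if sc else "?") + (f"/{mo.group(1)}" if mo else "")
    findings = []
    if name in SYSTEM_BINARY_NAMES and directory not in EXPECTED_DIRS:
        findings.append(Finding("masquerading_task", f"{task} ({sched}) -> {prog}"))
    rl = RE_RL.search(cmdline)
    if rl and rl.group(1).upper() == "HIGHEST":
        findings.append(Finding("highest_runlevel", f"{task} -> {prog}"))
    return findings


def check_defender_exclusion(cmdline: str) -> list[Finding]:
    m = RE_EXCL.search(cmdline)
    return [Finding("defender_exclusion", m.group(1))] if m else []


def check_w32tm_sleep(cmdline: str) -> list[Finding]:
    # Sampling localhost's own clock yields nothing; the sample uses the
    # call as a short delay before relaunching csrss.exe.
    return [Finding("w32tm_sleep", cmdline.strip())] if RE_W32TM.search(cmdline) else []


def check_parent(parent: str, image: str) -> list[Finding]:
    if _split(parent)[1] == "wmiprvse.exe" and _split(image)[1] == "schtasks.exe":
        return [Finding("wmiprvse_spawns_schtasks", f"{parent} -> {image}")]
    return []


def analyze(events: list[dict]) -> list[Finding]:
    findings: list[Finding] = []
    for ev in events:
        cmd = ev.get("cmdline", "")
        findings += check_parent(ev.get("parent", ""), ev.get("image", ""))
        findings += check_schtasks(cmd)
        findings += check_defender_exclusion(cmd)
        findings += check_w32tm_sleep(cmd)
    return findings


WMI = r"C:\Windows\system32\wbem\wmiprvse.exe"
SCHTASKS = r"C:\Windows\system32\schtasks.exe"
# Constructed records; the malicious command lines are copied from the report.
SAMPLE_EVENTS = [
    {"parent": WMI, "image": SCHTASKS,
     "cmdline": r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f'''},
    {"parent": WMI, "image": SCHTASKS,
     "cmdline": r'''schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\PolicyDefinitions\en-US\cmd.exe'" /f'''},
    {"parent": r"C:\providercommon\DllCommonsvc.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": '"powershell" -Command Add-MpPreference -ExclusionPath ' + r"'C:\odt\services.exe'"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\system32\w32tm.exe",
     "cmdline": "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"},
    # Benign control (constructed): the real cmd.exe from System32, no elevation.
    {"parent": r"C:\Windows\System32\cmd.exe", "image": SCHTASKS,
     "cmdline": r'''schtasks.exe /create /tn "Backup" /sc DAILY /tr "C:\Windows\System32\cmd.exe /c backup.bat" /f'''},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.kind:26} {f.detail}")
```

The directory check is what separates the masquerading copies from the genuine binaries: the control row schedules the real C:\Windows\System32\cmd.exe and produces nothing, while the same name under PolicyDefinitions\en-US does. The Defender-exclusion and wmiprvse-parent checks need no allowlist at all; on a managed estate neither event has a routine explanation.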
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
(12 identical TCP connections to 185.199.108.133:443)
Files
memory/3040-118-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-119-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-120-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-121-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-123-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-124-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-126-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-127-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-128-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-129-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-130-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-131-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-132-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-133-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-136-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-137-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-138-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-139-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-135-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-134-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-140-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-141-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-142-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-145-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-147-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-146-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-144-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-143-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-148-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-150-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-151-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-152-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-149-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-153-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-154-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-157-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-159-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-160-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-158-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-162-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-161-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-163-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-156-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-155-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-164-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-165-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-167-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-168-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-170-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-172-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-171-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-169-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-166-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-173-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-174-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-176-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-175-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-177-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-178-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-179-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-180-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/4512-182-0x0000000000000000-mapping.dmp
memory/4512-184-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/4512-183-0x00000000779B0000-0x0000000077B3E000-memory.dmp
memory/3040-181-0x00000000779B0000-0x0000000077B3E000-memory.dmp
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
memory/4272-258-0x0000000000000000-mapping.dmp
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/3200-284-0x0000000000B00000-0x0000000000C10000-memory.dmp
memory/3200-281-0x0000000000000000-mapping.dmp
memory/3200-285-0x0000000001120000-0x0000000001132000-memory.dmp
memory/3200-286-0x00000000011A0000-0x00000000011AC000-memory.dmp
memory/3200-288-0x0000000001190000-0x000000000119C000-memory.dmp
memory/3200-287-0x0000000001130000-0x000000000113C000-memory.dmp
memory/1456-308-0x0000000000000000-mapping.dmp
memory/2880-322-0x0000000000000000-mapping.dmp
memory/4192-327-0x0000000000000000-mapping.dmp
memory/4480-349-0x0000000000000000-mapping.dmp
C:\ProgramData\csrss.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
C:\Users\All Users\csrss.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/1556-317-0x0000000000000000-mapping.dmp
memory/1272-313-0x0000000000000000-mapping.dmp
memory/1856-375-0x000001F023460000-0x000001F023482000-memory.dmp
memory/4024-305-0x0000000000000000-mapping.dmp
memory/4632-302-0x0000000000000000-mapping.dmp
memory/2220-299-0x0000000000000000-mapping.dmp
memory/4384-298-0x0000000000000000-mapping.dmp
memory/2940-296-0x0000000000000000-mapping.dmp
memory/4720-295-0x0000000000000000-mapping.dmp
memory/3964-294-0x0000000000000000-mapping.dmp
memory/2432-293-0x0000000000000000-mapping.dmp
memory/2424-292-0x0000000000000000-mapping.dmp
memory/2656-291-0x0000000000000000-mapping.dmp
memory/2584-290-0x0000000000000000-mapping.dmp
memory/1856-289-0x0000000000000000-mapping.dmp
memory/4480-378-0x0000000000F20000-0x0000000000F32000-memory.dmp
memory/4720-385-0x000001956A020000-0x000001956A096000-memory.dmp
memory/4296-822-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\rjTee716Rl.bat
| MD5 | d8436e603c13087316e53ab671b5893a |
| SHA1 | 3409396af56e0937041ede0820568170420ab7a6 |
| SHA256 | 0cfe15f3a58649400db0dc5b6b2bd0f2d3adfda1b217c2069aca1abec512be3e |
| SHA512 | 89be234f512df5287e2762706a762d5458f86998ea170c1e48bda202604df52e47990f556051e13363877142e02747b4c828ef17f9f2a6b806be615512af2bfb |
memory/5204-824-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 698e59ab096269a07e296f0b0a496e76 |
| SHA1 | e13d07f641653de5e5119d7aec540cccddc3ea08 |
| SHA256 | 3c2261e6a1d3975c5dc33278e5a2edcbd5cc572f706d35f15ffc9b4e28cd10b2 |
| SHA512 | c3a9791c897ccb3d75c5fd7c51e2a45c7b03e432305f8bada98fb04d916abf1ca813bd0b8575efc623120334259766057323c85ddd4052bbac047e97f8ab7da1 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | ad5cd538ca58cb28ede39c108acb5785 |
| SHA1 | 1ae910026f3dbe90ed025e9e96ead2b5399be877 |
| SHA256 | c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033 |
| SHA512 | c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1da862ba22475ca1536507f73dacb692 |
| SHA1 | f17e2b4cccd3646c3feed02c7f13837547fc2f22 |
| SHA256 | 19bb5d3d4af66439ebc33cab1b498e2ce1ff7a34aebc735070be1670881eeb1e |
| SHA512 | 62282301403661ba3f9b2980a561bc225cda7190e10ed7812d11def4f68ac51e6ff68a2306cb5152c2fab06f22f571f1f95d2b2a807d4dc0835fc9658ede130c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0bdfaa14d7814b541a77f4e97920dfd6 |
| SHA1 | c239720eee47db7f7136bb78e37c539b9e735c4c |
| SHA256 | 4c8946ef444ac60d731d674ad3d32a42edcd2a8d5fc984366f7c09eb24f5a272 |
| SHA512 | dfa795a1fd4fc852064cfdf93602899685bf9c13c7c326feca76fc7f97f92662342c52b79b447bcbc20cd55ea724742a499ad8da8e7770377a3e04ae52351608 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0bdfaa14d7814b541a77f4e97920dfd6 |
| SHA1 | c239720eee47db7f7136bb78e37c539b9e735c4c |
| SHA256 | 4c8946ef444ac60d731d674ad3d32a42edcd2a8d5fc984366f7c09eb24f5a272 |
| SHA512 | dfa795a1fd4fc852064cfdf93602899685bf9c13c7c326feca76fc7f97f92662342c52b79b447bcbc20cd55ea724742a499ad8da8e7770377a3e04ae52351608 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0bdfaa14d7814b541a77f4e97920dfd6 |
| SHA1 | c239720eee47db7f7136bb78e37c539b9e735c4c |
| SHA256 | 4c8946ef444ac60d731d674ad3d32a42edcd2a8d5fc984366f7c09eb24f5a272 |
| SHA512 | dfa795a1fd4fc852064cfdf93602899685bf9c13c7c326feca76fc7f97f92662342c52b79b447bcbc20cd55ea724742a499ad8da8e7770377a3e04ae52351608 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b47618e8327408c2eb96aec02d9f245e |
| SHA1 | a055f9088f7673920930de0aa3fb0f824b3e2a7c |
| SHA256 | 08559caa6c886bfa38511e7e3e22f1fe442abf407986e0a472ab7da9f04a5bd8 |
| SHA512 | 26315346754f97cced7bd3df028f24f384de96ca05bc8f58ab2040337a64ca0a28e158ea07637bb8b93a3fe276354cf214965cf0391d85351ef1d0133816ff32 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b47618e8327408c2eb96aec02d9f245e |
| SHA1 | a055f9088f7673920930de0aa3fb0f824b3e2a7c |
| SHA256 | 08559caa6c886bfa38511e7e3e22f1fe442abf407986e0a472ab7da9f04a5bd8 |
| SHA512 | 26315346754f97cced7bd3df028f24f384de96ca05bc8f58ab2040337a64ca0a28e158ea07637bb8b93a3fe276354cf214965cf0391d85351ef1d0133816ff32 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5810dda934c3202f1d79f9681de38eb2 |
| SHA1 | b29043024eef221ad0b5f508325a7e3ac3ecb73d |
| SHA256 | dac3c0c6cecbbc01020ede2207398276ee59dca0020da50ca5b131724a528086 |
| SHA512 | 276d1051d0fd6b2d7897949d0f33f5ff76535fa16927896cf2e974afa0654eada4087a23bf987ed80de35fdf3c185cc9f956239405d00d1f6e8e2a946e5d4b4c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b47618e8327408c2eb96aec02d9f245e |
| SHA1 | a055f9088f7673920930de0aa3fb0f824b3e2a7c |
| SHA256 | 08559caa6c886bfa38511e7e3e22f1fe442abf407986e0a472ab7da9f04a5bd8 |
| SHA512 | 26315346754f97cced7bd3df028f24f384de96ca05bc8f58ab2040337a64ca0a28e158ea07637bb8b93a3fe276354cf214965cf0391d85351ef1d0133816ff32 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c56b052a640b53815754876f27acbbae |
| SHA1 | 5ac6bfd91c9f89c99c51e8704d6b0c4d6e290a7f |
| SHA256 | 5815d928040f07653c14eb83ccafd7f9d58342c52fecd6f9c6c565b4506a55e4 |
| SHA512 | 816ffc96846f7fda32351bb42410adceb797cba5c4f1559cde5549db0cfccd6ea03384862e85a7183532ca9d44187d5f93702a7dde648eee9f06100e11789707 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b2a5f8ad4cf63c7ec3d249873f04471d |
| SHA1 | a12785d6badef2e939375cb245bd78ab9f14ca21 |
| SHA256 | eb0e8a5a8ec4136db4e0c9e6649ed012c7bd18954f530ad2293a0678c6e68476 |
| SHA512 | 56902a74fc1c7458bdcb895f38d3cfb83e0e7f0b7326753b52a0f8c0acfaf0a885e0e1aa0e27e311477ffabfd857ed6b7cd80f5c90fd1d06a817885571821a87 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 45993efc2e7a9364ea82fe0e177126b3 |
| SHA1 | fe371fe6cc4396630beca58dc58ddba3a97309ed |
| SHA256 | a5732f6a1c95ebce5fbcde32d72f592dc76169138e7c74cd8798e60a5f2989cc |
| SHA512 | babb9cfd9377f023dcc818e59fee9733d1fecba73343a32b384e48de9795a94789aa8b8a2ad0d935e9a7a79689263ebfee3c2b24bb4d90cf5e6a6dc139787af0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 45993efc2e7a9364ea82fe0e177126b3 |
| SHA1 | fe371fe6cc4396630beca58dc58ddba3a97309ed |
| SHA256 | a5732f6a1c95ebce5fbcde32d72f592dc76169138e7c74cd8798e60a5f2989cc |
| SHA512 | babb9cfd9377f023dcc818e59fee9733d1fecba73343a32b384e48de9795a94789aa8b8a2ad0d935e9a7a79689263ebfee3c2b24bb4d90cf5e6a6dc139787af0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bbded89b2de33483fdb82a576dd87516 |
| SHA1 | 73849b4d89703e24dd3357655a37997aa42a1dfd |
| SHA256 | 2d48a16de458837ee98cc5868707a279502add89be530b6e9a08c0426c296559 |
| SHA512 | 2bd9f608455801322e3718fdfee0d522c7616258cfcb3edc9af2d924fca5291e4f043183af6fb1bfff476dcb157338df070ed7dd80de20e328a4927b8da82fa7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bbded89b2de33483fdb82a576dd87516 |
| SHA1 | 73849b4d89703e24dd3357655a37997aa42a1dfd |
| SHA256 | 2d48a16de458837ee98cc5868707a279502add89be530b6e9a08c0426c296559 |
| SHA512 | 2bd9f608455801322e3718fdfee0d522c7616258cfcb3edc9af2d924fca5291e4f043183af6fb1bfff476dcb157338df070ed7dd80de20e328a4927b8da82fa7 |
memory/5856-892-0x0000000000000000-mapping.dmp
C:\ProgramData\csrss.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log
| MD5 | d63ff49d7c92016feb39812e4db10419 |
| SHA1 | 2307d5e35ca9864ffefc93acf8573ea995ba189b |
| SHA256 | 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12 |
| SHA512 | 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a |
memory/5960-895-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\vkfoWdc5zM.bat
| MD5 | 1eaa1d36c1815a87e26bea0f8de4c840 |
| SHA1 | 62769a9c874a5d094b4333981384992e24218952 |
| SHA256 | 76ed85ce2d522d32eb528e5f42a38ba6a97d62c1cab5468ba2d1ffa5c0ef0cd3 |
| SHA512 | 0f3807422eb60f3339b8107b49ff7812314c61fa4c66ae588b10c64dd86f2134e4f61dfaece039880652ea718518b8ac6c1ce65f12f0977b654d8acde8b43449 |
memory/6016-897-0x0000000000000000-mapping.dmp
memory/6036-898-0x0000000000000000-mapping.dmp
C:\ProgramData\csrss.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/6140-900-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\rjTee716Rl.bat
| MD5 | d8436e603c13087316e53ab671b5893a |
| SHA1 | 3409396af56e0937041ede0820568170420ab7a6 |
| SHA256 | 0cfe15f3a58649400db0dc5b6b2bd0f2d3adfda1b217c2069aca1abec512be3e |
| SHA512 | 89be234f512df5287e2762706a762d5458f86998ea170c1e48bda202604df52e47990f556051e13363877142e02747b4c828ef17f9f2a6b806be615512af2bfb |
memory/4880-902-0x0000000000000000-mapping.dmp
memory/1848-903-0x0000000000000000-mapping.dmp
C:\ProgramData\csrss.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/5456-905-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\FFH8oguQ3d.bat
| MD5 | 9c3e866b6e48f0caf10f0d4b319a1bb8 |
| SHA1 | 016214373da362be65c7d16075dd0a332022d3d6 |
| SHA256 | 1b3e459d1e481f9ab74d3295c9ee26b476778306e8db3a1577f606738a8a287f |
| SHA512 | d854929706bcbd3b16e26779c3983b6f18efe88d0033b6843311709eb733ece3965bade60e19fdbf2294678e3369d914ef02ebd102d082a3f7d0a0ad73284d6b |
memory/5512-907-0x0000000000000000-mapping.dmp
memory/3144-908-0x0000000000000000-mapping.dmp
C:\ProgramData\csrss.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/3144-910-0x0000000001590000-0x00000000015A2000-memory.dmp
memory/4320-911-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat
| MD5 | bc52ad8e50178fed604143f8df646a48 |
| SHA1 | 0706d36d5389112d2d5d2ed101866f99ae8b60a7 |
| SHA256 | cefeaebf5f16bd7b1648967442cf0d9edcd08bbf276714074f05784f1dc4a464 |
| SHA512 | 28049b709ddb5910243af78f6d1ea830d33f75f82bb012ecb38dda469e15e0d3e53a1c46c4e57bd1541943b18d64d12cfedf8415e1b694433ee488adc791c686 |
memory/2176-913-0x0000000000000000-mapping.dmp
memory/5656-914-0x0000000000000000-mapping.dmp
C:\ProgramData\csrss.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4520-916-0x0000000000000000-mapping.dmp
memory/2584-918-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\sodlpYYBfa.bat
| MD5 | a49a125336fe55b13bb6a7085e477c6a |
| SHA1 | a1ddebf5260f17b6d52139ee8d1b5bbebadb03c0 |
| SHA256 | 51b127f9636c0094f59a86943db0a8bbaa266dafaa59565cc15ec403b3771814 |
| SHA512 | e42d10331535d0e977dd3d3d00ed18da63f967418b970eea32f2370af0e076b47b96f511662fc9556b7c30481bb03f5c8b8d318530659466df5bc8cb4c3853f2 |
C:\ProgramData\csrss.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/3548-919-0x0000000000000000-mapping.dmp
memory/4612-923-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\owZfSNRP11.bat
| MD5 | c8e31cc02b8071169fbf471e1b6d6a70 |
| SHA1 | b77177ac93f08c247ded529f49035b38c8f79d53 |
| SHA256 | 6fec3d93a524d3dbf331a7dd4921743e9449f7539fc0f086a8b7f1d4e013b559 |
| SHA512 | 95368ed4e5517bb257f2c7b6d615c95660da6a237ba3df7027366377cfeacd9c7f668d0969dd4299bd3066d0262b02a8efa86d96cb2c7b58ae31277cb0cf237a |
memory/3416-921-0x0000000000000000-mapping.dmp
memory/5616-924-0x0000000000000000-mapping.dmp
C:\ProgramData\csrss.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/5732-928-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat
| MD5 | 2702d12971298670ca83a570c40bbd33 |
| SHA1 | 6036aff5118d113f73355fba632e5139547e0407 |
| SHA256 | d3c00362da227874f5538b22363a0cf0f4bd37202aa5de026e259fdf86d438d4 |
| SHA512 | dc71ef40f2852407141b261ed61f7efa7ae1654039d8801891462a6c972651f408b93d22e078c4faffd27a0e4da5152c118679a6e9cd830b1fbd53c0fb24e61b |
memory/5668-926-0x0000000000000000-mapping.dmp
C:\ProgramData\csrss.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2536-929-0x0000000000000000-mapping.dmp
memory/1272-931-0x0000000000000000-mapping.dmp
memory/4144-933-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\e2wUPJtRJp.bat
| MD5 | db5583eb7a1843155f769705a1a2f121 |
| SHA1 | 8e698eb8dab8be9af5c0b3c60dc315cc925e85ac |
| SHA256 | 392d913501cb26441c83514a64f7d185d8c90b4cd004a889637140b22bf19208 |
| SHA512 | bb3cd2f4fb80adddf27ce81783bb3d77933aaa0469442a059872bea9de78d226fafbf2144874fd47d515e8bf8f8c11d7c311fa05f0a9d370d51b8c0169e063c9 |
C:\ProgramData\csrss.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/5032-934-0x0000000000000000-mapping.dmp
memory/4604-936-0x0000000000000000-mapping.dmp
memory/4804-938-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\QLPJAVlmCt.bat
| MD5 | 7580ce7dea2d4efa34d1f43a03ac5b8c |
| SHA1 | 79af2e4db7f10056b1e7b5a8d86b4625a8f280c4 |
| SHA256 | b915e3e0185f14a29cdd2298960f074038cc1a7525688f052e7f06f7f3aa73b9 |
| SHA512 | 69dcd263c3a85ce97dd34c9b8f152cd6a88535830ead6e03bbc6cf43e8af1bce8ef380576c6bea1723c68b159470f4314f26d7f98eb06b3be06e2a5a7c3fd0af |
memory/5376-939-0x0000000000000000-mapping.dmp
C:\ProgramData\csrss.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4564-941-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\zi4n06VBpB.bat
| MD5 | d461476fe82728a84172cc6c77780973 |
| SHA1 | 84aaab2e574ad653f779bb90b434cd39a86ffd30 |
| SHA256 | 1055a64283ef2d25a576c47bc6fe6f5a0be88cc79d7961baae644a6fd8cf9db6 |
| SHA512 | 3d9ada631d5365187f7879cb815a539f1b99071cf4771a19fe678d49e0214ff8423bf5497a862828c2f7f8a54175ed5c7a3bae7550e12548f02eb7b9c1ba3f72 |
memory/5100-943-0x0000000000000000-mapping.dmp
memory/5772-944-0x0000000000000000-mapping.dmp
C:\ProgramData\csrss.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/5772-946-0x0000000000960000-0x0000000000972000-memory.dmp
memory/3448-947-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat
| MD5 | ac94ea105d8ea37547c4e1a7f4220593 |
| SHA1 | 25542f659f28e5fc6a5e9438d471e2ed4a5a017c |
| SHA256 | 579822e23cdfd543b74265f45c3bfa0264d5ddcd20053bce76d67140dea5f166 |
| SHA512 | ce08377cd06883237e626804c15c843b17bfc0772cd68aa6a75ce1c8367ebaffd99ebaa88de9040370e7b48a33aeaa080a0f90aff2128f29535cfdef25e5f572 |
memory/5592-949-0x0000000000000000-mapping.dmp