Analysis Overview
SHA256
155d7adccca53d3529fe62e66f9f3bc70d957e86bb5b92c93add72267ee88c21
Threat Level: Known bad
The file 155d7adccca53d3529fe62e66f9f3bc70d957e86bb5b92c93add72267ee88c21 was found to be: Known bad.
Malicious Activity Summary
DcRat
Dcrat family
DCRat payload
Process spawned unexpected child process
DCRat payload
Executes dropped EXE
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-01 10:37
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-01 10:37
Reported
2022-11-01 10:40
Platform
win10v2004-20220812-en
Max time kernel
149s
Max time network
158s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe | N/A |
| N/A | N/A | C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\155d7adccca53d3529fe62e66f9f3bc70d957e86bb5b92c93add72267ee88c21.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Java\jdk1.8.0_66\db\csrss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Internet Explorer\24dbde2999530e | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\27d1bcfc3c54e0 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\dllhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Multimedia Platform\csrss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Multimedia Platform\886983d96e3d3e | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Security\BrowserCore\en-US\886983d96e3d3e | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Internet Explorer\WmiPrvSE.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\5940a34987c991 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\db\886983d96e3d3e | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\bcastdvr\fontdrvhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\bcastdvr\5b884080fd4f94 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-ui-search.resources_31bf3856ad364e35_10.0.19041.1_en-us_299a46570d801f23\dllhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\155d7adccca53d3529fe62e66f9f3bc70d957e86bb5b92c93add72267ee88c21.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | C:\providercommon\DllCommonsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | C:\providercommon\DllCommonsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings | C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\155d7adccca53d3529fe62e66f9f3bc70d957e86bb5b92c93add72267ee88c21.exe
"C:\Users\Admin\AppData\Local\Temp\155d7adccca53d3529fe62e66f9f3bc70d957e86bb5b92c93add72267ee88c21.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\providercommon\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Templates\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\Templates\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Templates\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\odt\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\odt\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\AccountPictures\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Users\Public\AccountPictures\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jdk1.8.0_66\db\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.8.0_66\db\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jdk1.8.0_66\db\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\SendTo\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\SendTo\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Default\SendTo\dllhost.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\cmd.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.8.0_66\db\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\SendTo\dllhost.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SUCJ61dYxH.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\bcastdvr\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Links\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\odt\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\providercommon\Registry.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\providercommon\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\providercommon\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Libraries\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\odt\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\providercommon\upfc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Libraries\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Libraries\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Links\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Links\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\bcastdvr\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\bcastdvr\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\odt\taskhostw.exe'" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Links\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\WmiPrvSE.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\upfc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\System.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dwm.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rPtAmVB8IZ.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\TrustedInstaller.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\lsass.exe'
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Registry.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\bcastdvr\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\wininit.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\taskhostw.exe'
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 11 /tr "'C:\providercommon\TrustedInstaller.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\providercommon\TrustedInstaller.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 5 /tr "'C:\providercommon\TrustedInstaller.exe'" /f
C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\38MS6cfT7h.bat"
C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9KWG0zl28.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qO35UmqwIy.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uOEGMIRuqZ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OoUlhQHDc2.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1CKPPXbanu.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PfMhC4n1i0.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe
"C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5AjNu1Vgdj.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
| Country | Destination | Domain | Proto |
| US | 8.238.20.126:80 | tcp | |
| US | 13.89.179.8:443 | tcp | |
| US | 8.238.20.126:80 | tcp | |
| US | 8.238.20.126:80 | tcp | |
| US | 8.253.208.120:80 | tcp | |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
Files
memory/2156-132-0x0000000000000000-mapping.dmp
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
memory/5116-135-0x0000000000000000-mapping.dmp
memory/2016-136-0x0000000000000000-mapping.dmp
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2016-139-0x0000000000DF0000-0x0000000000F00000-memory.dmp
memory/2016-140-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/4632-141-0x0000000000000000-mapping.dmp
memory/2300-142-0x0000000000000000-mapping.dmp
memory/1256-143-0x0000000000000000-mapping.dmp
memory/4320-144-0x0000000000000000-mapping.dmp
memory/3552-146-0x0000000000000000-mapping.dmp
memory/1928-145-0x0000000000000000-mapping.dmp
memory/2672-148-0x0000000000000000-mapping.dmp
memory/3812-147-0x0000000000000000-mapping.dmp
memory/3272-149-0x0000000000000000-mapping.dmp
memory/5076-152-0x0000000000000000-mapping.dmp
memory/3932-151-0x0000000000000000-mapping.dmp
memory/4700-150-0x0000000000000000-mapping.dmp
memory/1256-153-0x0000023D434A0000-0x0000023D434C2000-memory.dmp
memory/2912-154-0x0000000000000000-mapping.dmp
memory/2016-155-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/1256-157-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SUCJ61dYxH.bat
| MD5 | 818c7f0b2276aadac3d4e49c2ef4f735 |
| SHA1 | b7647281d839948bc0f9b2afd51a642ca782ce8e |
| SHA256 | f83f1265fc99f79716529f061a2f0c60e1feac59afcf31889566422e82e54c1b |
| SHA512 | 8d06b5e52d1e756a014a5f836ce50f47172278447cbd4cd38c7b14dcc53dd278f39dc697bd3e8eb39cdfcc9f62eb56f3271f142c4cdf918ba05399ae05140675 |
memory/2300-158-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/4320-159-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/1928-160-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/3552-162-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/3672-161-0x0000000000000000-mapping.dmp
memory/3812-163-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/2672-164-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/4632-165-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/3272-166-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
memory/3932-170-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a8e8360d573a4ff072dcc6f09d992c88 |
| SHA1 | 3446774433ceaf0b400073914facab11b98b6807 |
| SHA256 | bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b |
| SHA512 | 4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3a6bad9528f8e23fb5c77fbd81fa28e8 |
| SHA1 | f127317c3bc6407f536c0f0600dcbcf1aabfba36 |
| SHA256 | 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05 |
| SHA512 | 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3a6bad9528f8e23fb5c77fbd81fa28e8 |
| SHA1 | f127317c3bc6407f536c0f0600dcbcf1aabfba36 |
| SHA256 | 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05 |
| SHA512 | 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2 |
memory/4632-181-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/4320-180-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/1928-183-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3a6bad9528f8e23fb5c77fbd81fa28e8 |
| SHA1 | f127317c3bc6407f536c0f0600dcbcf1aabfba36 |
| SHA256 | 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05 |
| SHA512 | 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3a6bad9528f8e23fb5c77fbd81fa28e8 |
| SHA1 | f127317c3bc6407f536c0f0600dcbcf1aabfba36 |
| SHA256 | 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05 |
| SHA512 | 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2 |
memory/5076-188-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/3272-190-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e243a38635ff9a06c87c2a61a2200656 |
| SHA1 | ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc |
| SHA256 | af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f |
| SHA512 | 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4 |
memory/4700-192-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/3552-189-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3a6bad9528f8e23fb5c77fbd81fa28e8 |
| SHA1 | f127317c3bc6407f536c0f0600dcbcf1aabfba36 |
| SHA256 | 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05 |
| SHA512 | 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2 |
memory/3812-184-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/1256-182-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3a6bad9528f8e23fb5c77fbd81fa28e8 |
| SHA1 | f127317c3bc6407f536c0f0600dcbcf1aabfba36 |
| SHA256 | 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05 |
| SHA512 | 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3a6bad9528f8e23fb5c77fbd81fa28e8 |
| SHA1 | f127317c3bc6407f536c0f0600dcbcf1aabfba36 |
| SHA256 | 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05 |
| SHA512 | 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2 |
memory/5076-173-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/2672-176-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/2300-172-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cadef9abd087803c630df65264a6c81c |
| SHA1 | babbf3636c347c8727c35f3eef2ee643dbcc4bd2 |
| SHA256 | cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438 |
| SHA512 | 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085 |
memory/4700-169-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cadef9abd087803c630df65264a6c81c |
| SHA1 | babbf3636c347c8727c35f3eef2ee643dbcc4bd2 |
| SHA256 | cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438 |
| SHA512 | 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log
| MD5 | 7f3c0ae41f0d9ae10a8985a2c327b8fb |
| SHA1 | d58622bf6b5071beacf3b35bb505bde2000983e3 |
| SHA256 | 519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900 |
| SHA512 | 8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125 |
memory/964-193-0x0000000000000000-mapping.dmp
memory/964-196-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/4564-204-0x0000000000000000-mapping.dmp
memory/1928-212-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/4104-211-0x0000000000000000-mapping.dmp
memory/3988-215-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/3812-216-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/4684-214-0x0000000000000000-mapping.dmp
memory/1468-218-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/964-217-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/2948-213-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/2416-210-0x0000000000000000-mapping.dmp
memory/2712-219-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e243a38635ff9a06c87c2a61a2200656 |
| SHA1 | ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc |
| SHA256 | af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f |
| SHA512 | 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4 |
memory/4436-221-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/4456-209-0x0000000000000000-mapping.dmp
memory/2156-222-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/4652-208-0x0000000000000000-mapping.dmp
memory/1104-207-0x0000000000000000-mapping.dmp
memory/1104-223-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/2156-206-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\rPtAmVB8IZ.bat
| MD5 | 7b8a5b3bf5c31f319eb68bbcdf36e571 |
| SHA1 | 3a0aec688d5d23c13b9a011aadc7e55f96035d0f |
| SHA256 | 70aa85ba869b24f11722d6e2829145d4f94fbbdc60bdc37984b6d90d00eaa539 |
| SHA512 | 0050b93e5ef5782b124fbd6480a820cd4dd34a5d74e47fe83f0b4ceaafdbc7fab9a9afb802a2da2f9a71c03ff779fcb385b56c5b7c973e468347aeee19629a1f |
memory/4784-226-0x0000000000000000-mapping.dmp
memory/2416-224-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/4436-205-0x0000000000000000-mapping.dmp
memory/2712-203-0x0000000000000000-mapping.dmp
memory/1468-202-0x0000000000000000-mapping.dmp
memory/2836-201-0x0000000000000000-mapping.dmp
memory/3812-200-0x0000000000000000-mapping.dmp
memory/3988-199-0x0000000000000000-mapping.dmp
memory/2948-198-0x0000000000000000-mapping.dmp
memory/2836-227-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/1928-197-0x0000000000000000-mapping.dmp
memory/4564-228-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/4652-229-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/4456-230-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/4104-231-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/4652-233-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | aba273eeba4876ea41ee0e64b4cbb51d |
| SHA1 | bef5f75b81cf27268dc0d0f30f00b022f9288db9 |
| SHA256 | 67fc3f5c3407858793c6fac6131b0f340667ffc567fa76b43245ecf2621322c9 |
| SHA512 | 23dc2f0cfc68194dcbf407a6528cf9f9a8aa89f4821be22413bde036ae5ca44144b568aa3160372b9741f3d0f5baa48dff8a8b582bdedc3ad3fb121af340c0ae |
memory/3988-246-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/1104-254-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/4564-255-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/2416-258-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/4104-259-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0ba65aa52fa8ce41ab3c70d52101616d |
| SHA1 | fcc4a5db0a1efc4a6044f777f1328223a637e925 |
| SHA256 | deae2ab3ded0b0f4f46f47c40160e9d5c887ed923dc3870094579af4eb9bba6d |
| SHA512 | 6e0db2775282561c769636bb642df729c7b18c3f2d2e37eeaf54126b224043bdc143eb6db9266615790cacb231eda583a3f590a6411bea2965fa7c48caa9c8fe |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ec28c65997d5e7e11bf9ebe94ab13877 |
| SHA1 | 2eb97f0ed8fc9098e5a5f9b22cc663b0614fe3c5 |
| SHA256 | b46bf3b17b6aaba2d1912ad952aa93f203aef41df2353c2a9b11493feb7416ca |
| SHA512 | 5a4768e37c2e9ef3b28042b2f0c1c43e648d623a31ac3e2188c9f05a15ee1c80b623fdaa1c9c29753d7d14286b8cf973dfc59c74006ece379a5e3f4ab6e12963 |
memory/3812-252-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ec28c65997d5e7e11bf9ebe94ab13877 |
| SHA1 | 2eb97f0ed8fc9098e5a5f9b22cc663b0614fe3c5 |
| SHA256 | b46bf3b17b6aaba2d1912ad952aa93f203aef41df2353c2a9b11493feb7416ca |
| SHA512 | 5a4768e37c2e9ef3b28042b2f0c1c43e648d623a31ac3e2188c9f05a15ee1c80b623fdaa1c9c29753d7d14286b8cf973dfc59c74006ece379a5e3f4ab6e12963 |
memory/4436-253-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/1468-250-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 630925fcb263391208c4cb81f82a74b8 |
| SHA1 | be53a2370a22b80fad876eb2239b88a3e901d481 |
| SHA256 | ff5c4ee0eeedd6f8c606e76832d7c1c8b53003fb8897fde6c7a018a9c4a53df6 |
| SHA512 | e0ece9f8ff55c30211f9955b777653e072b576d8b1349e7f259750471d9ed300ad08f71de8623b1dc3cbdb3679b0439c0b21bc78323ed998a7ee07df78ce6fac |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ec28c65997d5e7e11bf9ebe94ab13877 |
| SHA1 | 2eb97f0ed8fc9098e5a5f9b22cc663b0614fe3c5 |
| SHA256 | b46bf3b17b6aaba2d1912ad952aa93f203aef41df2353c2a9b11493feb7416ca |
| SHA512 | 5a4768e37c2e9ef3b28042b2f0c1c43e648d623a31ac3e2188c9f05a15ee1c80b623fdaa1c9c29753d7d14286b8cf973dfc59c74006ece379a5e3f4ab6e12963 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 630925fcb263391208c4cb81f82a74b8 |
| SHA1 | be53a2370a22b80fad876eb2239b88a3e901d481 |
| SHA256 | ff5c4ee0eeedd6f8c606e76832d7c1c8b53003fb8897fde6c7a018a9c4a53df6 |
| SHA512 | e0ece9f8ff55c30211f9955b777653e072b576d8b1349e7f259750471d9ed300ad08f71de8623b1dc3cbdb3679b0439c0b21bc78323ed998a7ee07df78ce6fac |
memory/2948-244-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | aba273eeba4876ea41ee0e64b4cbb51d |
| SHA1 | bef5f75b81cf27268dc0d0f30f00b022f9288db9 |
| SHA256 | 67fc3f5c3407858793c6fac6131b0f340667ffc567fa76b43245ecf2621322c9 |
| SHA512 | 23dc2f0cfc68194dcbf407a6528cf9f9a8aa89f4821be22413bde036ae5ca44144b568aa3160372b9741f3d0f5baa48dff8a8b582bdedc3ad3fb121af340c0ae |
memory/2712-242-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/1928-241-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 149933724aa3b17c33b309cc996eb07e |
| SHA1 | 78db01ad9a1a6ce0a20ad9f1c078f7f97f1745d4 |
| SHA256 | 3921729aa8237a43f9b321f09ca4634623ef293f8d47027ba9cef4ce93839e97 |
| SHA512 | a6e757c14437a57e35795cafb74238034f4525d57683b8001b123780b5bf66124160b3905c3f4849ec0c627f94c5b4ee0eb0b78cf29bec5cfa02ab0ef81aa11e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 149933724aa3b17c33b309cc996eb07e |
| SHA1 | 78db01ad9a1a6ce0a20ad9f1c078f7f97f1745d4 |
| SHA256 | 3921729aa8237a43f9b321f09ca4634623ef293f8d47027ba9cef4ce93839e97 |
| SHA512 | a6e757c14437a57e35795cafb74238034f4525d57683b8001b123780b5bf66124160b3905c3f4849ec0c627f94c5b4ee0eb0b78cf29bec5cfa02ab0ef81aa11e |
memory/4456-239-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 118d5649311b514db219f613211e13a9 |
| SHA1 | 485cc05e7072d26bf8226062ba1c578d7b30e1c4 |
| SHA256 | 4fff6897c69cc3e8b9ae3da4d3c221ecbf329a4112d85cb346a4d413b70581dd |
| SHA512 | b458d6703bde28f5d870542c852ad5990592a7a186eb7b4da83b475a94e2d2cdb1105b27d86414708dc613aad902937601d76cedad8304832c4d59ac1c088db4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 118d5649311b514db219f613211e13a9 |
| SHA1 | 485cc05e7072d26bf8226062ba1c578d7b30e1c4 |
| SHA256 | 4fff6897c69cc3e8b9ae3da4d3c221ecbf329a4112d85cb346a4d413b70581dd |
| SHA512 | b458d6703bde28f5d870542c852ad5990592a7a186eb7b4da83b475a94e2d2cdb1105b27d86414708dc613aad902937601d76cedad8304832c4d59ac1c088db4 |
memory/2836-235-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/2156-234-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 58d5391a088420e4f58d801ed9f217a6 |
| SHA1 | 3a9795e248a126b315449549980768729ac2d517 |
| SHA256 | 5bfe4b5e9492f71d0f90fd6db10ac170c0aaaa932ebc5da9a30b80ab47a6d51f |
| SHA512 | e650e3e9102f9200780215a596549b030fca83433d6fb2e5ecd6bdcc561826a673a83fa75694fb689a1dcd6b049d2fcae324b9dc9bfcd3fcced4f74326a04943 |
C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/5372-260-0x0000000000000000-mapping.dmp
memory/5372-263-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/5488-264-0x0000000000000000-mapping.dmp
memory/5372-267-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\38MS6cfT7h.bat
| MD5 | 4d2eecc29286f09caaa7c0c026076ffe |
| SHA1 | 8bb485e151ab0ad4906eaf42a8f453bb9ae95e78 |
| SHA256 | d9bc266e0ec04e7e39708b681d5e57bec314463e2e1907148b0d6507966678ab |
| SHA512 | f31953b99f8c1d5fd143aa11975db76b62b94690069451dc2b71f0d86e38e0cfd0efb3dfa489319441ca50d76cdb026964f3e62741ba91a8cb830f8aa18493a1 |
memory/5552-266-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/5576-268-0x0000000000000000-mapping.dmp
memory/5576-271-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/5692-272-0x0000000000000000-mapping.dmp
memory/5756-274-0x0000000000000000-mapping.dmp
memory/5576-275-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D9KWG0zl28.bat
| MD5 | df6616c87eb221021089c6a768b9349c |
| SHA1 | ccc1e5d81c79303507e7a9c9d07afe905024dda2 |
| SHA256 | 97d005b875ecfeb22900fac702b282004b88d1385afa021e9db4ce322859f1dc |
| SHA512 | a5039743e60ceb44be93811a1a69ac1d3f886af8699ed43d3d84d76afa365f117c73229a46d78b8d9dc6f08d35ad39ce01d885fdf43a6e69cc735514c13dcdb4 |
C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/5792-276-0x0000000000000000-mapping.dmp
memory/5792-278-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
memory/5916-279-0x0000000000000000-mapping.dmp
memory/5972-281-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\qO35UmqwIy.bat
| MD5 | 637b60667895b29aeef562103d5a3f5b |
| SHA1 | 2cccfbbffa9f13ceb8be875fb7b7edeb229b59eb |
| SHA256 | 9b02ea82e643b54f83c29242c66a3068263a7308ae7fcff6ed32bbecd0ab9661 |
| SHA512 | 7e8f4cd915effbd2e44188a1ef6428c956b5a7cfff2576e4fbe581159c7b92eb87c28bc0d3e24ed877428652eb2879aca18b18e0c69d5e56e511353423912c20 |
memory/6000-283-0x0000000000000000-mapping.dmp
C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/6136-286-0x0000000000000000-mapping.dmp
memory/1896-288-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\uOEGMIRuqZ.bat
| MD5 | e82fc673235b242ec4a7111b74068e17 |
| SHA1 | 129f29015761e10123b8c108e18a4065361122aa |
| SHA256 | aff5e7c1891ac575c9eabab1adc85efd9ba6b10bf793d6d0252e24293560241a |
| SHA512 | 193829dca71de8550fc7d0ad6d5f46507ebedec2c93b456fbd9f777ee07351b17a2b44a28e74e2884b7dbd533411a33a36fffac05323e1a4259c3b1e760f9918 |
memory/4028-290-0x0000000000000000-mapping.dmp
C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/3964-293-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\OoUlhQHDc2.bat
| MD5 | 1ff68092568d2e8b4b3bea6015c3b46c |
| SHA1 | 325f43c3e18c1bb468eb0501c11a4ec817d03ce5 |
| SHA256 | 9d3ed232a83830f37bb5aedaa080d58baa08d8b3a3fba4d5b3094cee117257f2 |
| SHA512 | cfe1c33ee0964dffe7c04d00919389fe84da2fa34b6a6852103ef7ec60a9a38fb75563c88e7e187de7ea73454ccfe132c84553743e51b089dd11a40fcdbbe564 |
memory/4156-295-0x0000000000000000-mapping.dmp
memory/5028-297-0x0000000000000000-mapping.dmp
C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2836-300-0x0000000000000000-mapping.dmp
memory/2248-302-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1CKPPXbanu.bat
| MD5 | ceab4cd700afff660de78716b15aec3f |
| SHA1 | 0fb20e89a7692efdf15b9f35c4479cace5bfe8a9 |
| SHA256 | 65932f011b9753d25d84e7107bdeb3857c1287263e23f10d7fbc3942b895d131 |
| SHA512 | bd8b9be1eec898dce2cd0349d127d8db1ff62259eb514868abc7f045d7adae6bc8fd86f4653084b5610397c24b561c1c103d3b0458079eeceed658bb96c4d7c9 |
memory/4404-304-0x0000000000000000-mapping.dmp
C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/3772-307-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\PfMhC4n1i0.bat
| MD5 | 1b1870a20f0c23d464d30cc155004fb0 |
| SHA1 | 3644ba22c80c93ca64396d8946fc80933e0b1e8f |
| SHA256 | db13112686c50a50bbe81a4697ef971d53b67d79bb230e29fa83eb0355b51dc4 |
| SHA512 | 4c6f69920d9a285bfe51f4368800e800bf794773a2d022319be25b3847f7ee605ec82c20cf066388f28a5cc460cc841107e9cfae99a7dd1943c7fa525c6ac2d1 |
memory/1760-309-0x0000000000000000-mapping.dmp
memory/1864-311-0x0000000000000000-mapping.dmp
C:\Program Files\Windows Security\BrowserCore\en-US\csrss.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/3944-314-0x0000000000000000-mapping.dmp
memory/3476-316-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5AjNu1Vgdj.bat
| MD5 | ba57304e8081ce227b19092dd7475158 |
| SHA1 | 03f28d70877fefe885c30768598fc1ea52d97ec2 |
| SHA256 | 7325144a41f0bb804709df1971acb3d621e472ad9a98fec5730e7bea3a9e5372 |
| SHA512 | 00fd67a26d9fe9a5047331f3618dab582138f18aab096bb38d6ffcfc20e2e0f43f749b91bca376dd3da6e0967cc9a8c83454590e8725b6c51dca8eda24df3e59 |