Analysis Overview
SHA256
33473ea0cb5aec66b7388943978b9cacd9f8c6843090e6ec05a22d10e96e8ef9
Threat Level: Known bad
The file 33473ea0cb5aec66b7388943978b9cacd9f8c6843090e6ec05a22d10e96e8ef9 was found to be: Known bad.
Malicious Activity Summary
Dcrat family
Process spawned unexpected child process
DCRat payload
DcRat
DCRat payload
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-01 10:38
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-01 10:38
Reported
2022-11-01 10:41
Platform
win10-20220812-en
Max time kernel
148s
Max time network
145s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
(39 identical hits, one per schtasks.exe /create invocation listed under Processes)
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(18 identical hits with no further detail in the report)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Maps\font\services.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Maps\font\services.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Maps\font\services.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Maps\font\services.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Maps\font\services.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Maps\font\services.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Maps\font\services.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Maps\font\services.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Maps\font\services.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Maps\font\services.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Maps\font\services.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Maps\font\services.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Maps\font\services.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Maps\font\services.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\7a0fd90576e088 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\6ccacd8608530f | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft.NET\RedistList\69ddcba757bf72 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Portable Devices\dllhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Portable Devices\5940a34987c991 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\explorer.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Idle.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Cursors\dwm.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Cursors\6cb0b6c459d5d3 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Resources\Maps\font\services.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Resources\Maps\font\c5b4cb5e9653cc | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\rescache\_merged\taskhostw.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Windows\Resources\Maps\font\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Windows\Resources\Maps\font\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\33473ea0cb5aec66b7388943978b9cacd9f8c6843090e6ec05a22d10e96e8ef9.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Windows\Resources\Maps\font\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Windows\Resources\Maps\font\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Windows\Resources\Maps\font\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Windows\Resources\Maps\font\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Windows\Resources\Maps\font\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\providercommon\DllCommonsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Windows\Resources\Maps\font\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Windows\Resources\Maps\font\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Windows\Resources\Maps\font\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Windows\Resources\Maps\font\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Windows\Resources\Maps\font\services.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Windows\Resources\Maps\font\services.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\33473ea0cb5aec66b7388943978b9cacd9f8c6843090e6ec05a22d10e96e8ef9.exe
"C:\Users\Admin\AppData\Local\Temp\33473ea0cb5aec66b7388943978b9cacd9f8c6843090e6ec05a22d10e96e8ef9.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\Resources\Maps\font\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Resources\Maps\font\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Resources\Maps\font\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\providercommon\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\providercommon\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Videos\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Videos\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Videos\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\odt\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\Cursors\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Cursors\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\Cursors\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Maps\font\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\wininit.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Idle.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mftNZ3WrbF.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Resources\Maps\font\services.exe
"C:\Windows\Resources\Maps\font\services.exe"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GrfoiSU1wP.bat"
C:\Windows\Resources\Maps\font\services.exe
"C:\Windows\Resources\Maps\font\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Resources\Maps\font\services.exe
"C:\Windows\Resources\Maps\font\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LabqbH8bfv.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Resources\Maps\font\services.exe
"C:\Windows\Resources\Maps\font\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jClCs9nEU3.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Resources\Maps\font\services.exe
"C:\Windows\Resources\Maps\font\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TZCyxGcg3L.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Resources\Maps\font\services.exe
"C:\Windows\Resources\Maps\font\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4vfhrz6qhB.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Resources\Maps\font\services.exe
"C:\Windows\Resources\Maps\font\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Resources\Maps\font\services.exe
"C:\Windows\Resources\Maps\font\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dIJBhaqFKS.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Resources\Maps\font\services.exe
"C:\Windows\Resources\Maps\font\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p8yPRkR6MR.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Resources\Maps\font\services.exe
"C:\Windows\Resources\Maps\font\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XFk51gP3Gp.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Resources\Maps\font\services.exe
"C:\Windows\Resources\Maps\font\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hANH4lx1y1.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Resources\Maps\font\services.exe
"C:\Windows\Resources\Maps\font\services.exe"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uruRJY5g5x.bat"
C:\Windows\Resources\Maps\font\services.exe
"C:\Windows\Resources\Maps\font\services.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6x2cfOw3ED.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\Resources\Maps\font\services.exe
"C:\Windows\Resources\Maps\font\services.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 20.189.173.2:443 | | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
Files
memory/3064-116-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-117-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-118-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-119-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-121-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-122-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-124-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-125-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-126-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-127-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-128-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-129-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-130-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-131-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-134-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-135-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-136-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-133-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-132-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-137-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-139-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-140-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-138-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-142-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-143-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-141-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-144-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-145-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-146-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-148-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-150-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-151-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-153-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-154-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-155-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-157-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-156-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-158-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-159-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-152-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-149-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-147-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-160-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-161-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-162-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-163-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-164-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-165-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-166-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-168-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-170-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-169-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-167-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-171-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-172-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-174-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-173-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-176-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-175-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-177-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-178-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/4296-181-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/4296-180-0x0000000000000000-mapping.dmp
memory/4296-182-0x0000000076FE0000-0x000000007716E000-memory.dmp
memory/3064-179-0x0000000076FE0000-0x000000007716E000-memory.dmp
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
memory/3912-256-0x0000000000000000-mapping.dmp
memory/4868-279-0x0000000000000000-mapping.dmp
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4868-282-0x0000000000640000-0x0000000000750000-memory.dmp
memory/4868-283-0x0000000000ED0000-0x0000000000EE2000-memory.dmp
memory/4868-284-0x0000000000EE0000-0x0000000000EEC000-memory.dmp
memory/4868-285-0x0000000000EF0000-0x0000000000EFC000-memory.dmp
memory/4868-286-0x0000000000F00000-0x0000000000F0C000-memory.dmp
memory/2148-287-0x0000000000000000-mapping.dmp
memory/812-290-0x0000000000000000-mapping.dmp
memory/1852-289-0x0000000000000000-mapping.dmp
memory/2108-288-0x0000000000000000-mapping.dmp
memory/784-291-0x0000000000000000-mapping.dmp
memory/2636-293-0x0000000000000000-mapping.dmp
memory/2708-292-0x0000000000000000-mapping.dmp
memory/428-294-0x0000000000000000-mapping.dmp
memory/2320-298-0x0000000000000000-mapping.dmp
memory/3784-296-0x0000000000000000-mapping.dmp
memory/2388-295-0x0000000000000000-mapping.dmp
memory/3244-307-0x0000000000000000-mapping.dmp
memory/2076-305-0x0000000000000000-mapping.dmp
memory/4500-300-0x0000000000000000-mapping.dmp
memory/2108-353-0x000002AF47020000-0x000002AF47042000-memory.dmp
memory/2108-361-0x000002AF47210000-0x000002AF47286000-memory.dmp
memory/3580-365-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\mftNZ3WrbF.bat
| MD5 | c7b94de1d801ec9e81a054e5765a3f0d |
| SHA1 | 0010741fecfd25825084d0a354f4a94e144349b8 |
| SHA256 | 751f43ffc2415e7ca4f1854e18a2baf033f2ea58031a8ba750594e14c247ec02 |
| SHA512 | 108ed7e48b1ed01f659a93ff456455849d2362f01355bc35fef96b5558514b9fec3aed653a8df88d2cb04912516fbe225616eab3a4ca2a0f7f855a4510838cb9 |
memory/3324-417-0x0000000000000000-mapping.dmp
C:\Windows\Resources\Maps\font\services.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
C:\Windows\Resources\Maps\font\services.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/780-682-0x0000000000000000-mapping.dmp
memory/780-699-0x00000000008A0000-0x00000000008B2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | ad5cd538ca58cb28ede39c108acb5785 |
| SHA1 | 1ae910026f3dbe90ed025e9e96ead2b5399be877 |
| SHA256 | c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033 |
| SHA512 | c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 882942a81cb291b68e08ccef00457f7b |
| SHA1 | 654cb307f350c2649158828c3a4e6109d07ad711 |
| SHA256 | 2b94abb0dab627b79a0bad337876118f5198346175c6e4cee441442c78150479 |
| SHA512 | 74aa632e67135ee285e0f985d93da9b127b92e133cc51ff53895d810cc9c30ac2dd0c12f903f8d13b83c900fccc51af74368faf7d3e2d8e165bfff5d16060e44 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7b309ee2005ac3bfe743a84f15c85ef9 |
| SHA1 | 4d069ce352abe066896b0ad7e4a896da1cebaf98 |
| SHA256 | e8e550a75b8d03d87bd9b99c59db43b9c0e83becffc4c6b03427148e7afd509c |
| SHA512 | 0f5d002130d03735f7215895c1ae5d14fc027dcf8aa0a15b158e2c172a200d9886937b4329aba079c9f4a05ffe76104d33108b4743deaa281123481d0a2319d8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7b309ee2005ac3bfe743a84f15c85ef9 |
| SHA1 | 4d069ce352abe066896b0ad7e4a896da1cebaf98 |
| SHA256 | e8e550a75b8d03d87bd9b99c59db43b9c0e83becffc4c6b03427148e7afd509c |
| SHA512 | 0f5d002130d03735f7215895c1ae5d14fc027dcf8aa0a15b158e2c172a200d9886937b4329aba079c9f4a05ffe76104d33108b4743deaa281123481d0a2319d8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 81e014853763e4dc4c97825c1f7f7033 |
| SHA1 | 4f2c52c647b536dbeaa6a2acfc8f4ae93e3cc3c6 |
| SHA256 | a0feba5c6030cd830ea35568951d785815198a91493558462bbf02469ed0176f |
| SHA512 | abd748b02306de935e392c27eb02c1d3a099dc6d8e578b50c84e62ef84b23af490dd9760408eafd8bd0bf3dc9313566cfc0dfb6dc92696030e7411d890563517 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a9ed7a1e8c9d3ee26fbb7c309f96c73c |
| SHA1 | af01799ba56d245dac47f0315ceb042a20b50e01 |
| SHA256 | ebdcdfca32e6b9be979ad92e7f98560bbbcde3c484748bdb117c8543cacf00a5 |
| SHA512 | 8b4b77ae926908c57c37ffd22334f91db079724025dc8ca88f9c71977dbfe626933e88fcd6ba2b42df688881f710378b86cc75718e8c9861a82b8f5ac54f3f5f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a9ed7a1e8c9d3ee26fbb7c309f96c73c |
| SHA1 | af01799ba56d245dac47f0315ceb042a20b50e01 |
| SHA256 | ebdcdfca32e6b9be979ad92e7f98560bbbcde3c484748bdb117c8543cacf00a5 |
| SHA512 | 8b4b77ae926908c57c37ffd22334f91db079724025dc8ca88f9c71977dbfe626933e88fcd6ba2b42df688881f710378b86cc75718e8c9861a82b8f5ac54f3f5f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f57b73efbb60154b26af589eaccdd892 |
| SHA1 | f258580fad36acf26688934bbddec40c155e40f2 |
| SHA256 | de10e1a92d9d0e0457b4a070fbeaf34282c4e51d68f2bb3167bf62d3fa00dd22 |
| SHA512 | 9db06c69c661e57414efa28d2886465a48eca1f581ea8676e8c8b2ff2cc07d56be490dbe787bb65449eb2b335e7c53bf5b8e54db93b21ca478244def423462c1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 81e014853763e4dc4c97825c1f7f7033 |
| SHA1 | 4f2c52c647b536dbeaa6a2acfc8f4ae93e3cc3c6 |
| SHA256 | a0feba5c6030cd830ea35568951d785815198a91493558462bbf02469ed0176f |
| SHA512 | abd748b02306de935e392c27eb02c1d3a099dc6d8e578b50c84e62ef84b23af490dd9760408eafd8bd0bf3dc9313566cfc0dfb6dc92696030e7411d890563517 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ab51c32729e135f689b2e3fb0e0894f9 |
| SHA1 | bfe3f3d615793eaa66d5837b348cb63399d52726 |
| SHA256 | 090d59261898c70afe96d74592953f3f5d492c50c780eb120e6c813054e19130 |
| SHA512 | 307e7bc41f521db8dbb6d7ad53dcd4d16a3454ce63b9128652f20b5ceb0f59b4d721081da6e9e383f091341e038b6d86ae10e7f8bf456cfc27f0628b42941596 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ab51c32729e135f689b2e3fb0e0894f9 |
| SHA1 | bfe3f3d615793eaa66d5837b348cb63399d52726 |
| SHA256 | 090d59261898c70afe96d74592953f3f5d492c50c780eb120e6c813054e19130 |
| SHA512 | 307e7bc41f521db8dbb6d7ad53dcd4d16a3454ce63b9128652f20b5ceb0f59b4d721081da6e9e383f091341e038b6d86ae10e7f8bf456cfc27f0628b42941596 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 882942a81cb291b68e08ccef00457f7b |
| SHA1 | 654cb307f350c2649158828c3a4e6109d07ad711 |
| SHA256 | 2b94abb0dab627b79a0bad337876118f5198346175c6e4cee441442c78150479 |
| SHA512 | 74aa632e67135ee285e0f985d93da9b127b92e133cc51ff53895d810cc9c30ac2dd0c12f903f8d13b83c900fccc51af74368faf7d3e2d8e165bfff5d16060e44 |
memory/3628-753-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\GrfoiSU1wP.bat
| MD5 | 6ad5ce5542450f5f3cf6b20b9b3a06ca |
| SHA1 | 3ce2d6f72b5eab6480160c7ba68bcb020336ffad |
| SHA256 | 138d1c15df8ff4d333b54c7affc5f57f49ba050e9838e58c2b91fed61cbb649a |
| SHA512 | 5ae9ff4083e9a4c1a3f89baf954de3a4d6cf52fb35140583f041ec84b24d51b1ccb439d1c9b0697e2e0717d97401fea4d4a2e67915c1f4c43566965e3b29574c |
memory/3480-751-0x0000000000000000-mapping.dmp
memory/2188-754-0x0000000000000000-mapping.dmp
C:\Windows\Resources\Maps\font\services.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log
| MD5 | d63ff49d7c92016feb39812e4db10419 |
| SHA1 | 2307d5e35ca9864ffefc93acf8573ea995ba189b |
| SHA256 | 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12 |
| SHA512 | 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a |
memory/1368-757-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat
| MD5 | 8bda044dbb8a43431283ff4ec741cea1 |
| SHA1 | 3383299bc3e27dd8dd4ef2ac97eb52e55c315d54 |
| SHA256 | b62cf77f10ff514613892059352284df14709c3718def739eef9ddd4dbf166c5 |
| SHA512 | a486ad4ae2ed8115b00a7272ffc1835c2a80b48e1d84d1e856d85175de73e15e9c73cda6bb19349b9ea8af5b5ec23131c25ada07a371e22053ffc06c9f983f38 |
memory/4380-759-0x0000000000000000-mapping.dmp
memory/4960-760-0x0000000000000000-mapping.dmp
C:\Windows\Resources\Maps\font\services.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4572-762-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\LabqbH8bfv.bat
| MD5 | 7a1e2c0ff8d90f444af2b7339f0ec48e |
| SHA1 | e582a533f4fe7b9d4599d4ca582e3760f8f2f72e |
| SHA256 | fd324733b076dfaf685c8ff2b8063e3148846b36dae5b54f622765e31d0cb978 |
| SHA512 | 70afcd0bf2c25d25e1a16e34386b36bb83f6d02ca3721f98fc8597cdcb61dd1685f5c5b51a06dcdb6ab508624ec745debb7bf694498d513e3ab287fb9638eca6 |
memory/4368-764-0x0000000000000000-mapping.dmp
C:\Windows\Resources\Maps\font\services.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2396-765-0x0000000000000000-mapping.dmp
memory/2396-767-0x0000000000DE0000-0x0000000000DF2000-memory.dmp
memory/4824-768-0x0000000000000000-mapping.dmp
memory/3116-770-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\jClCs9nEU3.bat
| MD5 | cb0410ffad04a3dd96a35fef2ab0d097 |
| SHA1 | da934750b0b640a5d56daf30aa6e136ef1a620f6 |
| SHA256 | 40f270cb327b13a1de4b0ff08cbe3800fd46136a31ef58796a16f0f12e870ee6 |
| SHA512 | 76d6ea5f5bee41b15daecadf279541b6cac6376da3b5393a7dbe5184797bf50053fe055f37551dd65bbe248d21ad54b41073f483557579b11ba64339c59ff8ba |
C:\Windows\Resources\Maps\font\services.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4244-771-0x0000000000000000-mapping.dmp
memory/4448-773-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\TZCyxGcg3L.bat
| MD5 | 69810fb43d328d2a47788a29f0c7ea1f |
| SHA1 | 79cdc1a93dbabd6b6fa48f2b4ff79d4b09d1c528 |
| SHA256 | dffb09c7a6a3673c141e73f85ebfc6a4dcb0ccce74f65ff49dd2c7e777caaec4 |
| SHA512 | c3501bcb679f58f0eec5b8421afeaba06855df8ad8ca19ae5d11b8360bf545b3934571b205b2a4be2e8c847d696e06e54e1533ced90867a31bc95ddbe96b390a |
memory/5100-775-0x0000000000000000-mapping.dmp
memory/4876-776-0x0000000000000000-mapping.dmp
C:\Windows\Resources\Maps\font\services.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4876-778-0x00000000007D0000-0x00000000007E2000-memory.dmp
memory/4808-779-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\4vfhrz6qhB.bat
| MD5 | ea0a095b68a30009b08b58b75c976afd |
| SHA1 | f6ec9b505b9f3c55f7abca24f2028bafeaa0a701 |
| SHA256 | 04e81ad3f4dd2748c0fe29d3360579fc0bbaa2883d37eb570c9a0b938bdb071c |
| SHA512 | 8732c20422723ff86e9748599f1f127feb45ad1954b9a1363553e303c8fbc71805d754eb15fec6871ba78b4da20ff9bbe8dc823725f1c2f8da0549afd79ecb22 |
memory/2704-781-0x0000000000000000-mapping.dmp
memory/4248-782-0x0000000000000000-mapping.dmp
C:\Windows\Resources\Maps\font\services.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/3032-784-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat
| MD5 | 56e4518bc6a48002ab756291640a322e |
| SHA1 | a0f95428e1baced6ca084fb2716845b65f75f5be |
| SHA256 | 8ecb7ad08212b379c8f900203bc54b5e3d5562ce53655deaa02295e2b1bb80d6 |
| SHA512 | d22dfeff13760d8ab31d096786d6ce43cd74cf240d181464bf8d3b4c5fd987c03aeccbc97bf84f637ae3c76289719e374901a35bd64f2aeff38ad63121b65751 |
memory/3788-786-0x0000000000000000-mapping.dmp
memory/4780-787-0x0000000000000000-mapping.dmp
C:\Windows\Resources\Maps\font\services.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4780-789-0x00000000015F0000-0x0000000001602000-memory.dmp
memory/936-790-0x0000000000000000-mapping.dmp
memory/1236-792-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\dIJBhaqFKS.bat
| MD5 | b145283042566f4c6d25c21e39fd91fe |
| SHA1 | 4d8569c8552d9c4e913cd1e8bd6b4c313d242bf3 |
| SHA256 | 808b2ca14a64a0806818dcd6979d70cef811151d6a2042c13af5da2167685025 |
| SHA512 | 705d912e42ed20398190dc6bb13bd13525ea3076ba85087ad561332b3c638ea623a000a6563961fffc0040a325ba54bbab91ea6d85177c00f6af3f5c706ff383 |
memory/1864-793-0x0000000000000000-mapping.dmp
C:\Windows\Resources\Maps\font\services.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/3400-795-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\p8yPRkR6MR.bat
| MD5 | 0d45e7acce0109888cf245b7f5a9bbc8 |
| SHA1 | a0abcfa2fb59807be06136ae95b445046860ff0d |
| SHA256 | 385d96851f0f07de5d6a82e668c7ca84a7fa9ab51bc8fad8b3bfc7b863a9b667 |
| SHA512 | 246112f7cda3ce28bf2a6213772c7f4718e073f6e83c9bf1f89a9a30a8eacc2885704628aba6e5cd65b231afca6c9a8781c8f8705996df1ab7a9430dae10dd28 |
memory/4736-797-0x0000000000000000-mapping.dmp
memory/3648-798-0x0000000000000000-mapping.dmp
C:\Windows\Resources\Maps\font\services.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4068-800-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\XFk51gP3Gp.bat
| MD5 | c9a5fced6bfa2d6775976569b458b9d9 |
| SHA1 | 83362d4fcc507fa715ac6ae10a30be0c72f9a5a2 |
| SHA256 | 3d12f24c6cca4ef57738a40519ba95b2df677c07f53285bb77e8f598937e2823 |
| SHA512 | 8bd3ef15c38597055ac229aca59fe211188161bc5df1e3a28326882a4dd37bc93ea8a8914b9bc6ea53c271edb3ef156bb645d7c1a9b59bfbafeab81a1567a70a |
memory/4896-802-0x0000000000000000-mapping.dmp
memory/3732-803-0x0000000000000000-mapping.dmp
C:\Windows\Resources\Maps\font\services.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/3732-805-0x0000000000FF0000-0x0000000001002000-memory.dmp
memory/4956-806-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\hANH4lx1y1.bat
| MD5 | 45ae6ceb150843934bce08ffc16b2000 |
| SHA1 | be067b3be757c1ecc66b4acfe98e030613dc52f0 |
| SHA256 | 368c6c38ee1a16a6db56c20a7d5a695bf2072bcf5a3dc5ebb52216462d7fcb2a |
| SHA512 | b77076c6ab897a40e26ef2e11dcafb793bf66e2eec7549f34d1807c873cc4f2194f51aa58fbc248848723511c21c48deae32c82da3dc8ad06690123777bdb738 |
memory/2148-808-0x0000000000000000-mapping.dmp
C:\Windows\Resources\Maps\font\services.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4740-809-0x0000000000000000-mapping.dmp
memory/4740-811-0x0000000001070000-0x0000000001082000-memory.dmp
memory/3384-812-0x0000000000000000-mapping.dmp
memory/3908-814-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\uruRJY5g5x.bat
| MD5 | 361780c4ca74a284d718f65b9f94e971 |
| SHA1 | d8b28381c51ac7656577e205f1b49b434ff9404f |
| SHA256 | 4d985076977d2099de24d396263248be3a6843df11d61c1a599201a67cbcffcd |
| SHA512 | a4f64c1fe20804950363e0030366f939a02e919b8306aea617ba554a00be5ec93c3c8091bc2e222e1a9be4277f7c8da7d7e083e35f73a4c344b8ffa4cf04f873 |
memory/2116-815-0x0000000000000000-mapping.dmp
C:\Windows\Resources\Maps\font\services.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4800-817-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\6x2cfOw3ED.bat
| MD5 | 862773261cba9a05cdafe29331f1da62 |
| SHA1 | 6e95507aed1ab9d8378886284a03af3385007dcc |
| SHA256 | 0f38626ad11000e2c2b9984f9259fc09caf26adf9bef26480ba323e3660fda5b |
| SHA512 | 41398fd8ea84eb015411458fa3dce9ed52e4f32a3fd8d83bb0a38e595d0e7701a44f9d49d849d663ac0d0de1d586431408cd99f979acbab7af4fc2ef02e4aae9 |
memory/2108-819-0x0000000000000000-mapping.dmp
memory/1564-820-0x0000000000000000-mapping.dmp
C:\Windows\Resources\Maps\font\services.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
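The listing above is raw sandbox output, and the pattern worth pulling out of it is one binary (SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63) written first as C:\providercommon\DllCommonsvc.exe and then, after each dropped .bat, again as C:\Windows\Resources\Maps\font\services.exe, a name borrowed from the real Service Control Manager binary that lives only in System32. The Python script below is an added example, not part of this report or of any sandbox tooling: it parses this listing format (a path line followed by pipe-delimited hash rows, with memory/... dump lines interleaved), groups entries by SHA256 so the repeated writes collapse to a single indicator with a write count, and flags executables named like core Windows binaries that sit outside their expected directory. The embedded REPORT excerpt is copied from the listing above; the EXPECTED_DIRS allow-list is an assumption of this example and covers the standard install locations only.

```python
import re
from collections import defaultdict

# Excerpt of the dropped-file listing from the report above (a path line followed by
# pipe-delimited hash rows; "memory/..." lines are dumps, not files). Embedded so the
# script runs offline; point parse_dropped_files() at the full report to triage all of it.
REPORT = r"""
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
C:\Users\Admin\AppData\Local\Temp\mftNZ3WrbF.bat
| MD5 | c7b94de1d801ec9e81a054e5765a3f0d |
| SHA256 | 751f43ffc2415e7ca4f1854e18a2baf033f2ea58031a8ba750594e14c247ec02 |
memory/3324-417-0x0000000000000000-mapping.dmp
C:\Windows\Resources\Maps\font\services.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
C:\Windows\Resources\Maps\font\services.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
"""

# One hash row of the report's table: "| ALGO | hex |".
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")

# Where these well-known Windows binaries legitimately live (lower-cased for comparison).
# Assumption for this example: only the standard install paths are allowed.
EXPECTED_DIRS = {
    "services.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}


def parse_dropped_files(text):
    """Return [{'path': str, 'hashes': {algo: hex}}] in report order; memory dumps are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("memory/"):
            continue
        m = HASH_ROW.match(line)
        if m:
            if not entries:
                raise ValueError("hash row before any file path: " + line)
            entries[-1]["hashes"][m.group(1)] = m.group(2).lower()
        else:
            entries.append({"path": line, "hashes": {}})
    return entries


def group_by_sha256(entries):
    """Map SHA256 -> list of paths it was written to. One hash at several paths is the
    copy-and-rename pattern in the report (DllCommonsvc.exe reappearing as services.exe)."""
    groups = defaultdict(list)
    for e in entries:
        sha = e["hashes"].get("SHA256")
        if sha:
            groups[sha].append(e["path"])
    return dict(groups)


def masquerade_findings(entries):
    """Flag files named like core Windows binaries that sit outside their expected directory."""
    findings = []
    for e in entries:
        directory, _, name = e["path"].lower().rpartition("\\")
        allowed = EXPECTED_DIRS.get(name)
        if allowed is not None and directory not in allowed:
            findings.append({"path": e["path"], "sha256": e["hashes"].get("SHA256")})
    return findings


if __name__ == "__main__":
    parsed = parse_dropped_files(REPORT)
    for sha, paths in group_by_sha256(parsed).items():
        print(sha, "->", len(paths), "write(s) at", sorted(set(paths)))
    for finding in masquerade_findings(parsed):
        print("masquerade:", finding["path"], finding["sha256"])
```

Grouping by SHA256 rather than by path is what turns this report into usable indicators: the many services.exe entries are one file, and the MD5/SHA1 rows are kept only as secondary keys for tools that cannot match on SHA256. The masquerade check deliberately compares the full parent directory rather than looking for "system32" anywhere in the path, because a dropper can just as easily create C:\Windows\System32Fake\ as C:\Windows\Resources\Maps\font\.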