Analysis Overview
SHA256
d31966ae28befdd549a122e3a8c087a3cfc5e4fcecbb95a58ba36190ac258d9a
Threat Level: Known bad
The file d31966ae28befdd549a122e3a8c087a3cfc5e4fcecbb95a58ba36190ac258d9a was found to be: Known bad.
Malicious Activity Summary
Dcrat family
Process spawned unexpected child process
DCRat payload
DcRat
DCRat payload
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-01 10:41
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-01 10:41
Reported
2022-11-01 10:43
Platform
win10-20220901-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Windows Media Player\winlogon.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Media Player\cc11b995f2a76d | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Security\BrowserCore\5b884080fd4f94 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Portable Devices\spoolsv.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Portable Devices\f3b6ecef712a24 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Uninstall Information\dllhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Uninstall Information\5940a34987c991 | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\twain_32\spoolsv.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\twain_32\f3b6ecef712a24 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\BitLockerDiscoveryVolumeContents\ebf1f9fa8afd6d | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\InfusedApps\Packages\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\System.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\appcompat\appraiser\Telemetry\spoolsv.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\appcompat\appraiser\Telemetry\f3b6ecef712a24 | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\d31966ae28befdd549a122e3a8c087a3cfc5e4fcecbb95a58ba36190ac258d9a.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d31966ae28befdd549a122e3a8c087a3cfc5e4fcecbb95a58ba36190ac258d9a.exe
"C:\Users\Admin\AppData\Local\Temp\d31966ae28befdd549a122e3a8c087a3cfc5e4fcecbb95a58ba36190ac258d9a.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\appcompat\appraiser\Telemetry\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\appcompat\appraiser\Telemetry\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\appcompat\appraiser\Telemetry\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\odt\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\twain_32\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\twain_32\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\twain_32\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\odt\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Desktop\DllCommonsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Desktop\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\appcompat\appraiser\Telemetry\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\spoolsv.exe'
C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5Ad8adCyX4.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRWwqJyPGw.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Urxb3wPgb0.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RBOUzXbIOW.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V3SaMhi525.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yWf31kVUUl.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0Sh6ipYOoX.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQXsfud8LV.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmZn61weJC.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
"C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MzhLoGhvPq.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
| Country | Destination | Domain | Proto |
| FR | 2.16.119.157:443 | | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 20.42.65.84:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
memory/4736-260-0x0000000000000000-mapping.dmp
memory/3104-283-0x0000000000000000-mapping.dmp
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/3104-286-0x00000000008D0000-0x00000000009E0000-memory.dmp
memory/3104-287-0x0000000002B30000-0x0000000002B42000-memory.dmp
memory/3104-288-0x0000000002B40000-0x0000000002B4C000-memory.dmp
memory/3104-289-0x0000000002B50000-0x0000000002B5C000-memory.dmp
memory/3104-290-0x0000000002B60000-0x0000000002B6C000-memory.dmp
memory/2248-291-0x0000000000000000-mapping.dmp
memory/2548-293-0x0000000000000000-mapping.dmp
memory/2472-292-0x0000000000000000-mapping.dmp
memory/4796-294-0x0000000000000000-mapping.dmp
memory/3912-295-0x0000000000000000-mapping.dmp
memory/4052-297-0x0000000000000000-mapping.dmp
memory/5112-296-0x0000000000000000-mapping.dmp
memory/4440-298-0x0000000000000000-mapping.dmp
memory/3624-302-0x0000000000000000-mapping.dmp
memory/3420-300-0x0000000000000000-mapping.dmp
memory/2772-305-0x0000000000000000-mapping.dmp
memory/3448-312-0x0000000000000000-mapping.dmp
memory/3640-308-0x0000000000000000-mapping.dmp
memory/4204-330-0x0000000000000000-mapping.dmp
memory/4144-325-0x0000000000000000-mapping.dmp
memory/4200-321-0x0000000000000000-mapping.dmp
memory/5108-318-0x0000000000000000-mapping.dmp
memory/376-350-0x0000000000000000-mapping.dmp
C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2248-373-0x0000028DB7EB0000-0x0000028DB7ED2000-memory.dmp
memory/4796-382-0x000001D81D4B0000-0x000001D81D526000-memory.dmp
memory/376-385-0x00000000015A0000-0x00000000015B2000-memory.dmp
memory/5440-808-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5Ad8adCyX4.bat
| MD5 | 4a7162c87abef77d3ebe0cbf2c74583f |
| SHA1 | 1cc8da99f8f6433f319af7cf75def028da2fcad0 |
| SHA256 | e928cbb1fd187bf9eec0e87d502096c017e3f6583047417ac2313e30d009bc2f |
| SHA512 | a618822fbe4721e0b4d59e1af74d1d5e8051bc199f3749adaf94ea4a64deb1b1b1f8d6a2e51451914eceecb336cd507d41245e1aaec6c66998fe53c8719d334e |
memory/5668-840-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | ad5cd538ca58cb28ede39c108acb5785 |
| SHA1 | 1ae910026f3dbe90ed025e9e96ead2b5399be877 |
| SHA256 | c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033 |
| SHA512 | c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 976f9460c70c6152d51268c92047a9e4 |
| SHA1 | d6364332ef19040f010312179575875326c215c6 |
| SHA256 | 55bafe6cd2eaad40f35b53760b279da4c82ea3f01516db37345cd86cc098fd5a |
| SHA512 | b65de14b9dfb38fbd927b4ebeaa35155abdb956f90dc407e312abf396255a682af089ce84c6f40b95cdd37cb4243caadf5ead774d81258cf21f4b611ebda584c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c2943e6810526c25038dd1a31befc379 |
| SHA1 | 87017f5ee9970737227f781c0c6b8bcf85008358 |
| SHA256 | ea410c57a98d3db8aba617008450a4edce3006e8e6862c9c00d603322c96294b |
| SHA512 | 9f718dc6507d522c35916629d2829e9b40e0652ee230f3ade282ecf93bdf016d33543358e9166402f47f1c47181a3e4dde014fe34742ba49cdb1e663dbfd5aa7 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 97b14663be775e32d0cc41d78134d6eb |
| SHA1 | d241a154331d5bfa64d7ccbfa2580d122d075402 |
| SHA256 | 69b0dc302c87db15b96c476b8d45eefd110d765551a131e66ffa2fffa4b16579 |
| SHA512 | 0d2c7dca6affbad1cac7f04d609ea41335c974fdb56e783c560cc69b9579248d20ad41ea55504f73cc645e755441bf71837c6e1e7058a841028573fa67f66108 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7ff35987e8cb655bbe1bd2e66a275ed7 |
| SHA1 | ec6d9c4a6e9bdf05dc90cc72822dc9b10fdc1a7d |
| SHA256 | 6563911ae23e0ffb69ed44b2fca3df0d7060568c7c891b47b83fa0d4fe8974ee |
| SHA512 | 70f2f830e56869932c387bd00c526e8fd073feb64de90e56a772fd87f269285f96c9d63991e3073ab62dd1687abfc0f1babc1b52a58896a6a92b517dd6343ea9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1488f354afb98ba2457d9dc864a365da |
| SHA1 | fccb09a5edf67b6578109cd9007d3750e689ae1e |
| SHA256 | 253b7961e7a52f9713810ebaee3f751953c48989dbb84f7202ebfb5496fc99c7 |
| SHA512 | 6d2b1b1c38c16507395c97d0a13f7a4020db702558a1a52e2d9f6a229e09d0d2acda3192406fc7a3646ef7a0a4fd63d8ab958376a89e3dd617b4115a4a19a06c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 728626f943ea1c38299fcb2c2d10f15a |
| SHA1 | 7fbc7446bde20ba67b6a71319eb873007c29258e |
| SHA256 | 35ea4443dea27b8dd62727eb5e1f63814fb955325ba02dedde435fcd0700b044 |
| SHA512 | 57b6caa34e7194459a981a2eba03a79ebc71edb2253ed5f9491d839c1a365dfa8b73db2cea0d669ea07c3375cd9927eb1643237505c71788b2a6db30a31ed3ef |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0671e061cef525069ed8bfb11348e499 |
| SHA1 | 53aa6cea45d79410643a419e8a9dbf71f2ffee6b |
| SHA256 | f9c1eb456165bce6650eb80f644b1f8ccd93d0fc0477cce4816ea7bee092fdd9 |
| SHA512 | d5436e48e262e09cb121e3d4322b0452f0e88052d6039956688e67097ca346d2a69245b69e597d94d6b97225814b859edfea10021839f9ddd50156eb8c7053fd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3dfac0307d8327e3d4167f3963144847 |
| SHA1 | beac2898d4dc2f80478a850e3bbdf8e3d3eb9a80 |
| SHA256 | abe9badb7e88a3e4694396520a2356f4c0b9f56a42bbd5b6b1064a454a7d08c3 |
| SHA512 | d2364cf53ff67598d056a76d1d5e2f6cf4bba5ac64900ec251d2cdda5387b88e263c4251debcce3f1db0e3297cb8e254938d05a9bb1944108f995b70d0bee39d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0671e061cef525069ed8bfb11348e499 |
| SHA1 | 53aa6cea45d79410643a419e8a9dbf71f2ffee6b |
| SHA256 | f9c1eb456165bce6650eb80f644b1f8ccd93d0fc0477cce4816ea7bee092fdd9 |
| SHA512 | d5436e48e262e09cb121e3d4322b0452f0e88052d6039956688e67097ca346d2a69245b69e597d94d6b97225814b859edfea10021839f9ddd50156eb8c7053fd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f4d443c7b4a9abe6ab3a6125e40614e5 |
| SHA1 | fa72c5c2196fd51ebecd1f79a4619cd3b53db094 |
| SHA256 | bc2a665f349bbda6d57a75f562ef8c3d2c518ac6802b130b94ba759b82e63659 |
| SHA512 | d938a0d27212cce0f342bda7ffd3e674a35abfd64b9647cd4437688939af603812b4685484b82d9367fb44da8673111294f0e0c8c1d85a09d181adaf5dfbf6ce |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7cc9d0d8a92db6ee0dcf5b86e817b045 |
| SHA1 | 16f420f3c9e38e4eea9dc8c81ed247b607b321be |
| SHA256 | 3322b3acb6fe98777c4d1fe63d9fc57bf8104db3ec1ebc0be656bce983eedb2f |
| SHA512 | d4f1763fb78d7e005cf9968e5aad22d0aeb889ee94392c23309c07d0206cd23dae0b53a51872a6ac0de833c507f01a271622985aeb1f3b490e8babb52869a832 |
memory/6132-895-0x0000000000000000-mapping.dmp
C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cmd.exe.log
| MD5 | d63ff49d7c92016feb39812e4db10419 |
| SHA1 | 2307d5e35ca9864ffefc93acf8573ea995ba189b |
| SHA256 | 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12 |
| SHA512 | 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a |
memory/6132-898-0x00000000013E0000-0x00000000013F2000-memory.dmp
memory/5148-899-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\wRWwqJyPGw.bat
| MD5 | b1bfd3abafebdf2307c19462ecd2f37d |
| SHA1 | 40f92e29aabce2a465d18f3e967f60102816e3cb |
| SHA256 | 6d0176370e886f7b2a61f00884dffcace089b098eb8309e9f4c0104e24611f90 |
| SHA512 | bdc5f0a0d3320ff1bbe98e66949f85fb36bd4e80ba64785924b9ebfc209df6146b1249a80f2a0881573262807bfce0e5006e0769d2e27145d8b174d5819854bc |
memory/5204-901-0x0000000000000000-mapping.dmp
memory/5220-902-0x0000000000000000-mapping.dmp
C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/5344-904-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Urxb3wPgb0.bat
| MD5 | 989fd95c6c29ee3d58d6004ce1d8bdc4 |
| SHA1 | 560990b58082ca5506d6b86cb12e091d81b819a9 |
| SHA256 | 1215d04cdce43b980f3da80d70689ea148b9e31fa2cddabb0b07222d3f3a47b6 |
| SHA512 | 1b59a09992b3e8c8588afe273100725b60c8bbbf99d7046fea4bb958e6b3a520cf90f5415c7f98f5cdd6369e9c8b9211290e40d5921b353ffeec6164e2f50533 |
memory/5448-906-0x0000000000000000-mapping.dmp
memory/5460-907-0x0000000000000000-mapping.dmp
C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/5460-909-0x00000000008D0000-0x00000000008E2000-memory.dmp
memory/5284-910-0x0000000000000000-mapping.dmp
memory/5596-912-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RBOUzXbIOW.bat
| MD5 | 4de341373f31eacae325ac46ace20fb0 |
| SHA1 | 64336ad918fa2e00500d14f8074eef4bc3e1d6a9 |
| SHA256 | 69036e54d61b80510a59aa84823efcb15faa94a25b9840a3336e549cd44167ef |
| SHA512 | 027a27e1f567f28df045b643aacd8f444e93423527294fcc633e1e9b75c4b298145188ea166b4379afb1c6aa27c212f1492a931c88b64adfaaae57f564554eaa |
memory/5608-913-0x0000000000000000-mapping.dmp
C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/5820-915-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat
| MD5 | fdb53026d0e27f2bd0417b1ba90f0b94 |
| SHA1 | d224dd7ec31563b03e73f55893cebdb7e2592119 |
| SHA256 | ae16ead192c1094d57514b3ac38f6dcc0c5aa9b9f2661ebfd44a8f8dc37d8a2b |
| SHA512 | 76e6480820848df7d440da14610116726f2ef493ee7d9edf05284b3973dc02a6a75d9ef9ff511c949beac6b9fe829b322154f0af9babc0eeb3ccb2a474106b1d |
memory/5424-917-0x0000000000000000-mapping.dmp
memory/5916-918-0x0000000000000000-mapping.dmp
C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/3068-920-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\V3SaMhi525.bat
| MD5 | 76ab68a8972cbbe844302bf8806de464 |
| SHA1 | d1913e1d71b1965c68b04cffe8818af7e3f8b07d |
| SHA256 | 43b175c63e7a89c77323de0cb7d99a4496514bbe768b79db963e3a426c01e9bd |
| SHA512 | 673b108b24e8912832385a86eece9b2fe8044ada1c41b693ad456309c79ef96b98d71be114e1977f1fe943a8e2dee31b05e897a23a6205d138081f6b6f954212 |
memory/4764-922-0x0000000000000000-mapping.dmp
memory/220-923-0x0000000000000000-mapping.dmp
C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/220-925-0x0000000002380000-0x0000000002392000-memory.dmp
memory/3816-926-0x0000000000000000-mapping.dmp
memory/4440-928-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\yWf31kVUUl.bat
| MD5 | d409a80e87c162cbc3611d24b84685d4 |
| SHA1 | abac0c1c107a089131a47a63b14a6727f274becb |
| SHA256 | ce2c9b8c85bd2c75d2f3fce97ffc519584299988bcd55dfb648732ae53913c30 |
| SHA512 | 9db49e75a291b9732164c2fadfe1d5500aca95a02eafb297c1e4c6056c80fffffba892f174cc6f244a1a98f0aeedac7cce545b0ea087cff985e7386b8670c717 |
memory/5680-929-0x0000000000000000-mapping.dmp
C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/5680-931-0x00000000011A0000-0x00000000011B2000-memory.dmp
memory/5100-932-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\0Sh6ipYOoX.bat
| MD5 | cc08685f9e0d1623b4c4bb9d62d93317 |
| SHA1 | 3b346d89d0d1e3a679807c7150e982740e59896a |
| SHA256 | cf2a9b82832787e9a7babd802d1d19e8eb6d9ac075a004a5d384ec4870dba41d |
| SHA512 | 77f5203c0962c5868a485aa9b53558997ac32cc64fd683a5fae464acd9b25b44608dce72d3f615f5220cb9d6aee611cd92e5e94e723d3c851adda1054a7d58e1 |
memory/3540-934-0x0000000000000000-mapping.dmp
memory/4556-935-0x0000000000000000-mapping.dmp
C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4556-937-0x0000000000F10000-0x0000000000F22000-memory.dmp
memory/4736-938-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\mQXsfud8LV.bat
| MD5 | 72b6f50c384447697b7eb99e69f48cb6 |
| SHA1 | 723a06f2b29e630b5498a2eeb9833e1fc09e9b01 |
| SHA256 | 31ca9bf092f06a1a3e5b9322076f21cbf896977a8080864363e11d268c6e773a |
| SHA512 | 66da06c93caac94fe7319f70a1fd783f1c43bb1d978cd329c616a638ecfd8035586cc1d3f1ec2150d8ec20277dacb4b940298a68b304a84bbeec7acdc314df68 |
memory/4236-940-0x0000000000000000-mapping.dmp
memory/4776-941-0x0000000000000000-mapping.dmp
C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4776-943-0x0000000000AC0000-0x0000000000AD2000-memory.dmp
memory/4004-944-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\fmZn61weJC.bat
| MD5 | 539940dcbc1dfb2a93f8dcb00a6c9abe |
| SHA1 | 8afafddc7ca0fccc1960ad2fc399c6cb0da34d07 |
| SHA256 | 8248d904521bfa884e595fc0dcdf2d5fd90e3f48457e54adad700ccd82ca0577 |
| SHA512 | e6f69d2af2485489c9192c2ba843c745bb37c1fc4e95ba6a6aec2eca699aa37ca64da955ce3497769aa69a08242977db50a35edefe232ee922ebc2e6da468de0 |
memory/5736-946-0x0000000000000000-mapping.dmp
memory/4704-947-0x0000000000000000-mapping.dmp
C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4704-949-0x0000000002840000-0x0000000002852000-memory.dmp
memory/4888-950-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\MzhLoGhvPq.bat
| MD5 | e5e8ba84bd0ffb14d3c570089fa46597 |
| SHA1 | 5ef13dba9c4970c948994d485a60bb9983214d96 |
| SHA256 | d815aacea47f122c14ac370249f0b87d7b4a47610cc3d0112dec5a85d7b81b3c |
| SHA512 | 310257f4fdf9303914c6c111b321062c2bcf1c1849107960243dea1e4a802b4e7ca31a2da478b81a74b9fbf1bc7eab57d542d9593e70f0ba68c00c184ed79d55 |
memory/2804-952-0x0000000000000000-mapping.dmp
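The dropped-file records above show one binary (MD5 bd31e94b4143c4ce49c17d3af46bcad0, SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63) written first as C:\providercommon\DllCommonsvc.exe and then repeatedly as C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe, a System32 binary name placed in a directory where it does not belong, interleaved with a run of short-lived .bat files in the user's Temp directory. As an added example, not part of the sandbox report, the Python below parses records in this page's listing format (a path line followed by `| ALG | digest |` rows), groups them by SHA256 to expose a binary dropped under more than one name, flags system-binary names outside System32/SysWOW64, and sweeps a directory tree for the report's hashes. REPORT_EXCERPT is a constructed excerpt built from hashes on the page; the KNOWN_SYSTEM_NAMES list and the stand-in file planted by demo() are assumptions, not material from the report.

```python
"""IOC extraction and host sweep over dropped-file records in this report's format.
Added example, not part of the sandbox report. Hash values come from the page;
paths in demo() and the KNOWN_SYSTEM_NAMES list are assumptions."""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field

# Constructed excerpt in the page's listing format; one memory line shows it is skipped.
REPORT_EXCERPT = r"""
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
memory/5440-808-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5Ad8adCyX4.bat
| MD5 | 4a7162c87abef77d3ebe0cbf2c74583f |
| SHA256 | e928cbb1fd187bf9eec0e87d502096c017e3f6583047417ac2313e30d009bc2f |
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")  # a Windows path line starts a new record
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)  # algorithm -> lowercase hex digest


def parse_report(text):
    """Turn 'path, then | ALG | digest | rows' into DroppedFile records; skip memory lines."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = DroppedFile(path=line)
            records.append(current)
        elif line.startswith("memory/"):
            current = None  # memory-dump entries carry no file hashes
        elif current is not None:
            m = HASH_RE.match(line)
            if m:
                current.hashes[m.group(1)] = m.group(2).lower()
    return records


def same_binary_different_names(records):
    """SHA256 -> sorted paths, restricted to digests written under more than one path."""
    by_hash = {}
    for r in records:
        sha = r.hashes.get("SHA256")
        if sha:
            by_hash.setdefault(sha, set()).add(r.path)
    return {sha: sorted(p) for sha, p in by_hash.items() if len(p) > 1}


# Assumed starter list of names that legitimately live only under System32/SysWOW64.
KNOWN_SYSTEM_NAMES = {"cmd.exe", "svchost.exe", "conhost.exe", "rundll32.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_masquerading(path):
    """True when a system-binary name sits outside the directories it belongs in."""
    low = path.lower()
    return low.rsplit("\\", 1)[-1] in KNOWN_SYSTEM_NAMES and not low.startswith(SYSTEM_DIRS)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, ioc_sha256):
    """Walk root; return sorted (path, digest) pairs whose SHA256 is in the IOC set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                digest = sha256_file(p)
            except OSError:
                continue  # unreadable or vanished file: keep sweeping
            if digest in ioc_sha256:
                hits.append((p, digest))
    return sorted(hits)


def demo():
    """Constructed run: the real sample is not shipped, so a stand-in byte string is
    planted, its digest added to the IOC set, and the sweep must flag only that file."""
    iocs = {r.hashes["SHA256"] for r in parse_report(REPORT_EXCERPT) if "SHA256" in r.hashes}
    planted = b"constructed stand-in for the dropped binary, not the real sample"
    iocs.add(hashlib.sha256(planted).hexdigest())
    with tempfile.TemporaryDirectory() as tmp:
        sub = os.path.join(tmp, "BitLockerDiscoveryVolumeContents")
        os.makedirs(sub)
        with open(os.path.join(sub, "cmd.exe"), "wb") as f:
            f.write(planted)
        with open(os.path.join(tmp, "readme.txt"), "wb") as f:
            f.write(b"benign content")
        return len(sweep(tmp, iocs))


if __name__ == "__main__":
    recs = parse_report(REPORT_EXCERPT)
    for sha, paths in same_binary_different_names(recs).items():
        print(sha[:16], "written as", *paths)
    print("masquerading:", [r.path for r in recs if is_masquerading(r.path)])
    print("sweep hits:", demo())
```

The hash sweep only matches the exact bytes seen in this detonation, so a repacked or rebuilt dropper slips past it; the path check in is_masquerading catches the placement regardless of hash, which is why the two are worth running together rather than relying on either alone.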