Analysis Overview
SHA256
8abb3f35851d869d727ddc4d6caeb4c21e799c5cb0294f417a644217f14281ec
Threat Level: Known bad
The file 8abb3f35851d869d727ddc4d6caeb4c21e799c5cb0294f417a644217f14281ec was found to be: Known bad.
Malicious Activity Summary
DCRat payload
Dcrat family
DcRat
Process spawned unexpected child process
DCRat payload
Executes dropped EXE
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-01 10:41
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-01 10:41
Reported
2022-11-01 10:44
Platform
win10v2004-20220901-en
Max time kernel
151s
Max time network
153s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\providercommon\winlogon.exe | N/A |
| N/A | N/A | C:\providercommon\winlogon.exe | N/A |
| N/A | N/A | C:\providercommon\winlogon.exe | N/A |
| N/A | N/A | C:\providercommon\winlogon.exe | N/A |
| N/A | N/A | C:\providercommon\winlogon.exe | N/A |
| N/A | N/A | C:\providercommon\winlogon.exe | N/A |
| N/A | N/A | C:\providercommon\winlogon.exe | N/A |
| N/A | N/A | C:\providercommon\winlogon.exe | N/A |
| N/A | N/A | C:\providercommon\winlogon.exe | N/A |
| N/A | N/A | C:\providercommon\winlogon.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\providercommon\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8abb3f35851d869d727ddc4d6caeb4c21e799c5cb0294f417a644217f14281ec.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\providercommon\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\providercommon\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\providercommon\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\providercommon\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\providercommon\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\providercommon\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\providercommon\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\providercommon\winlogon.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\providercommon\winlogon.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\upfc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\upfc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\ea1d8f6d871115 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\Microsoft\spoolsv.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\Microsoft\f3b6ecef712a24 | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Fonts\SearchApp.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Fonts\38384e6a620884 | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | C:\providercommon\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | C:\providercommon\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | C:\providercommon\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | C:\providercommon\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | C:\providercommon\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\8abb3f35851d869d727ddc4d6caeb4c21e799c5cb0294f417a644217f14281ec.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | C:\providercommon\DllCommonsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | C:\providercommon\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | C:\providercommon\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | C:\providercommon\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | C:\providercommon\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings | C:\providercommon\winlogon.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8abb3f35851d869d727ddc4d6caeb4c21e799c5cb0294f417a644217f14281ec.exe
"C:\Users\Admin\AppData\Local\Temp\8abb3f35851d869d727ddc4d6caeb4c21e799c5cb0294f417a644217f14281ec.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\upfc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\upfc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\providercommon\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\odt\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Downloads\StartMenuExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Downloads\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Windows\Fonts\SearchApp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Fonts\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Windows\Fonts\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\upfc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\StartMenuExperienceHost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\SearchApp.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AIE64VZ5NR.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\winlogon.exe
"C:\providercommon\winlogon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1e6qhBZ49x.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\winlogon.exe
"C:\providercommon\winlogon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nl4g9d70ax.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\winlogon.exe
"C:\providercommon\winlogon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\winlogon.exe
"C:\providercommon\winlogon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nl4g9d70ax.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\winlogon.exe
"C:\providercommon\winlogon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hiVaTihpWK.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\winlogon.exe
"C:\providercommon\winlogon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z4XVup0LT1.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\winlogon.exe
"C:\providercommon\winlogon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\winlogon.exe
"C:\providercommon\winlogon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3a8tNGcxSj.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\winlogon.exe
"C:\providercommon\winlogon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YzNOjOTGFC.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\winlogon.exe
"C:\providercommon\winlogon.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QLPJAVlmCt.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| BE | 8.238.110.126:80 | tcp | |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
Files
memory/4924-133-0x0000000000000000-mapping.dmp
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
memory/4380-136-0x0000000000000000-mapping.dmp
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2256-137-0x0000000000000000-mapping.dmp
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2256-140-0x00000000000F0000-0x0000000000200000-memory.dmp
memory/2256-141-0x00007FFA06AB0000-0x00007FFA07571000-memory.dmp
memory/4200-142-0x0000000000000000-mapping.dmp
memory/1004-143-0x0000000000000000-mapping.dmp
memory/1112-144-0x0000000000000000-mapping.dmp
memory/1164-147-0x0000000000000000-mapping.dmp
memory/984-146-0x0000000000000000-mapping.dmp
memory/2560-148-0x0000000000000000-mapping.dmp
memory/3728-145-0x0000000000000000-mapping.dmp
memory/1768-149-0x0000000000000000-mapping.dmp
memory/1956-150-0x0000000000000000-mapping.dmp
memory/4200-151-0x0000015D376A0000-0x0000015D376C2000-memory.dmp
memory/2256-152-0x00007FFA06AB0000-0x00007FFA07571000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AIE64VZ5NR.bat
| MD5 | dfd47f511da69e5cb2ec33e419f3701d |
| SHA1 | 6c4526d16eafe3bdaf4805d4e5d50cacd8630c8e |
| SHA256 | bfe259a0b610bdceb19d58a28c2b16934c3c14d27e234a502b822696263793ba |
| SHA512 | 9e7594c7599a375ad26e28eb11a0027d905205ec0934090219aeb17fee38182d8d05e39618eb4b5a3f0e13f38b74a48fd7b4321d941c68e0beade02706d622ec |
memory/2104-154-0x0000000000000000-mapping.dmp
memory/4200-155-0x00007FFA06AB0000-0x00007FFA07571000-memory.dmp
memory/1004-156-0x00007FFA06AB0000-0x00007FFA07571000-memory.dmp
memory/1112-157-0x00007FFA06AB0000-0x00007FFA07571000-memory.dmp
memory/3728-158-0x00007FFA06AB0000-0x00007FFA07571000-memory.dmp
memory/984-159-0x00007FFA06AB0000-0x00007FFA07571000-memory.dmp
memory/1164-160-0x00007FFA06AB0000-0x00007FFA07571000-memory.dmp
memory/2560-161-0x00007FFA06AB0000-0x00007FFA07571000-memory.dmp
memory/1768-162-0x00007FFA06AB0000-0x00007FFA07571000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 440cb38dbee06645cc8b74d51f6e5f71 |
| SHA1 | d7e61da91dc4502e9ae83281b88c1e48584edb7c |
| SHA256 | 8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe |
| SHA512 | 3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6 |
memory/1004-166-0x00007FFA06AB0000-0x00007FFA07571000-memory.dmp
memory/4200-167-0x00007FFA06AB0000-0x00007FFA07571000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 13e5260e039b147eeccccd0e4e68df21 |
| SHA1 | 882c8bfc8205ce8d216f82e3346bd4f494a87219 |
| SHA256 | 053467d5fec0ae72ff57512e1ce5289843f999da4e6cc55fcf883637961688fd |
| SHA512 | 9f22f62a6c64c848c0ec588eb685b9bf26c9ca67c72870d56a7e38fa016b532ad3578347d2f5ba63addff547709db739fd2d1994b8c82e19575061d64d4c1c9a |
memory/1112-168-0x00007FFA06AB0000-0x00007FFA07571000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 13e5260e039b147eeccccd0e4e68df21 |
| SHA1 | 882c8bfc8205ce8d216f82e3346bd4f494a87219 |
| SHA256 | 053467d5fec0ae72ff57512e1ce5289843f999da4e6cc55fcf883637961688fd |
| SHA512 | 9f22f62a6c64c848c0ec588eb685b9bf26c9ca67c72870d56a7e38fa016b532ad3578347d2f5ba63addff547709db739fd2d1994b8c82e19575061d64d4c1c9a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3a6bad9528f8e23fb5c77fbd81fa28e8 |
| SHA1 | f127317c3bc6407f536c0f0600dcbcf1aabfba36 |
| SHA256 | 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05 |
| SHA512 | 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3a6bad9528f8e23fb5c77fbd81fa28e8 |
| SHA1 | f127317c3bc6407f536c0f0600dcbcf1aabfba36 |
| SHA256 | 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05 |
| SHA512 | 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3a6bad9528f8e23fb5c77fbd81fa28e8 |
| SHA1 | f127317c3bc6407f536c0f0600dcbcf1aabfba36 |
| SHA256 | 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05 |
| SHA512 | 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3a6bad9528f8e23fb5c77fbd81fa28e8 |
| SHA1 | f127317c3bc6407f536c0f0600dcbcf1aabfba36 |
| SHA256 | 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05 |
| SHA512 | 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2 |
memory/1164-174-0x00007FFA06AB0000-0x00007FFA07571000-memory.dmp
memory/984-176-0x00007FFA06AB0000-0x00007FFA07571000-memory.dmp
memory/1768-177-0x00007FFA06AB0000-0x00007FFA07571000-memory.dmp
memory/2560-178-0x00007FFA06AB0000-0x00007FFA07571000-memory.dmp
memory/3728-175-0x00007FFA06AB0000-0x00007FFA07571000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3a6bad9528f8e23fb5c77fbd81fa28e8 |
| SHA1 | f127317c3bc6407f536c0f0600dcbcf1aabfba36 |
| SHA256 | 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05 |
| SHA512 | 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2 |
memory/256-179-0x0000000000000000-mapping.dmp
C:\providercommon\winlogon.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
C:\providercommon\winlogon.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/256-182-0x00007FFA06AB0000-0x00007FFA07571000-memory.dmp
memory/2808-183-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1e6qhBZ49x.bat
| MD5 | d58ccc3c2f640fc28b8f021bc392a00b |
| SHA1 | f80b56c72fe60ad87aa6436b3a086fcbb77f15d5 |
| SHA256 | 512cfc0da1cb774f836c763f9647b23ebc6ef6dbffed3794ce8b2883ce5be6a2 |
| SHA512 | 8516b17fd6386915e3ca53ee5b0842fab2f1033bbf730657dc6f3bf10463a0b6ba1066e57f1dc22a6adb770a6f5765f940288f5525e139c870c4cc8ccec2a9e5 |
memory/256-186-0x00007FFA06AB0000-0x00007FFA07571000-memory.dmp
memory/3764-185-0x0000000000000000-mapping.dmp
memory/1392-187-0x0000000000000000-mapping.dmp
C:\providercommon\winlogon.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winlogon.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
memory/1392-190-0x00007FFA06AB0000-0x00007FFA07571000-memory.dmp
memory/2724-191-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\nl4g9d70ax.bat
| MD5 | 39a1115652b4e638100ec5e710b9de69 |
| SHA1 | bf2e756d1730d763571762090326da48f73f9652 |
| SHA256 | c3699da18808ffc1254e711f821f5a47ba1cdc0f67bc0faf4407fd0911d4ab30 |
| SHA512 | fa31ea6bbf5b7bd38f9ff5a20bf658307dc9757225247a1e5e811077cf5f989e9c4293f95e1f3245208ae2fc1d295c3652e3145c17c93c9935e0b8d67e24d33a |
memory/4380-193-0x0000000000000000-mapping.dmp
memory/1392-194-0x00007FFA06AB0000-0x00007FFA07571000-memory.dmp
memory/3756-195-0x0000000000000000-mapping.dmp
C:\providercommon\winlogon.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/3756-197-0x00007FFA06AB0000-0x00007FFA07571000-memory.dmp
memory/2128-198-0x0000000000000000-mapping.dmp
memory/4772-200-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat
| MD5 | a22cc7ba75679ee7f23342422aca0fd3 |
| SHA1 | 7d2372c9e57f6b34b7c5447d28ef0dcd90014f11 |
| SHA256 | ae7a364bff344b22d6a59f8608aefb1f4ccfffda9d0cb9c81ffd95ca23dae42e |
| SHA512 | 5bdcdc1d635d1eb784be57d495ed3fbfd97e6fb99e793d32654583a31818b9c17036ac20c33c2bb4e86fcdfac2b5df4b61a4041237bd7900e55f77d0a59fe35b |
memory/3756-201-0x00007FFA06AB0000-0x00007FFA07571000-memory.dmp
memory/1148-202-0x0000000000000000-mapping.dmp
C:\providercommon\winlogon.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/1148-204-0x00007FFA06AB0000-0x00007FFA07571000-memory.dmp
memory/4924-205-0x0000000000000000-mapping.dmp
memory/2824-207-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\nl4g9d70ax.bat
| MD5 | 39a1115652b4e638100ec5e710b9de69 |
| SHA1 | bf2e756d1730d763571762090326da48f73f9652 |
| SHA256 | c3699da18808ffc1254e711f821f5a47ba1cdc0f67bc0faf4407fd0911d4ab30 |
| SHA512 | fa31ea6bbf5b7bd38f9ff5a20bf658307dc9757225247a1e5e811077cf5f989e9c4293f95e1f3245208ae2fc1d295c3652e3145c17c93c9935e0b8d67e24d33a |
memory/1148-208-0x00007FFA06AB0000-0x00007FFA07571000-memory.dmp
memory/5096-209-0x0000000000000000-mapping.dmp
C:\providercommon\winlogon.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/5096-211-0x00007FFA06AB0000-0x00007FFA07571000-memory.dmp
memory/4932-212-0x0000000000000000-mapping.dmp
memory/1028-214-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\hiVaTihpWK.bat
| MD5 | 2c5c363f45eb2cea9e058b5edbfd0dde |
| SHA1 | 7142fa14c79f60939c468ab9ab4a57079dae0d27 |
| SHA256 | 36248fcd21e3adcd071112268110327eb5c9f44812fcec0c9cb177ae0e9d11e1 |
| SHA512 | 41e2c6b86a5bc6de52ba438bd59c8c260cbfccb533e052efd6bb537db25a6f9c4106c84020a42256b1f07c3d08690e97e83935529d2f9a1b8456f16278daf65c |
memory/5096-215-0x00007FFA06AB0000-0x00007FFA07571000-memory.dmp
memory/4288-216-0x0000000000000000-mapping.dmp
C:\providercommon\winlogon.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4288-218-0x00007FFA06FA0000-0x00007FFA07A61000-memory.dmp
memory/3708-219-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Z4XVup0LT1.bat
| MD5 | e037277f642f4e9ccff2082b4e85eefc |
| SHA1 | 80d880fb731d048ffd2006636501de60334fdfde |
| SHA256 | 1ff104ee371a738c0ccc9b67547e3041c6faa828cd3819d7e98a20de5209f7b5 |
| SHA512 | fc2f3d4ecd41897f9e164b3b1fe6b852637b907bc4684218dec10a85a250fc1f582f96f572df44cfee65e4ff46b626bc7d1fd3705938d5fe2acd580a8ad937a7 |
memory/4276-221-0x0000000000000000-mapping.dmp
memory/4288-222-0x00007FFA06FA0000-0x00007FFA07A61000-memory.dmp
memory/4336-223-0x0000000000000000-mapping.dmp
C:\providercommon\winlogon.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4336-225-0x00007FFA06FA0000-0x00007FFA07A61000-memory.dmp
memory/2624-226-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat
| MD5 | 4920d04ff6b2b51fba6e2365876f2b5c |
| SHA1 | c0f4e09b8546f692bebc02359c1efa0c3c5de6f8 |
| SHA256 | 1107ae8bbfdc00dd8a08ca9d6bc13517b1453b95aff93a0be0c2b911e5c78691 |
| SHA512 | facfb4bdb98693e2f5c7fe16635195d6f907b751801d11159cdb6a65459fe3b5cee5d0b177b9cb71102fcc013eb6a095ad8859bee83021177c183d5d77f34e7a |
memory/3032-228-0x0000000000000000-mapping.dmp
memory/4336-229-0x00007FFA06FA0000-0x00007FFA07A61000-memory.dmp
memory/228-230-0x0000000000000000-mapping.dmp
C:\providercommon\winlogon.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/228-232-0x00007FFA06FA0000-0x00007FFA07A61000-memory.dmp
memory/2832-233-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3a8tNGcxSj.bat
| MD5 | 6b964e6e038803689b627660f1e3b0f7 |
| SHA1 | 2b8a336d17cfe174a99bfb03f1cb7e2420d95311 |
| SHA256 | 3848304b2aa8c0fc33d87dc8eaa14d85b13aa69302bb78311a5926948f6a819c |
| SHA512 | 93f45bc863f6b8ce3e2efee6da5058829cb366d6e38e6cac42e6b80fde0fe9e88e01b5bae8bb1898f8a1f5249c092cccb79c518e9891fd7e5e3f2999b0e47023 |
memory/2332-235-0x0000000000000000-mapping.dmp
memory/228-236-0x00007FFA06FA0000-0x00007FFA07A61000-memory.dmp
memory/3664-237-0x0000000000000000-mapping.dmp
C:\providercommon\winlogon.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/3664-239-0x00007FFA06FA0000-0x00007FFA07A61000-memory.dmp
memory/1748-240-0x0000000000000000-mapping.dmp
memory/1892-242-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\YzNOjOTGFC.bat
| MD5 | 99d334b71c2c01b21def789dcace2327 |
| SHA1 | e50fe4621cf3cadffe4be42190e6b30848e289d8 |
| SHA256 | 07795f5d1250b6e5296fad1bdd6989a4eae469ce6a54a9f519a365962aaf839a |
| SHA512 | 71ff1059a76d0d5c963c096ee7690ffb5cb9d13ea2f3bc4c1c7bd90d24195513a3ebffd52496f609761489a60acdcdb7f7edc891f0d3e30e09286f4073aa1f16 |
memory/3664-243-0x00007FFA06FA0000-0x00007FFA07A61000-memory.dmp
memory/4976-244-0x0000000000000000-mapping.dmp
C:\providercommon\winlogon.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4976-246-0x00007FFA06FA0000-0x00007FFA07A61000-memory.dmp
memory/4860-247-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\QLPJAVlmCt.bat
| MD5 | 1b0bbd10531ddec3e503f80f9bebe0f8 |
| SHA1 | 12c2afeec8e1c3a7900be73153487609fd7e0ccf |
| SHA256 | b56c9fe7745cf476d3ca7752b84dab826d0f3797c5e8c630556e4e4e57ee5c8a |
| SHA512 | fa3183d417505064a9c4a9b51833db8e1781eb054e9bb6081d95c8e1a029eed5b1dde38066b32c9ecb23aa915fe1059d39fb2ba877e5bd413bcc84fd5c0103aa |
memory/3540-249-0x0000000000000000-mapping.dmp
memory/4976-250-0x00007FFA06FA0000-0x00007FFA07A61000-memory.dmp