Analysis Overview
SHA256
c3696a495682e0596f2cef84c0cc2050db2a6b1845a16cf23ce16b4c1c3d384b
Threat Level: Known bad
The file c3696a495682e0596f2cef84c0cc2050db2a6b1845a16cf23ce16b4c1c3d384b was found to be: Known bad.
Malicious Activity Summary
DCRat payload
Process spawned unexpected child process
Dcrat family
DcRat
DCRat payload
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-01 11:36
Signatures
DCRat payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Dcrat family
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-01 11:36
Reported
2022-11-01 11:38
Platform
win10-20220812-en
Max time kernel
148s
Max time network
145s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
|---|---|---|---|
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Windows\addins\sihost.exe | N/A |
| N/A | N/A | C:\Windows\addins\sihost.exe | N/A |
| N/A | N/A | C:\Windows\addins\sihost.exe | N/A |
| N/A | N/A | C:\Windows\addins\sihost.exe | N/A |
| N/A | N/A | C:\Windows\addins\sihost.exe | N/A |
| N/A | N/A | C:\Windows\addins\sihost.exe | N/A |
| N/A | N/A | C:\Windows\addins\sihost.exe | N/A |
| N/A | N/A | C:\Windows\addins\sihost.exe | N/A |
| N/A | N/A | C:\Windows\addins\sihost.exe | N/A |
| N/A | N/A | C:\Windows\addins\sihost.exe | N/A |
| N/A | N/A | C:\Windows\addins\sihost.exe | N/A |
| N/A | N/A | C:\Windows\addins\sihost.exe | N/A |
| N/A | N/A | C:\Windows\addins\sihost.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\088424020bedd6 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\conhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\conhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\Speech_OneCore\Engines\Lexicon\5940a34987c991 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\addins\sihost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\addins\66fc9ff0ee96c2 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Speech_OneCore\Engines\Lexicon\dllhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\providercommon\DllCommonsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Windows\addins\sihost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Windows\addins\sihost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Windows\addins\sihost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Windows\addins\sihost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Windows\addins\sihost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Windows\addins\sihost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Windows\addins\sihost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Windows\addins\sihost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\c3696a495682e0596f2cef84c0cc2050db2a6b1845a16cf23ce16b4c1c3d384b.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Windows\addins\sihost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Windows\addins\sihost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Windows\addins\sihost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Windows\addins\sihost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c3696a495682e0596f2cef84c0cc2050db2a6b1845a16cf23ce16b4c1c3d384b.exe
"C:\Users\Admin\AppData\Local\Temp\c3696a495682e0596f2cef84c0cc2050db2a6b1845a16cf23ce16b4c1c3d384b.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 7 /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\odt\ShellExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\addins\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 14 /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\SearchUI.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\DllCommonsvc.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TeQomSDh46.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\sihost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\ShellExperienceHost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech_OneCore\Engines\Lexicon\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\SearchUI.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\conhost.exe'
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 7 /tr "'C:\odt\SearchUI.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\providercommon\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\odt\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Favorites\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Favorites\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Favorites\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Windows\addins\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\sihost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\dllhost.exe'" /rl HIGHEST /f
C:\Windows\addins\sihost.exe
"C:\Windows\addins\sihost.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 5 /tr "'C:\odt\SearchUI.exe'" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z9xTb8lNHs.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\addins\sihost.exe
"C:\Windows\addins\sihost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\addins\sihost.exe
"C:\Windows\addins\sihost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z9xTb8lNHs.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\addins\sihost.exe
"C:\Windows\addins\sihost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\addins\sihost.exe
"C:\Windows\addins\sihost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\addins\sihost.exe
"C:\Windows\addins\sihost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w2PRcJO5W1.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\addins\sihost.exe
"C:\Windows\addins\sihost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aTd08pZfDw.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\addins\sihost.exe
"C:\Windows\addins\sihost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CrTeqwt2Oo.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\addins\sihost.exe
"C:\Windows\addins\sihost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yyRUJOSyqo.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\addins\sihost.exe
"C:\Windows\addins\sihost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nl6pt1R060.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\addins\sihost.exe
"C:\Windows\addins\sihost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzqLwOyuSO.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\addins\sihost.exe
"C:\Windows\addins\sihost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\addins\sihost.exe
"C:\Windows\addins\sihost.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| NL | 52.178.17.3:443 | | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| NL | 178.79.208.1:80 | | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
Files
memory/4236-120-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-121-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-122-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-125-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-128-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-127-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-133-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-135-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-134-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-138-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-140-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-139-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-137-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-136-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-132-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-141-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-131-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-130-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-142-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-143-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-144-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-129-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-147-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-150-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-151-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-152-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-153-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-154-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-149-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-148-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-146-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-145-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-124-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-119-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-155-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-156-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-157-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-159-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-161-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-162-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-160-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-158-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-163-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-164-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-165-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-166-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-167-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-169-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-171-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-173-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-172-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-170-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-168-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-174-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-175-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-177-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-176-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-178-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-179-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-180-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-182-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/4236-181-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/3576-185-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/3576-184-0x0000000076E80000-0x000000007700E000-memory.dmp
memory/3576-183-0x0000000000000000-mapping.dmp
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
memory/4496-259-0x0000000000000000-mapping.dmp
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/1316-285-0x0000000000920000-0x0000000000A30000-memory.dmp
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/1316-282-0x0000000000000000-mapping.dmp
memory/1316-286-0x0000000001140000-0x0000000001152000-memory.dmp
memory/1316-287-0x0000000002A80000-0x0000000002A8C000-memory.dmp
memory/1316-289-0x0000000002AA0000-0x0000000002AAC000-memory.dmp
memory/1316-288-0x0000000002A90000-0x0000000002A9C000-memory.dmp
memory/1212-300-0x0000000000000000-mapping.dmp
memory/4164-303-0x0000000000000000-mapping.dmp
memory/2624-298-0x0000000000000000-mapping.dmp
memory/1908-346-0x0000024E25CC0000-0x0000024E25CE2000-memory.dmp
memory/4592-343-0x0000000000000000-mapping.dmp
memory/1048-353-0x0000021C282D0000-0x0000021C28346000-memory.dmp
memory/4612-348-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\TeQomSDh46.bat
| MD5 | 71690e3cefbb38040ca32a39d0f58772 |
| SHA1 | dbebc5a01c065d1732684a57e06c59161592f5ff |
| SHA256 | 295fbd6cc95bedba7589150dcfe4346c9f1c57d9b77c0eae2dc0541e824ebb5a |
| SHA512 | 35005cf28f6e5de331e97785fb4d618f9094b0697fda78c1bd11a891fdab7b4a0158b05db33459f569a6a4d173b6f0447a66a27e88a62e59a1abfc50c4cd9c29 |
memory/2508-297-0x0000000000000000-mapping.dmp
memory/3344-296-0x0000000000000000-mapping.dmp
memory/204-295-0x0000000000000000-mapping.dmp
memory/3388-294-0x0000000000000000-mapping.dmp
memory/3408-293-0x0000000000000000-mapping.dmp
memory/816-292-0x0000000000000000-mapping.dmp
memory/1908-291-0x0000000000000000-mapping.dmp
memory/1048-290-0x0000000000000000-mapping.dmp
memory/2224-606-0x0000000000000000-mapping.dmp
C:\Windows\addins\sihost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
C:\Windows\addins\sihost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2224-639-0x00000000015F0000-0x0000000001602000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fa366de96c6a8b5fa476a522d53296c5 |
| SHA1 | 327cb5c81735f30b5d41a8ed9b469aff827227e9 |
| SHA256 | 84a1fa9bf57ff953b568802272747a3f8749678da78cd3b3ad3ae7a6d19caf22 |
| SHA512 | f93a42a1222f55c2f5456f9577d6bb88442ce12897025a0e72665a39eaa303679d9417e7f0269f07433d1b62edca52c8c9d554c630f56c31cfb7596638e44c6b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 438866b18db37c0a6cce03c7a9dc8efe |
| SHA1 | 10334348f0535618938fa9de9d966aea941f8ac9 |
| SHA256 | 147f32eeb82d505e18d7c1db7adfde57e0ee95b5ebb5083b50f329e0030d3b6b |
| SHA512 | 3b93c8db469c873a190cd69b5cc21d9a57eea95f4c728bb46ebd2e07646ebe93234fdb588b20ae6a3643956699065d7666954b3968bd86713ab4bdc69388e854 |
memory/3832-685-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\z9xTb8lNHs.bat
| MD5 | df0d72e6751ede3d32d0d6e337f9875f |
| SHA1 | 25a5e29b6c9b70648d484865853b93c05c844bc9 |
| SHA256 | 7de1f1bcfc34a65d66feab9a19e6e2612ec5f111430e1b68ac64cba4643ad1ab |
| SHA512 | c345a95fcdd6f1b77da4f8d64f6e67bf11456c94ffdb7097832c4f1585a6e3ed3d0fdba5a81d48ec6f611fe51bc98322648513744e1a487b285509abf85c88c2 |
memory/5112-682-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 17e952dd76815c2779e2b07c8b4a74af |
| SHA1 | 660be13fca327bcb5766849be6d864c30ab7c546 |
| SHA256 | 8a824e0a3dcea2dff871a45f9104d7f569cf2137a7d733ab425c3a860e334db9 |
| SHA512 | 0002b5fe0866b5cf0a7f2c7751a763be62ba92eeb52811819045e781f2d29a73619b6cc6574afe496590522473f66a823bbf89b2295ff58348dd79e9563e481b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 91481f12aabf4281c70a4c021d394fce |
| SHA1 | f80242317d997c130ac1575147232d84fb148ab0 |
| SHA256 | 60562bc49975a547b33c20ad9d6e08df9d0b15bddc417ec1a8c1f39c36a88bc5 |
| SHA512 | f96221f33a3a5923cd857a9982a4070335e9582a09a1e0d406380dee4ecfa6f74a2c815a0c1b6208d917ffd8f9d0c3afc1adc536589e019344986947e6b46536 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 91481f12aabf4281c70a4c021d394fce |
| SHA1 | f80242317d997c130ac1575147232d84fb148ab0 |
| SHA256 | 60562bc49975a547b33c20ad9d6e08df9d0b15bddc417ec1a8c1f39c36a88bc5 |
| SHA512 | f96221f33a3a5923cd857a9982a4070335e9582a09a1e0d406380dee4ecfa6f74a2c815a0c1b6208d917ffd8f9d0c3afc1adc536589e019344986947e6b46536 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ad6ce0f6cc83faff98595c7e1f17b896 |
| SHA1 | 7914de44c8a333a3df38eb79620b3f08858fa4ad |
| SHA256 | b8e57cc7e51f60ca79334054f1edf60d4dd4476282890f4810a65eb6378f0079 |
| SHA512 | c70acc8c01b65f72207b7a6d93921c41d89d2b0c41973274d8680bdf09160354fd958cc72b41ef414b367e017e4be71f5c8c0ba85c4e4ab85c590ebac0150719 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 325ba7c3266373711c72fa591e381ca3 |
| SHA1 | d16f8386bd2e3792a56dc50569266877f65cc0c1 |
| SHA256 | 71df852f809578511b4edfc899edd474e540742be217ec5af6c13c0623051242 |
| SHA512 | 97c0dd863c22d902c3cbc994b055ec0cabfc4176555a0c4e73a05989d1485175f4e5ae094dc92e99f6342d0cdfb64e5e94c3604104c6d074d8001e2aa7db8c63 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 325ba7c3266373711c72fa591e381ca3 |
| SHA1 | d16f8386bd2e3792a56dc50569266877f65cc0c1 |
| SHA256 | 71df852f809578511b4edfc899edd474e540742be217ec5af6c13c0623051242 |
| SHA512 | 97c0dd863c22d902c3cbc994b055ec0cabfc4176555a0c4e73a05989d1485175f4e5ae094dc92e99f6342d0cdfb64e5e94c3604104c6d074d8001e2aa7db8c63 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | ad5cd538ca58cb28ede39c108acb5785 |
| SHA1 | 1ae910026f3dbe90ed025e9e96ead2b5399be877 |
| SHA256 | c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033 |
| SHA512 | c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 02a019f0a061d1a48d160465b5e632de |
| SHA1 | 240081b27e884c8f7b2038929a743e53b6a14ac7 |
| SHA256 | be0143a8383b2ad9b23331773e4cf85cfdd61c34a02fd68563e30ea40fa9287f |
| SHA512 | 09740cab0be6760f3aebae6cb9de1eb317030cbbf19a4785ddcbf9d7023c5beeb45b6a8cd695cbbe56c44665b13b2949e214da6653ca2f05b63e6a03907118ec |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log
| MD5 | d63ff49d7c92016feb39812e4db10419 |
| SHA1 | 2307d5e35ca9864ffefc93acf8573ea995ba189b |
| SHA256 | 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12 |
| SHA512 | 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a |
C:\Windows\addins\sihost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/3676-686-0x0000000000000000-mapping.dmp
memory/3676-689-0x0000000000C20000-0x0000000000C32000-memory.dmp
memory/4684-690-0x0000000000000000-mapping.dmp
memory/4340-692-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat
| MD5 | ca98d0d30b65b9a90928a5db8c1c0dd9 |
| SHA1 | cf64fb1145eec1fe817925aa948e801f131f616c |
| SHA256 | e33fc417e02b03a758f52e56dd918a9423bda1f253fd908c69c0593e77ffced1 |
| SHA512 | 16ce23d992101d79ab9c17b493fc453b0897e1a443aa2fb8fcaf665056420b149f3fd34436120c7fb825d8c92c1c4ee1e08519d843e46dfa199fff0105f4fcff |
C:\Windows\addins\sihost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4696-693-0x0000000000000000-mapping.dmp
memory/4696-695-0x0000000000820000-0x0000000000832000-memory.dmp
memory/4408-696-0x0000000000000000-mapping.dmp
memory/3672-698-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\z9xTb8lNHs.bat
| MD5 | df0d72e6751ede3d32d0d6e337f9875f |
| SHA1 | 25a5e29b6c9b70648d484865853b93c05c844bc9 |
| SHA256 | 7de1f1bcfc34a65d66feab9a19e6e2612ec5f111430e1b68ac64cba4643ad1ab |
| SHA512 | c345a95fcdd6f1b77da4f8d64f6e67bf11456c94ffdb7097832c4f1585a6e3ed3d0fdba5a81d48ec6f611fe51bc98322648513744e1a487b285509abf85c88c2 |
memory/3680-699-0x0000000000000000-mapping.dmp
C:\Windows\addins\sihost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/5088-701-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat
| MD5 | 20a15bea2af2bbee568898a0f3889e02 |
| SHA1 | 22730eebc0f4bbeca1e38a82e98cc893ea223f70 |
| SHA256 | 0ba59b55ea723021c9237f9fbea5b107d86eee67a7db3e4a1f8680d4ee8334bf |
| SHA512 | 152abdb0f4143366f7c7a99544ec1624b2ea056d202dd8a89313b0a60a5da80a49fad7ed78e77156dfcc0370776c90d6c7117000904189e90fd942520c8e4cc6 |
memory/2052-703-0x0000000000000000-mapping.dmp
memory/3388-704-0x0000000000000000-mapping.dmp
C:\Windows\addins\sihost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4052-706-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat
| MD5 | f34daa47e943522c0f3ad5287863f7bc |
| SHA1 | b2e4f9c75573a225929de89d898fe127875f0133 |
| SHA256 | 3cf0bbe2ee0b1ee409d82a22002bedcbb3c691fc2783a33cdf5ccbf9197fbba0 |
| SHA512 | c8d6452b6805c4fb60459e0de4512c082af9ffbb6a7b35bfa290e66d06d0e0ce068f187bbda87331057eee0f9ac83e4edfbb76ad3274b51461d55436d1ec6b2a |
memory/1280-708-0x0000000000000000-mapping.dmp
memory/1220-709-0x0000000000000000-mapping.dmp
C:\Windows\addins\sihost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4716-711-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\w2PRcJO5W1.bat
| MD5 | e35bf0f3a67c910f59264a0f0fe7b92b |
| SHA1 | 2bfa071ea51aef75644ca42b2e88f6b98d2c81b6 |
| SHA256 | 10b51a2efa4ecac4e5165ded7f50f450d858507d1a3dad6f2184fcdee4c0a460 |
| SHA512 | d55f9fa5473603e7c945dcd0f37f046381dd33d4441f282dbcf9a256d773f43e74af57b20dcd19310bec52da759c7937253c47690be41cd3d4dbdcf2023a9d14 |
memory/3688-713-0x0000000000000000-mapping.dmp
memory/416-714-0x0000000000000000-mapping.dmp
C:\Windows\addins\sihost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2724-716-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\aTd08pZfDw.bat
| MD5 | 934889a4e1fb725807bac0e6482492b3 |
| SHA1 | bee0b2f446f19f8bb31363063e1a024b2e827fc9 |
| SHA256 | 0e1c91530655e242750c083bf1a0f49ad1236d23aafe8de67e6aa4f66c34bd77 |
| SHA512 | 712ab20d007f72d9fd599b3c0c36139642f34b43e34e407eda14715509322d6fd8890026f746f7198c6dfeded451bcee27b633b5b2ff94510f6d9065823c0fc2 |
memory/1748-718-0x0000000000000000-mapping.dmp
memory/4712-719-0x0000000000000000-mapping.dmp
C:\Windows\addins\sihost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/5032-721-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\CrTeqwt2Oo.bat
| MD5 | 237561babddf8d638a30baec71d52fa3 |
| SHA1 | 5f681941f767c865a93e28152c6b75d1edf901d5 |
| SHA256 | c8cfa62d55233d5ba7f59f474ead575f65fd8322b776c409084f466bb416ab65 |
| SHA512 | ab5db6539da2b9e4bc2ab2a51380201204e37d3aed9ddbdb5db8d6e723118177e80f79ea4059d07affd77ebca951c072c65d9c3862cf84d64a0b7b017d2c9bde |
memory/2468-723-0x0000000000000000-mapping.dmp
memory/4584-724-0x0000000000000000-mapping.dmp
C:\Windows\addins\sihost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4584-726-0x0000000001620000-0x0000000001632000-memory.dmp
memory/32-727-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\yyRUJOSyqo.bat
| MD5 | 0a4215511608b8893b6158e46327c860 |
| SHA1 | 17e538a3d698f52028f35d3e33f48efcb70f0892 |
| SHA256 | f89adffec88786018758be9a1637fdc81f9278b797925a7ed831472aa26478c2 |
| SHA512 | 4fee364d4ffad0599b174e717614b4f24f80c2732262151bf0ca09176578bd22e26f4c4ca4342e595eceeb7bb99361423efa3a378491c53176d3909b6d43b8e8 |
memory/4024-729-0x0000000000000000-mapping.dmp
memory/3316-730-0x0000000000000000-mapping.dmp
C:\Windows\addins\sihost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4912-732-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Nl6pt1R060.bat
| MD5 | da578db8e7b1bbec052458ada2354a03 |
| SHA1 | dc48c6cac634ef0c9d5dcd64b925664de3d48ebe |
| SHA256 | ea623f3f959758328560064b7f2f8dc97a448dd5b8bf6356d55e616decd08128 |
| SHA512 | dd573f8a3bb5dfc1eaf4fc3ea6e5146af05212cbc9620cf66774576d3c969bf27c7ccad2e41c86900e1fcce610cc5da88c65eb71ed8ade6f517a711acd489422 |
memory/2224-734-0x0000000000000000-mapping.dmp
memory/3460-735-0x0000000000000000-mapping.dmp
C:\Windows\addins\sihost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/3524-737-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\qzqLwOyuSO.bat
| MD5 | 7bc7e4b5924094ee62b95fb0d6eb855e |
| SHA1 | acfe8493715eac24eee9d8aee16fda24939d9b8b |
| SHA256 | 41f1bf4396e999468648e4132fe5c4a33d0e227bb52b7733b2b825914a6f7131 |
| SHA512 | 03afde1a043c30a01400ca14108bc35f166791dd5a94f26234300b8b5d090681a613417da5910a4f6f27174302c9117b6ba2c999cd9c1a7b9828a724f2f76731 |
memory/1624-739-0x0000000000000000-mapping.dmp
memory/4512-740-0x0000000000000000-mapping.dmp
C:\Windows\addins\sihost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4512-742-0x0000000001660000-0x0000000001672000-memory.dmp
memory/4684-743-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat
| MD5 | 68d7058740841eb184f3e1ce5d8eb796 |
| SHA1 | 99263232d574cb9aae2e2e4a3269e36575219be0 |
| SHA256 | 030ea6e015b0b3285d9550ee9a3de60ca5f6c7fa5dedfdb6f158c77f8980a59f |
| SHA512 | 8335184816f2d0667e51cc4f8449cf27b866cdb496a1376b2a1fab00977f6e5bc49930c76429f55689db98906236f0a7537308eed214ba7c9451ba71bc2d4975 |
memory/4596-745-0x0000000000000000-mapping.dmp
memory/4396-746-0x0000000000000000-mapping.dmp
C:\Windows\addins\sihost.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4396-748-0x0000000002B40000-0x0000000002B52000-memory.dmp