Analysis Overview
SHA256
ba665578392cebad6c0225ffd7da0e4d2b85691f9a979a19d366626393d1684c
Threat Level: Known bad
The file ba665578392cebad6c0225ffd7da0e4d2b85691f9a979a19d366626393d1684c was found to be: Known bad.
Malicious Activity Summary
DcRat
Dcrat family
DCRat payload
Process spawned unexpected child process
DCRat payload
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Analysis: static1
Detonation Overview
Reported
2022-11-01 11:37
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-01 11:37
Reported
2022-11-01 11:40
Platform
win10-20220812-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\odt\csrss.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Windows Mail\en-US\dllhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Mail\en-US\5940a34987c991 | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\it-IT\dllhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\it-IT\5940a34987c991 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\debug\DllCommonsvc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\debug\a76d7bf15d8370 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\TAPI\sppsvc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\TAPI\0a1fd5f707cd16 | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | C:\odt\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\ba665578392cebad6c0225ffd7da0e4d2b85691f9a979a19d366626393d1684c.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ba665578392cebad6c0225ffd7da0e4d2b85691f9a979a19d366626393d1684c.exe
"C:\Users\Admin\AppData\Local\Temp\ba665578392cebad6c0225ffd7da0e4d2b85691f9a979a19d366626393d1684c.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\odt\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\providercommon\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\odt\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\en-US\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\en-US\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\it-IT\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\it-IT\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\it-IT\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Windows\debug\DllCommonsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\debug\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\DllCommonsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Videos\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Videos\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Videos\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\TAPI\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\TAPI\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\TAPI\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchUI.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\ShellExperienceHost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\sppsvc.exe'
C:\odt\csrss.exe
"C:\odt\csrss.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Videos\smss.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\odt\csrss.exe
"C:\odt\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ctDgUbHuaY.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\odt\csrss.exe
"C:\odt\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\odt\csrss.exe
"C:\odt\csrss.exe"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F8wGhM86rN.bat"
C:\odt\csrss.exe
"C:\odt\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jhJpXqSaXt.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\odt\csrss.exe
"C:\odt\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\odt\csrss.exe
"C:\odt\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F8wGhM86rN.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\odt\csrss.exe
"C:\odt\csrss.exe"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5EJ4eIa89C.bat"
C:\odt\csrss.exe
"C:\odt\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\odt\csrss.exe
"C:\odt\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pakqiPPahT.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\odt\csrss.exe
"C:\odt\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wOqzmeZFfo.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 52.168.117.169:443 | | tcp |
| US | 8.253.208.121:80 | | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
C:\odt\csrss.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat
| MD5 | 4d00dc1326c359289baf6301b8df5b9a |
| SHA1 | 091525f2ca119b2882dcee79ce72eddd5637a496 |
| SHA256 | 34062c0cb1b44b951bff0a64f03f0af4233f1707d0aff98f25ce9ae414dae199 |
| SHA512 | f6cabf7d4c367aa3c55e44f3e574926d10c5a4ba6b28eb4262f71fab3e8393822ec46d7c4d33807cb5b0e97956f5a507aaf228b118b1902566b91c2d7f731b13 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log
| MD5 | d63ff49d7c92016feb39812e4db10419 |
| SHA1 | 2307d5e35ca9864ffefc93acf8573ea995ba189b |
| SHA256 | 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12 |
| SHA512 | 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e186e7843427f675720aa5a44346fcc5 |
| SHA1 | 61e2258b3f3134a2e59cb7c702cc42f016d365e5 |
| SHA256 | 60cdf598b71610e2ddc0ad3dd8ae885b6857a37ec076dee33e619a9161d1f103 |
| SHA512 | 2d81c68a9efb1b402d74756d8a7d2aa1e37c0c7d6fdf15aea621792ef8673a9bfdbcbd032bf813ea917dc4167f441307bcf1d17cc0dac1fc14f2d1e6247fc396 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8592ba100a78835a6b94d5949e13dfc1 |
| SHA1 | 63e901200ab9a57c7dd4c078d7f75dcd3b357020 |
| SHA256 | fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c |
| SHA512 | 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e186e7843427f675720aa5a44346fcc5 |
| SHA1 | 61e2258b3f3134a2e59cb7c702cc42f016d365e5 |
| SHA256 | 60cdf598b71610e2ddc0ad3dd8ae885b6857a37ec076dee33e619a9161d1f103 |
| SHA512 | 2d81c68a9efb1b402d74756d8a7d2aa1e37c0c7d6fdf15aea621792ef8673a9bfdbcbd032bf813ea917dc4167f441307bcf1d17cc0dac1fc14f2d1e6247fc396 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9dae9b10fed8464da520d9f01d3ea2f9 |
| SHA1 | 77dc9f45640dbf10aff6965f3c28c7ae24f99213 |
| SHA256 | ca2de87fede2a4569fc09b5409edbb344d8b7e1e0e2bd606ee3ce201f6586d7d |
| SHA512 | b71ef41da8ab9df34b7498f5a6d8cc47e21a983b6d8fe4085167f251ef974783eb9fe0e67b8df9dd9de0a1e101cf2beaec822e828cdcf2aa505fb24ffd6eed1e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5c441da4958f384fd8d1766ecbe94e2e |
| SHA1 | c011ba96e01475dae49b26989af1ef101c566257 |
| SHA256 | db930b7eebc26051c4271be1d3b4283a74ae543680112f66db90f941c2ab042e |
| SHA512 | cca99d0ac36896f50b949b7bd14e6837251145fc3bc142d6974cbb95771adfcf31885333aa8b309dcfe602b46b799ecb2030eee33b40ffb285693384ec08b892 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8720ec8dc9cf5a8dccd0791358ef583a |
| SHA1 | ad7749c1185d6907c45fc608ecb8da473203ebc8 |
| SHA256 | ffb97d747261a663800ba0410abe104f6e9ed4d78d007ae571adcfd258aaefec |
| SHA512 | 19ff1289ad07a54fd8c662a71948145a50c33443481db81f2f76cb02dac4b9c1562f8bec2c7d32f996a38510ca0746584e5d1a1617fb6b841da467cdf5cf6626 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8720ec8dc9cf5a8dccd0791358ef583a |
| SHA1 | ad7749c1185d6907c45fc608ecb8da473203ebc8 |
| SHA256 | ffb97d747261a663800ba0410abe104f6e9ed4d78d007ae571adcfd258aaefec |
| SHA512 | 19ff1289ad07a54fd8c662a71948145a50c33443481db81f2f76cb02dac4b9c1562f8bec2c7d32f996a38510ca0746584e5d1a1617fb6b841da467cdf5cf6626 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ebea9b8d2699f2183c589dd046404b99 |
| SHA1 | cb2142ccfbbc0bbbe4d012f3700296ef75b5a59c |
| SHA256 | 4ae97535e164335db434c0a153d9d1700c8bcfca80066838417bec82569df35a |
| SHA512 | 061d1dd947bdf30623aaa7d829f965bfb5a8a41bd9867af561b3bde0ba5018386c7d1c48757652f7c40e608f45ac9fd602fa31364446db85d226860b27fbb090 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 71247185f6b866ae1fcef07c5ed12a60 |
| SHA1 | 2a692d071d38555652d307dbb26c07e29db64370 |
| SHA256 | 899b324db83a40fb10277e23a768ab250400c4a12a77ccce098286fa4b585d0e |
| SHA512 | 2206be9b365cf28169cc696122cd1bb82b00c74ebc7afe7588b8d30ef6aa7460c5ab948acaec6f75eaffbc962a2223fa6fa5442b6a5e09da2b446ea62bbcfb89 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ebea9b8d2699f2183c589dd046404b99 |
| SHA1 | cb2142ccfbbc0bbbe4d012f3700296ef75b5a59c |
| SHA256 | 4ae97535e164335db434c0a153d9d1700c8bcfca80066838417bec82569df35a |
| SHA512 | 061d1dd947bdf30623aaa7d829f965bfb5a8a41bd9867af561b3bde0ba5018386c7d1c48757652f7c40e608f45ac9fd602fa31364446db85d226860b27fbb090 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d5b3e713e95ad7f721b9441b7e629f00 |
| SHA1 | 69a0060ffb4023d110f70baa89f531b46b759069 |
| SHA256 | 79388600e027cddfabc1115e55817017032efe5639b19954903540642d0183c5 |
| SHA512 | 176e1d2e58f0d43558c14117ec84781d9c2f5ff1799ec7055877cd537f61007b2919a198546c392dee0117e58f95d22537a48c1a0015332a11713d07355ad167 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d5b3e713e95ad7f721b9441b7e629f00 |
| SHA1 | 69a0060ffb4023d110f70baa89f531b46b759069 |
| SHA256 | 79388600e027cddfabc1115e55817017032efe5639b19954903540642d0183c5 |
| SHA512 | 176e1d2e58f0d43558c14117ec84781d9c2f5ff1799ec7055877cd537f61007b2919a198546c392dee0117e58f95d22537a48c1a0015332a11713d07355ad167 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c43c0d4fde4864fe02f74f8e7d1dbed0 |
| SHA1 | 437121eb2ef581abd93ff3eea4151f6f54194944 |
| SHA256 | 58aa6cab35d66524c851e9ec29d0e26bc37d34b2a39b732902b802dbf92193a2 |
| SHA512 | 46c508b2c5cc05176c0a99fdf6831082c397646e55cc2653f6f593e8f7b592e8adba87d3f5056c45e2308c7951f45ff0520c130fa1dc17c85d06284cb6c860da |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c43c0d4fde4864fe02f74f8e7d1dbed0 |
| SHA1 | 437121eb2ef581abd93ff3eea4151f6f54194944 |
| SHA256 | 58aa6cab35d66524c851e9ec29d0e26bc37d34b2a39b732902b802dbf92193a2 |
| SHA512 | 46c508b2c5cc05176c0a99fdf6831082c397646e55cc2653f6f593e8f7b592e8adba87d3f5056c45e2308c7951f45ff0520c130fa1dc17c85d06284cb6c860da |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5ea4596c843e578b58231cafa1f02eb5 |
| SHA1 | 31c589fc1f649847f046959e3791316dc802b711 |
| SHA256 | 23a9f71024fb4774c6ee83600330ee2b9a4825bab2f82e5edd462e4f46ff16fe |
| SHA512 | 37be98a97779d1bf97f469be9e84eae3bb4cc9e140bf489b1d0c3afaf9cb11b4e8d7fc91a77e4aa36266f882e831a2dea3ff4a35fbc241ff0061dc3f3ddb1509 |
memory/5444-857-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ctDgUbHuaY.bat
| MD5 | 6742f2f77f4e921ad233a4a23f3c1d15 |
| SHA1 | fc3212770e8183369ebbf8014f60401e548fe79b |
| SHA256 | 3e1434c758488bdea24194fab134d672352ee822abee2786435e9767e102f6c4 |
| SHA512 | add3ca18a9b6d87b383b87c76c0247f6d0e24b2cdc317d53a047bc5f3934b044ed448dc156aa5ae3a31c1616b060c6f4adc7d6f6f10ac86d1f94490d6e01d914 |
memory/5500-859-0x0000000000000000-mapping.dmp
memory/5524-860-0x0000000000000000-mapping.dmp
C:\odt\csrss.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/5624-862-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat
| MD5 | 88ee88e10178c76a0dc36186abeadf57 |
| SHA1 | 819900b12ea256256252668cc78dd7e6fd923cdf |
| SHA256 | dd5fb40a06164a1ab768a8a704a508a53629fda6760c09d366b1e63c17121bf5 |
| SHA512 | ebcf3ee19932df33813d9f3ae99b32e1986edf96b5d1627e7d2267a619392fe36bb8a2bb01dfa2c5cedd71c11978b4547bd03783446e815e9a05def81de6fea9 |
memory/5680-864-0x0000000000000000-mapping.dmp
memory/5700-865-0x0000000000000000-mapping.dmp
C:\odt\csrss.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/5856-869-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\F8wGhM86rN.bat
| MD5 | 77c1227097c246a32cbcf7635fdc7c4c |
| SHA1 | 7d4c498278df2d6b98e29c97482956c16b597be4 |
| SHA256 | 99b44adc2f056d42da296940b4d07a0fe8cae207aec7a3ae0a424a85312cf5b1 |
| SHA512 | d2525945e196fb3316a90b409931a1064a7d41b182321b340a9725927705efdfed2c9b24e589c23c8eae3d8025274fea64145a74c5bd2fce6e74e3f513930bc3 |
memory/5800-867-0x0000000000000000-mapping.dmp
memory/5876-870-0x0000000000000000-mapping.dmp
C:\odt\csrss.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/5980-872-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\jhJpXqSaXt.bat
| MD5 | 0f1821761000a82bb2dcdbe01e064b61 |
| SHA1 | 039f363971f1b022f8f13791086b83c7ea4c3654 |
| SHA256 | be6167cdf4fef6b2a89f3d91df4f6498225fecb325fbc8713a4cef017d4063f9 |
| SHA512 | b7f60fb116e346760d80a0e842d43f9c9eecb5de93dd1529d18c1610ec00ef05a78c11ecef0e91ee50aa9752035e6a2aed225cba1036d9b728373b97f42220d4 |
memory/6036-874-0x0000000000000000-mapping.dmp
memory/6056-875-0x0000000000000000-mapping.dmp
C:\odt\csrss.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/160-877-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat
| MD5 | 5e6c3d183d01926c819f8df45fac43e5 |
| SHA1 | 8044142c024c2dd5c33905c6231918c1123f6ecc |
| SHA256 | d5c46b393618e947e9efb35bacd039096fe4317a866ab064b6883a7f455ae8e9 |
| SHA512 | 4c7dc0817358e5a9026070b31449dade01ed848dd0c65463e09b6ae02147238aa0a5838ae850ef14f1229e66c47d3f1f5ba601f7ff866c22a24a0f27e92d7609 |
memory/5184-879-0x0000000000000000-mapping.dmp
memory/3116-880-0x0000000000000000-mapping.dmp
C:\odt\csrss.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/5112-882-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\F8wGhM86rN.bat
| MD5 | 77c1227097c246a32cbcf7635fdc7c4c |
| SHA1 | 7d4c498278df2d6b98e29c97482956c16b597be4 |
| SHA256 | 99b44adc2f056d42da296940b4d07a0fe8cae207aec7a3ae0a424a85312cf5b1 |
| SHA512 | d2525945e196fb3316a90b409931a1064a7d41b182321b340a9725927705efdfed2c9b24e589c23c8eae3d8025274fea64145a74c5bd2fce6e74e3f513930bc3 |
memory/2436-884-0x0000000000000000-mapping.dmp
memory/2928-885-0x0000000000000000-mapping.dmp
C:\odt\csrss.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2928-887-0x0000000001250000-0x0000000001262000-memory.dmp
memory/5276-890-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5EJ4eIa89C.bat
| MD5 | 6c571904eccf059df2a2b9c7c5e14599 |
| SHA1 | e83281f57d14ee5c430205d99943f1b162342aab |
| SHA256 | 30f4987c39271b2931b08666914bb8aa9a9a692f52050750b11f840fefecf6d3 |
| SHA512 | 741f4c0cd93d91a07ff34d25662dadc0c66d850958095d50096a1a4995d8d4564455ad9aa650eb28c6ec54a67d2f5baabae08a7036509a8e8f55e65ea2858306 |
memory/648-888-0x0000000000000000-mapping.dmp
memory/4372-891-0x0000000000000000-mapping.dmp
C:\odt\csrss.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/3288-893-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat
| MD5 | a20c831336ba3de2a5c3fdec2fdde2a7 |
| SHA1 | 52f2a5ba3f7caf86b2bd695344bd9b73069236be |
| SHA256 | 9af74507f52ddc135f9cbd76feb93ed352be88ad795575c89911bd59fe9c4676 |
| SHA512 | 1f05df52a96fc79814e9ac003240048aa0fd5b727badb1b2754ce34d74223109387e70c97812a14279b2c408bb42fe32bd217e470047a69fb3a80522c7ad7827 |
memory/2648-895-0x0000000000000000-mapping.dmp
memory/2280-896-0x0000000000000000-mapping.dmp
C:\odt\csrss.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2280-898-0x00000000014F0000-0x0000000001502000-memory.dmp
memory/1928-899-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\pakqiPPahT.bat
| MD5 | dd5820c15338e2ca87339f68cc708bf9 |
| SHA1 | daf8d84aeba52eab407bc6efbbd2f43ac4265eac |
| SHA256 | 408bf189d2fddebbd224b1f2f151b699c1a906b4a65b65e362654814880b0075 |
| SHA512 | 3052bf45b1495951b4289eba108c2c18d2c31635aefb9347b121c25d801afc3c11152c34d7ee7d16337fe0313f096445e723b01c05087cfa0d1134c5572dbb4a |
memory/5076-901-0x0000000000000000-mapping.dmp
memory/3956-902-0x0000000000000000-mapping.dmp
C:\odt\csrss.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/3956-904-0x0000000000FE0000-0x0000000000FF2000-memory.dmp
memory/2596-905-0x0000000000000000-mapping.dmp
memory/1932-907-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\wOqzmeZFfo.bat
| MD5 | f41f55ea42384a397b2014a1d2b3f8fe |
| SHA1 | 7fb0b3a88a1b2da28d06354ef71b9afa26c672ab |
| SHA256 | 7c93ebc15d6f85b113e411b0ee1f873b9a6ea085537b2dfc7f3528d9252984dc |
| SHA512 | 30f1fbaacc51c1f137e86a1b119b33c56c39fcc8445ac5bf704e2c9fb4adb1f17e51c4a32699086bb6748bb1a624117f2860a21375d48f149575c3a2219078f3 |
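As an added example that is not part of the sandbox report (the report above is generated output, not code): a Python parser for the dropped-file and memory-dump listing format used in this section. It folds the repeated identical `C:\odt\csrss.exe` records into one entry with an occurrence count, checks that every digest has the right length for its algorithm (truncated copies are the usual way a pasted IOC list goes wrong), flags a system-binary name written outside System32/SysWOW64 (csrss.exe under C:\odt is the case on this page), and sweeps a directory tree for files whose SHA256 is in the resulting set. The embedded listing is a constructed sample built from entries copied off the page; `SYSTEM_BINARY_NAMES` and the `LEGIT_DIRS` allow-list are assumptions of this example, not anything the report states.

```python
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, NamedTuple, Optional, Set, Tuple
# Constructed sample in the report's own listing format (entries copied from the page).
SAMPLE_LISTING = r"""
C:\odt\csrss.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2800-323-0x0000000000000000-mapping.dmp
C:\odt\csrss.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2928-887-0x0000000001250000-0x0000000001262000-memory.dmp
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# memory/<pid>-<seq>-0x<start>[-0x<end>]-(mapping|memory).dmp ; "mapping" dumps carry no end
MEM_LINE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(mapping|memory)\.dmp$")

@dataclass
class DroppedFile:
    path: str
    hashes: Dict[str, str] = field(default_factory=dict)
    occurrences: int = 1  # identical (path, SHA256) records are folded into one

MemoryRegion = NamedTuple("MemoryRegion", [("pid", int), ("seq", int), ("start", int), ("end", Optional[int]), ("kind", str)])

def parse_listing(text: str) -> Tuple[Dict[Tuple[str, str], DroppedFile], List[MemoryRegion]]:
    """Turn the flat listing into folded dropped-file records plus memory-dump regions."""
    records, memory = [], []  # type: List[DroppedFile], List[MemoryRegion]
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        m = MEM_LINE.match(line)
        if m:
            memory.append(MemoryRegion(int(m[1]), int(m[2]), int(m[3], 16),
                                       int(m[4], 16) if m[4] else None, m[5]))
            continue
        h = HASH_ROW.match(line)
        if h:
            if not records:
                raise ValueError(f"hash row without a preceding path: {line}")
            algo, digest = h[1], h[2].lower()
            if len(digest) != HASH_LEN[algo]:  # catches truncated or mangled copies
                raise ValueError(f"{algo} for {records[-1].path} has {len(digest)} hex chars")
            records[-1].hashes[algo] = digest
            continue
        records.append(DroppedFile(path=line))  # any other line is a path starting a record
    files: Dict[Tuple[str, str], DroppedFile] = {}
    for rec in records:
        key = (rec.path, rec.hashes.get("SHA256", ""))
        if files.setdefault(key, rec) is not rec:  # already seen: fold into the first record
            files[key].occurrences += 1
    return files, memory

# Assumed, constructed list of system binary names this sample borrows; extend for your estate.
SYSTEM_BINARY_NAMES = {"csrss.exe", "lsass.exe", "svchost.exe", "winlogon.exe", "smss.exe"}
LEGIT_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

def is_masquerading(path: str) -> bool:
    """True when a system-binary name is written outside the directories it belongs in."""
    directory, _, name = path.replace("/", "\\").lower().rpartition("\\")
    return name in SYSTEM_BINARY_NAMES and directory not in LEGIT_DIRS

def sweep(root: str, known_bad: Set[str]) -> List[Tuple[str, str]]:
    """Walk root and return (path, sha256) for every file whose digest is in known_bad."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p, h = os.path.join(dirpath, name), hashlib.sha256()
            try:
                with open(p, "rb") as f:
                    for chunk in iter(lambda: f.read(1 << 20), b""):  # stream, do not slurp
                        h.update(chunk)
            except OSError:
                continue
            if h.hexdigest() in known_bad:
                hits.append((p, h.hexdigest()))
    return hits

def demo_sweep() -> bool:
    """Self-check on constructed data: plant a file with a known digest and confirm sweep() finds it."""
    payload = b"constructed stand-in, not the real dropped file\n"
    digest = hashlib.sha256(payload).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "csrss.exe"), "wb") as f:
            f.write(payload)
        hits = sweep(d, {digest})
    return len(hits) == 1 and hits[0][1] == digest
```

To use it on the whole section, paste the listing into `SAMPLE_LISTING` (or read it from a file), take `{sha for (_, sha) in parse_listing(text)[0]}` as the `known_bad` set, and point `sweep()` at the volumes you want checked; the occurrence counts tell you which artefacts the sample rewrites repeatedly, which is the behaviour the "Executes dropped EXE" and "Drops file in Program Files directory" signatures are summarising.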