Analysis Overview
SHA256
f6d8d45ee3eec21b23f3c43324baa937b2364cce5e0748b50cbb1661d5a8b2f8
Threat Level: Known bad
The file f6d8d45ee3eec21b23f3c43324baa937b2364cce5e0748b50cbb1661d5a8b2f8 was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Dcrat family
DcRat
DCRat payload
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-01 11:37
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-01 11:37
Reported
2022-11-01 11:40
Platform
win10-20220901-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\MSBuild\Microsoft\System.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Java\jdk1.8.0_66\bin\6203df4a6bafc7 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Mail\en-US\sppsvc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Windows Mail\en-US\0a1fd5f707cd16 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Java\jdk1.8.0_66\bin\lsass.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\lsass.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Microsoft Office\Office16\csrss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Microsoft Office\Office16\886983d96e3d3e | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\Microsoft\System.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\Microsoft\27d1bcfc3c54e0 | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Provisioning\Cosa\OEM\winlogon.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Provisioning\Cosa\OEM\cc11b995f2a76d | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | C:\Program Files (x86)\MSBuild\Microsoft\System.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | C:\providercommon\DllCommonsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\f6d8d45ee3eec21b23f3c43324baa937b2364cce5e0748b50cbb1661d5a8b2f8.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f6d8d45ee3eec21b23f3c43324baa937b2364cce5e0748b50cbb1661d5a8b2f8.exe
"C:\Users\Admin\AppData\Local\Temp\f6d8d45ee3eec21b23f3c43324baa937b2364cce5e0748b50cbb1661d5a8b2f8.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jdk1.8.0_66\bin\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.8.0_66\bin\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jdk1.8.0_66\bin\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office16\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office16\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\providercommon\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\providercommon\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\Provisioning\Cosa\OEM\winlogon.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Provisioning\Cosa\OEM\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\Provisioning\Cosa\OEM\winlogon.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\en-US\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\en-US\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office16\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.8.0_66\bin\lsass.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Provisioning\Cosa\OEM\winlogon.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\System.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\dwm.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\d8sB0Cn4pv.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\MSBuild\Microsoft\System.exe
"C:\Program Files (x86)\MSBuild\Microsoft\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3EiKDvRnKw.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\MSBuild\Microsoft\System.exe
"C:\Program Files (x86)\MSBuild\Microsoft\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\MSBuild\Microsoft\System.exe
"C:\Program Files (x86)\MSBuild\Microsoft\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\MSBuild\Microsoft\System.exe
"C:\Program Files (x86)\MSBuild\Microsoft\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hevtjRcN1r.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\MSBuild\Microsoft\System.exe
"C:\Program Files (x86)\MSBuild\Microsoft\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\MSBuild\Microsoft\System.exe
"C:\Program Files (x86)\MSBuild\Microsoft\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\MSBuild\Microsoft\System.exe
"C:\Program Files (x86)\MSBuild\Microsoft\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\989MOUOnUX.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\MSBuild\Microsoft\System.exe
"C:\Program Files (x86)\MSBuild\Microsoft\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qO35UmqwIy.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\MSBuild\Microsoft\System.exe
"C:\Program Files (x86)\MSBuild\Microsoft\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mNrvcGFykN.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\MSBuild\Microsoft\System.exe
"C:\Program Files (x86)\MSBuild\Microsoft\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\MSBuild\Microsoft\System.exe
"C:\Program Files (x86)\MSBuild\Microsoft\System.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LnIbptgF5R.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files (x86)\MSBuild\Microsoft\System.exe
"C:\Program Files (x86)\MSBuild\Microsoft\System.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 87.251.72.33:443 | | tcp |
| DE | 136.244.80.197:80 | | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 20.44.10.122:443 | | tcp |
| US | 93.184.221.240:80 | | tcp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
C:\Users\Admin\AppData\Local\Temp\d8sB0Cn4pv.bat
| MD5 | 4a7951267e8ff4bc00e1827e437b7485 |
| SHA1 | 30ded6defac1a366d6dd9b4f567b965a20d77af8 |
| SHA256 | aee9ba502ee5496e1ebe71928077ac7ab030d05e3948bd34732596d19e287334 |
| SHA512 | 7ddd53c8b8ca3a17598220ffc8465b528a85e8015471d81cce4952e83e5f78fe7748a1849ed41544b0a6dd9e8f72822cc41cbb40f66e4f3bd608f68250078447 |
C:\Program Files (x86)\MSBuild\Microsoft\System.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | ad5cd538ca58cb28ede39c108acb5785 |
| SHA1 | 1ae910026f3dbe90ed025e9e96ead2b5399be877 |
| SHA256 | c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033 |
| SHA512 | c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0bdfaa14d7814b541a77f4e97920dfd6 |
| SHA1 | c239720eee47db7f7136bb78e37c539b9e735c4c |
| SHA256 | 4c8946ef444ac60d731d674ad3d32a42edcd2a8d5fc984366f7c09eb24f5a272 |
| SHA512 | dfa795a1fd4fc852064cfdf93602899685bf9c13c7c326feca76fc7f97f92662342c52b79b447bcbc20cd55ea724742a499ad8da8e7770377a3e04ae52351608 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | abf7fc04f64886ca908084fdacf6b490 |
| SHA1 | 6e54771bf8208d50eb2e28f19fbc39a89d73e177 |
| SHA256 | 1bdeec29a69dc2353c6fb83a30ef8e4c261ea619d52e59f46bd1171cc6b2603d |
| SHA512 | 7baebde225b8510c43452a61695c14d85432ada4d568e2432775b04a90a912e7238b717d60397f6cd48409bf808c91e13489383b08ead8d5aada439d026183c9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 16702505b6f5af88f06aa6619382bf9a |
| SHA1 | 4b64f968c4a7889b5078a5ab44ced78813153db4 |
| SHA256 | 78a9f48ea9f2dc8e634ef056f2a976f7405cd4175bada9f5cbc0daf992da742c |
| SHA512 | a05a3937e8b49854ddf78c93ca35235ceb9f72ab67af36d00c268db28aff86e5120e4505eff0fa0adbd12298deca1515069f993a5f766353404f4723a6bb65d9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | edf66e57ae463c5ef325c9c4c1387a42 |
| SHA1 | 9cbe9222c0234720109eb65e8f08e6248a55331c |
| SHA256 | cc3587d30b9ca51a23d728d13a73edaa23cc91d786eda692fc7b938c1393c260 |
| SHA512 | a9f99e62b3be13bf872558fa95e681122dae948c85534f698369dc648393982ca146d26a804bc9d4cd7bb2823f1f5adc8d05329bd83e20e8c31889009e090afd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 29b209d9727cbb94862959a28841f6a8 |
| SHA1 | dee0f0b5396aa5ef76f6b57e3882cb839d5b5c9c |
| SHA256 | cd1f4392ee8bb902981eff13c269ebc12130925aafab6826588f02b9339d2892 |
| SHA512 | c326f8c3a27636a21323b1f9a1c55b49aa5760a4548a2208254143df51b6c822ee4cf1d6d7977f9864dd4e38373da9e90a50337172333d5cdc6adea1e4eea57d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 29b209d9727cbb94862959a28841f6a8 |
| SHA1 | dee0f0b5396aa5ef76f6b57e3882cb839d5b5c9c |
| SHA256 | cd1f4392ee8bb902981eff13c269ebc12130925aafab6826588f02b9339d2892 |
| SHA512 | c326f8c3a27636a21323b1f9a1c55b49aa5760a4548a2208254143df51b6c822ee4cf1d6d7977f9864dd4e38373da9e90a50337172333d5cdc6adea1e4eea57d |
memory/4812-669-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3EiKDvRnKw.bat
| MD5 | 3ed2fe80a84d683cd56eb73d9a3681e6 |
| SHA1 | f4c16e2024877802fa183a27f07b07e282fa6a55 |
| SHA256 | a4baf1ea979bdec8fe986fe1028bf7f81ecee6e6fa53588664061dc0085f0acc |
| SHA512 | 8518f4cfcfba920ae0ac795f78d9ba82fafb26aca6ab10fb7f1c142f48f93ac4a6c40af4f9a74988d01781614e135d238fb2e75cdbbad53f0556c8bd2a6228b6 |
memory/4844-671-0x0000000000000000-mapping.dmp
memory/4472-672-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\MSBuild\Microsoft\System.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log
| MD5 | d63ff49d7c92016feb39812e4db10419 |
| SHA1 | 2307d5e35ca9864ffefc93acf8573ea995ba189b |
| SHA256 | 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12 |
| SHA512 | 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a |
memory/4800-675-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat
| MD5 | d64dcb4f2e0cc43a77f6662be41773d2 |
| SHA1 | f34a62f0198f7a792bf3b9435587294a32b40e3c |
| SHA256 | 8bbc252ec1c568ec22a3c61d1fa923a71a9973569dd495299d1b7a074cdc2640 |
| SHA512 | 9e0ee12550eafdfbaf00d83fae9293516f1d8bf6dbb0e1470d96689f3f2e082492dbfac75a1f0dad611ec57ebe4c0a805d499504cf6122a96041384b3a8d067a |
memory/1980-677-0x0000000000000000-mapping.dmp
memory/1304-678-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\MSBuild\Microsoft\System.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/1304-680-0x0000000000F90000-0x0000000000FA2000-memory.dmp
memory/2932-681-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat
| MD5 | a93422901e3b8c87e18da23a8d19291c |
| SHA1 | 2dbac899a2dd51f52097fbe53b93929c3d5b1c37 |
| SHA256 | 161d1fb4c39df0b031b5fb5e1decaa0368abc05858ce8cdd3b07da9ffb4094e4 |
| SHA512 | 6a841f4d99972b001e9e08cd4ab499c7ef19f4283a4fa91903c2baad6670f1135225100645428dfe8b91cb30d01a77a7602723613e48c2a6cb258b2d458b2849 |
memory/2688-683-0x0000000000000000-mapping.dmp
memory/1016-684-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\MSBuild\Microsoft\System.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/1296-686-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\hevtjRcN1r.bat
| MD5 | 2b27069a4eb0d4b4651d092e495f7939 |
| SHA1 | 620fdd482ef7318e89c07fd524e4877894480160 |
| SHA256 | c698ac62e9896f4c2e0cbc23d804c730962ab5be5d8df975954f91ce7468129c |
| SHA512 | 4d7cb0870f07279c117aad0a2686fef3917e993b7193319063efcfd7a5325c7eea8bef2371f1ce79131a965ab0fbb7f3c9dcca74ac01d34f4c7a841b3326ae06 |
memory/1576-688-0x0000000000000000-mapping.dmp
memory/4264-689-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\MSBuild\Microsoft\System.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2164-691-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat
| MD5 | 45889d1187ae42ea09e11c9181e92305 |
| SHA1 | 285246e52208a22e683394c3eafb22ea4018fc55 |
| SHA256 | 1d9e6e578418b7ea2be8322dbc8d10158a3042a277509551ce54e9ee3eee7b17 |
| SHA512 | 63c6347445193bbb5e77fa5fa466c3d53d0fad01beee309327f7fb4a3167d5d1d4ae41fa3df209cd3bae991c96f2e4f84536462c668bf8ddcb55675813776cb2 |
memory/3788-693-0x0000000000000000-mapping.dmp
memory/2288-694-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\MSBuild\Microsoft\System.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/364-696-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat
| MD5 | 7e5b4012fa636bc4a1cd12bc0b85a945 |
| SHA1 | 1a10b718fff8381ab3716ec33bca7290ab560b26 |
| SHA256 | 3fb03f1bbd57e962cfa49464501a2db59f913a10131c750ab0c3b559c8e29d99 |
| SHA512 | 84778dc91f640ff95a1196dd129adbb0417bf9612305eef3e5df1424765514f71e00cff7551224378b4d9fe9c11cd3f64095508ee3534096038c331930117c64 |
memory/3276-698-0x0000000000000000-mapping.dmp
memory/2780-699-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\MSBuild\Microsoft\System.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/3488-701-0x0000000000000000-mapping.dmp
memory/656-703-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\989MOUOnUX.bat
| MD5 | 1fda1ee45b830ae50b6a80ba6a98e869 |
| SHA1 | d8ee1db1147d079390af15c795f4016fd6b19bf6 |
| SHA256 | 19fa24203dbccf01c388dec7ae3af84e3e948d368cf89d115fb6c57c55450b11 |
| SHA512 | 7be4a326681c0a473e09cfde1fc462d652bf11794ec28522afbfdced7db8083760b944ec2a4b458b97b911bb170a8d1bf623584d741c6c43025105ceb67b1f13 |
C:\Program Files (x86)\MSBuild\Microsoft\System.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4028-704-0x0000000000000000-mapping.dmp
memory/4028-706-0x00000000026F0000-0x0000000002702000-memory.dmp
memory/1556-707-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\qO35UmqwIy.bat
| MD5 | befcb53f41f729946fd4ee4dd08f85ee |
| SHA1 | 26e2ecb0e57888e01d268663d687e28e3d208c43 |
| SHA256 | f0b24bbcfec58d1355ae10da3d3d822fda9633593982c6cad8a2148a701efd95 |
| SHA512 | f3ed8f8ee70a9e4959c865ccb56e078adbab5a84987b2ae527dfbc880f6b373b206162ff3a95ed2d2664639813ee852318f06168ab5a7a708737d0aa59d6b568 |
memory/4508-709-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\MSBuild\Microsoft\System.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/416-710-0x0000000000000000-mapping.dmp
memory/416-712-0x0000000000720000-0x0000000000732000-memory.dmp
memory/4700-713-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\mNrvcGFykN.bat
| MD5 | 69efed9115a94abf1d518ae2378de5fd |
| SHA1 | 5cd8e8d2193769e7acf8f53a800695c500bd6360 |
| SHA256 | 7dda6460cdbec09f0f7ba9b24312d5897815c35eb6a46c589fc1cdf59ef2d5ca |
| SHA512 | ace971a606dc0ac5aa100d62bc7da2d3334bd3aec2dc5a9e7976f099f57109969486f8385b2d1998b6de21081f18623f6059503a88d70191ffc46435c296b26b |
memory/4616-715-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\MSBuild\Microsoft\System.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/524-716-0x0000000000000000-mapping.dmp
memory/4220-718-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat
| MD5 | d3544c44a7bb5b918122465af4ff2083 |
| SHA1 | 1706b4f6a1428f0a1aa882b669c02351315b5133 |
| SHA256 | 14630635d69f1efa5a56695b79bbf94a1588942ab03e5120353356e8706a619f |
| SHA512 | 5360249959b58e4e04a150d68f8f62553c22c41180c67ccc43c2be270f54e4165c848f39b6b0766aa905789595454ecfdf653cf3046334d43a8a4099376e9ba4 |
memory/5052-720-0x0000000000000000-mapping.dmp
memory/4276-721-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\MSBuild\Microsoft\System.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/768-723-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\LnIbptgF5R.bat
| MD5 | bcad8f63bf49e1f04c7ed57f496269a1 |
| SHA1 | 3ddde6230dfe21d802808253366f5e55b9b79642 |
| SHA256 | 918ae2ef1897af6a54b54ed74c1cdabc1d23c66e6a9391ecb27b13586165e73e |
| SHA512 | 4e1c724b0e4de99bc08551dd13fbf7cd302f7bf9233b3bba09bce3a216afa40b1077f8f7048ace322c06b5f1d1f0b9bc94cf6f9f07c8916b1fc3b9fcf8d4697d |
memory/3332-725-0x0000000000000000-mapping.dmp
memory/5020-726-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\MSBuild\Microsoft\System.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |