Analysis Overview
SHA256
f71939c2246ae67bffba66e1363d80d059971cceea4f5b356c0ffd0e3927103f
Threat Level: Known bad
The file f71939c2246ae67bffba66e1363d80d059971cceea4f5b356c0ffd0e3927103f was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
DCRat payload
Dcrat family
DcRat
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-01 11:39
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-01 11:39
Reported
2022-11-01 11:41
Platform
win10-20220812-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A |
This row is reported 48 times, once per schtasks.exe invocation listed under Processes. WmiPrvSE.exe is the recorded parent whenever a process is started through WMI (Win32_Process.Create), so the process tree does not show which process actually requested the task creation; attribute it by timing and by the task targets instead.
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
This signature matched 15 times; the report gives no indicator, process or target detail for any of the matches.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Program Files\MSBuild\dwm.exe | N/A |
The dwm.exe row is reported 11 times, matching the 11 launches of C:\Program Files\MSBuild\dwm.exe listed under Processes.
Legitimate hosting services abused for malware hosting/C2 (the raw.githubusercontent.com connections listed under Network)
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\MSBuild\dwm.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Mail\en-US\69ddcba757bf72 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\explorer.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\7a0fd90576e088 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Mail\en-US\smss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Internet Explorer\de-DE\cmd.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Internet Explorer\de-DE\ebf1f9fa8afd6d | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows NT\Accessories\fr-FR\6ccacd8608530f | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\9e8d7a4ca61bd9 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_1.1702.21039.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\System.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\MSBuild\6cb0b6c459d5d3 | C:\providercommon\DllCommonsvc.exe | N/A |
Six of the seven dropped executables are accompanied by a file with a 14-hex-character name in the same directory (6cb0b6c459d5d3 beside MSBuild\dwm.exe, 69ddcba757bf72 beside Windows Mail\en-US\smss.exe, 9e8d7a4ca61bd9 beside Shared Gadgets\RuntimeBroker.exe, 7a0fd90576e088 beside Windows Sidebar\explorer.exe, ebf1f9fa8afd6d beside de-DE\cmd.exe, 6ccacd8608530f beside fr-FR\Idle.exe); only the WindowsApps System.exe has no companion listed. The pairing is a useful hunting pattern alongside the system-binary file names placed outside System32.
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Boot\Resources\dwm.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\f71939c2246ae67bffba66e1363d80d059971cceea4f5b356c0ffd0e3927103f.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Program Files\MSBuild\dwm.exe | N/A |
The dwm.exe row is reported 11 times, once per launch of C:\Program Files\MSBuild\dwm.exe.
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
The list below gives each image path followed by its command line in the order the sandbox recorded it; parent/child links are not shown. Read as a chain: yTUdeXjbLOhnrN32dgrxVg.vbe is run via WScript.exe, that script runs 1zu9dW.bat via cmd.exe, and the batch file starts DllCommonsvc.exe, the DCRat payload (the WScript.exe and cmd.exe images resolve to SysWOW64 although the command lines name System32, the normal WOW64 file-system redirection for a 32-bit launcher). schtasks.exe is then invoked 48 times: for each of 16 target paths three tasks are created, a MINUTE-interval task, an ONLOGON task with /rl HIGHEST, and a second MINUTE-interval task with /rl HIGHEST, with intervals between 5 and 14 minutes. Each target is named after a Windows system binary (csrss.exe, dwm.exe, smss.exe, services.exe, wininit.exe, conhost.exe, RuntimeBroker.exe, explorer.exe, SearchUI.exe, cmd.exe, Idle.exe) but sits outside System32; the one target that is hashed under Files, C:\Program Files\MSBuild\dwm.exe, is byte-identical to DllCommonsvc.exe. Seventeen powershell.exe calls add those paths to Microsoft Defender's exclusion list with Add-MpPreference -ExclusionPath, which only succeeds with local administrator rights. Finally C:\Program Files\MSBuild\dwm.exe is launched 11 times in a loop: each instance runs a randomly named .bat from %TEMP%, which calls w32tm /stripchart /computer:localhost /period:5 /samples:2 as a stand-in for a sleep of a few seconds and then starts dwm.exe again.
C:\Users\Admin\AppData\Local\Temp\f71939c2246ae67bffba66e1363d80d059971cceea4f5b356c0ffd0e3927103f.exe
"C:\Users\Admin\AppData\Local\Temp\f71939c2246ae67bffba66e1363d80d059971cceea4f5b356c0ffd0e3927103f.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\odt\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 8 /tr "'C:\odt\SearchUI.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 12 /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 13 /tr "'C:\odt\SearchUI.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 11 /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\odt\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\odt\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\en-US\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\en-US\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\de-DE\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\de-DE\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Package Cache\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Package Cache\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\SearchUI.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Users\Admin\SearchUI.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\SearchUI.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\SearchUI.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\SearchUI.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\wininit.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\en-US\smss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\de-DE\cmd.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\SearchUI.exe'
C:\Program Files\MSBuild\dwm.exe
"C:\Program Files\MSBuild\dwm.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uOEGMIRuqZ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\dwm.exe
"C:\Program Files\MSBuild\dwm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CxpWyGgMb4.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\dwm.exe
"C:\Program Files\MSBuild\dwm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AvSbArq942.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\dwm.exe
"C:\Program Files\MSBuild\dwm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BmKXfVMxAz.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\dwm.exe
"C:\Program Files\MSBuild\dwm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NczlPfxoCy.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\dwm.exe
"C:\Program Files\MSBuild\dwm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p6CE4ikEee.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\dwm.exe
"C:\Program Files\MSBuild\dwm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zGIMjSYhT8.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\dwm.exe
"C:\Program Files\MSBuild\dwm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\dwm.exe
"C:\Program Files\MSBuild\dwm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\daA37ewxym.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\dwm.exe
"C:\Program Files\MSBuild\dwm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\53OVnhiNRT.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Program Files\MSBuild\dwm.exe
"C:\Program Files\MSBuild\dwm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZZzsG8LzQB.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
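As an added example (not code from the sandbox, from Hatching Triage, or from DCRat), the Python script below turns the behaviours recorded in the "Process spawned unexpected child process" signature and in the process list above into checks over process-creation events: schtasks.exe parented by WmiPrvSE.exe, scheduled tasks whose target carries a system-binary name outside System32/SysWOW64, tasks registered with /rl HIGHEST, Add-MpPreference exclusions, and w32tm /stripchart against localhost used as a delay. Event is a constructed stand-in for the parent, image and command-line fields of a Sysmon Event ID 1 record; the sample events reuse command lines from the list above, the parents of the powershell.exe and w32tm.exe events are assumed (the report does not state them), and the last event is a constructed benign control.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Windows binary names this dropper reuses for its copies; they are only
# legitimate under the system directories.
SYSTEM_BINARY_NAMES = {
    "csrss.exe", "dwm.exe", "smss.exe", "services.exe", "wininit.exe",
    "conhost.exe", "runtimebroker.exe", "explorer.exe", "searchui.exe",
    "cmd.exe", "idle.exe", "system.exe",
}
LEGIT_SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# WmiPrvSE.exe is the recorded parent of processes created through WMI
# (Win32_Process.Create); it has no business launching schtasks.exe.
UNEXPECTED_SCHTASKS_PARENTS = {"c:\\windows\\system32\\wbem\\wmiprvse.exe"}

SCHTASKS_CREATE_RE = re.compile(
    r"/create\s+/tn\s+\"(?P<task>[^\"]+)\".*?/tr\s+\"'(?P<target>[^']+)'\"", re.I)
RUNLEVEL_HIGHEST_RE = re.compile(r"/rl\s+HIGHEST\b", re.I)
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'(?P<path>[^']+)'", re.I)
W32TM_DELAY_RE = re.compile(r"/stripchart\s+/computer:localhost\b", re.I)


@dataclass(frozen=True)
class Event:            # constructed stand-in for Sysmon Event ID 1 fields
    parent: str
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def classify(ev: Event) -> list:
    """Return the findings one process-creation event triggers."""
    findings = []
    image = ev.image.lower()
    if image.endswith("\\schtasks.exe"):
        if ev.parent.lower() in UNEXPECTED_SCHTASKS_PARENTS:
            findings.append(Finding("unexpected_parent", ev.parent))
        m = SCHTASKS_CREATE_RE.search(ev.cmdline)
        if m:
            task, target = m.group("task"), m.group("target")
            name = target.rsplit("\\", 1)[-1].lower()
            # A system-binary name outside the system directories is masquerading.
            if name in SYSTEM_BINARY_NAMES and not target.lower().startswith(LEGIT_SYSTEM_DIRS):
                findings.append(Finding("masquerading_task_target", f"{task} -> {target}"))
            if RUNLEVEL_HIGHEST_RE.search(ev.cmdline):
                findings.append(Finding("task_runlevel_highest", task))
    elif image.endswith("\\powershell.exe"):
        m = EXCLUSION_RE.search(ev.cmdline)
        if m:
            findings.append(Finding("defender_exclusion_added", m.group("path")))
    elif image.endswith("\\w32tm.exe") and W32TM_DELAY_RE.search(ev.cmdline):
        findings.append(Finding("w32tm_sleep_substitute", ev.cmdline))
    return findings


def triage(events) -> dict:
    """Aggregate: hit count per rule, task name -> targets, Defender exclusion paths."""
    counts, tasks, exclusions = Counter(), {}, []
    for ev in events:
        for f in classify(ev):
            counts[f.rule] += 1
            if f.rule == "masquerading_task_target":
                task, target = f.detail.split(" -> ", 1)
                tasks.setdefault(task, set()).add(target)
            elif f.rule == "defender_exclusion_added":
                exclusions.append(f.detail)
    return {"counts": dict(counts), "tasks": tasks, "exclusions": exclusions}


WMI = "C:\\Windows\\system32\\wbem\\wmiprvse.exe"
DROPPER = "C:\\providercommon\\DllCommonsvc.exe"   # assumed parent of the powershell call
SCHTASKS = "C:\\Windows\\system32\\schtasks.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
CMD = "C:\\Windows\\System32\\cmd.exe"

# Constructed sample: command lines taken from the report plus one benign control.
SAMPLE_EVENTS = [
    Event(WMI, SCHTASKS, 'schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "\'C:\\odt\\csrss.exe\'" /f'),
    Event(WMI, SCHTASKS, 'schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "\'C:\\odt\\csrss.exe\'" /rl HIGHEST /f'),
    Event(WMI, SCHTASKS, 'schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "\'C:\\Program Files\\MSBuild\\dwm.exe\'" /rl HIGHEST /f'),
    Event(DROPPER, PS, '"powershell" -Command Add-MpPreference -ExclusionPath \'C:\\providercommon\\DllCommonsvc.exe\''),
    Event(CMD, "C:\\Windows\\system32\\w32tm.exe", "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"),
    # Benign control: the real dwm.exe under System32, launched by a normal parent, no /rl.
    Event(CMD, SCHTASKS, 'schtasks.exe /create /tn "ok" /sc ONLOGON /tr "\'C:\\Windows\\System32\\dwm.exe\'" /f'),
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2, default=sorted))
```

Run as a script it prints the aggregated result as JSON; in practice feed it the Sysmon or EDR process-creation log instead of SAMPLE_EVENTS. The masquerading check keys only on file name and directory, so it flags every copy this sample registers (C:\odt, C:\Recovery\WindowsRE, Package Cache and the Program Files paths alike) while leaving the genuine System32 binaries alone.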
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 20.42.65.84:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
The 185.199.108.133:443 (raw.githubusercontent.com) connection is recorded 11 times; the two rows without a domain are listed in the report with an empty Domain column.
Files
memory/4696-119-0x0000000077740000-0x00000000778CE000-memory.dmp through memory/4696-182-0x0000000077740000-0x00000000778CE000-memory.dmp (62 dumps of the same 0x18E000-byte region of PID 4696; indices 123 and 126 are absent)
memory/5056-183-0x0000000000000000-mapping.dmp
memory/5056-184-0x0000000077740000-0x00000000778CE000-memory.dmp
memory/5056-185-0x0000000077740000-0x00000000778CE000-memory.dmp
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
memory/3556-259-0x0000000000000000-mapping.dmp
memory/4772-282-0x0000000000000000-mapping.dmp
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4772-285-0x00000000009D0000-0x0000000000AE0000-memory.dmp
memory/4772-286-0x0000000000FE0000-0x0000000000FF2000-memory.dmp
memory/4772-287-0x0000000001010000-0x000000000101C000-memory.dmp
memory/4772-288-0x0000000000FF0000-0x0000000000FFC000-memory.dmp
memory/4772-289-0x0000000001020000-0x000000000102C000-memory.dmp
memory/2720-290-0x0000000000000000-mapping.dmp
memory/2520-291-0x0000000000000000-mapping.dmp
memory/3912-293-0x0000000000000000-mapping.dmp
memory/2448-292-0x0000000000000000-mapping.dmp
memory/3476-294-0x0000000000000000-mapping.dmp
memory/4012-295-0x0000000000000000-mapping.dmp
memory/4448-296-0x0000000000000000-mapping.dmp
memory/592-297-0x0000000000000000-mapping.dmp
memory/2648-298-0x0000000000000000-mapping.dmp
memory/2188-305-0x0000000000000000-mapping.dmp
memory/4764-301-0x0000000000000000-mapping.dmp
memory/1920-309-0x0000000000000000-mapping.dmp
memory/1284-318-0x0000000000000000-mapping.dmp
memory/4200-312-0x0000000000000000-mapping.dmp
memory/4900-346-0x0000000000000000-mapping.dmp
C:\Program Files\MSBuild\dwm.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
C:\Users\Admin\AppData\Local\Temp\uOEGMIRuqZ.bat
| MD5 | 7db8a8e4ba082515d2ba89a386caacfd |
| SHA1 | 05afc9082e37c1e90a91139149ac17963398b03d |
| SHA256 | 341c4bbc8ced38be49120599fd92257fc418824217001007a944a93a35087f80 |
| SHA512 | e11d4a56cd8b8085327e19cb3c5bb0a8a6bd9de76bd52c1d1d0aeb2651a5d2087da2b3491dd2d0bc1446154ed894e7826472bfe5a3b405fd28852dbc2f6e6923 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | ad5cd538ca58cb28ede39c108acb5785 |
| SHA1 | 1ae910026f3dbe90ed025e9e96ead2b5399be877 |
| SHA256 | c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033 |
| SHA512 | c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 94aca9ba1f84a489b4e97898bca4539b |
| SHA1 | 32bb3571fe4739ace62cf8704e039bbeead2939f |
| SHA256 | 17c0363e17f591bf9f53fab05ff46b37ea6a6d78c807b05ce07367c065286e79 |
| SHA512 | 7430b7583ac55ee15f6c4bf8ae32d486dc6f0e187a040738e8e53785c4df1b722103eebb7970a985b96b5ae9746478376815913ba7d4a2a9e1029c4910af47be |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bcd75daea7963167d3f8e40ba986ee7e |
| SHA1 | 6e0535c54ab8f7708932ba2f9674a2a6962c3943 |
| SHA256 | 99e82cbcc52a5f6b16bba8994228c35dba87abb8f047c5a210959b24c1f9b88f |
| SHA512 | 38b27ccf948d4a81eaff88b8358cd5ec1e4ed688c743436302eaa39866ffdade4b4d5567b146211d633d3d64626899de7637e4780d5b6412c19cdebc4edc2268 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d95a9865506ac32268c0388f8549a004 |
| SHA1 | 30d102f0d293abe78b4594933dfceaaed69c2706 |
| SHA256 | 17b28959d997b5a2e0d6a7ab08798a76e7a7c3b37ed1a6494a5e90ddb844e08f |
| SHA512 | ff4fddb63ec196a5e0851866df4dc322ceb9e3c5b3817c30fc481b9acbaa9404479dcb990b935fb330e525fa90896852b35533a470dba9036483239fb87c482e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | aca575bb5b733dafbdc71372e52547ef |
| SHA1 | ed6bb9828fdf19693a86e6d74a0c7915be8d67e5 |
| SHA256 | e9be6f64f6ef44b4e30ae07d77ad7dcb41c1c1c3afe5da15c5c016d11eb8bd7f |
| SHA512 | 149bed98bc521acdc7392315c5b2bc132dff649ee6873f20c9bf7239100abbe12a61c767f094aa8c93e26b06a2ebbaa5938c669cc655f9dca0d38a5cfe02c493 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1aada366135da6f493d1fb63feaefe9e |
| SHA1 | 7a2e7a5dfb5c0374b719c7b050b0adaf48d451aa |
| SHA256 | 8f8fd98c392da6385211f970c638104f11407dcf935b062bb5f333d8daf46391 |
| SHA512 | bd88dc26e7f615e3aa02cf7dcc88a103b1c7df3b40abd6795b08964a15dc0b0a61554a33d2b280a1cebc01b0e0f3af05b22e63c5701c4ef18d18ef58d819b33e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3ce3ed4732ea2563a7d5e88d3da49cd3 |
| SHA1 | a2f686162e1e8b28fd5bb1dcbae15b4110f34100 |
| SHA256 | e0e7157657b14528b91ee8d0b04bd16cabd21cbd00a97a5c35ec0d773931cc02 |
| SHA512 | 79db38e035fe56d1de5942c9941951c3bd564f13f871d32de50a626d7695be133cbae0cf63b56770f29f8016a25951a8bb7700934f48deb778c3418de3d1910c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6451f086db7687095451e197015c8d10 |
| SHA1 | a2c5fd63d4679e7ba4cafec585bd3aaf212d2476 |
| SHA256 | be28a4bf8dc8962d3a3fd92bab88af741b57b571d507da5e6d73e2ced22b537d |
| SHA512 | 6be7e42d2c7c72653b1b1f360f8252f3f3a4f703129ea5072998422243cb8a95f2402fc92a77a846f5a5843b92a74949b9287019d3b8bb28fa3ef6c71f29e692 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e9ba28f2d4217a343c8648d22fbe9737 |
| SHA1 | 07b1892d6330f61f2ead872cd41a60ab19f403a0 |
| SHA256 | da824bc99d5c24d7ca83e1e1cfee8288b7ad61736c3f143d816171b2044a4b73 |
| SHA512 | 29e202086d319135bb79ffd233e7b58eab0e7888485baaece1bc3a478b862c712ce061d1dd29017cb67ef0fe66037ec725996e19203a3f046ee46f94cfa35c35 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3a664255c97733804f7f63100d93cbd6 |
| SHA1 | a3075d899b36ee98e9cc2f85c9eb8df3a20abcf9 |
| SHA256 | ab128874f205d3d7c305b6a8ab946e8268da98093110046ec42693e563040dce |
| SHA512 | 3a36b4e8c6a1e8376ba667813a87f615deeb0b533d52a38941a0cd23b57fe10a8c2b12db6828d7c7ce345527eb1a45c64adf4bcd46d77576288d2b4b946dc813 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4dd63e07607ba0ddffea2322a093b96a |
| SHA1 | 388b4318a9662adb8b08b11a58e021d479f97ae9 |
| SHA256 | c0ad0fc641c5a85a002805a44b1412ee20e6982517b51927e2adb48606cc920c |
| SHA512 | 38e975456e95ea2b1acebf92e6baedac67801454d0f9a487939f5b57d1ad14c16c825c152a922a0d609f69241d78abfed2a73bcad8257d65d2017efa0218293d |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log
| MD5 | d63ff49d7c92016feb39812e4db10419 |
| SHA1 | 2307d5e35ca9864ffefc93acf8573ea995ba189b |
| SHA256 | 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12 |
| SHA512 | 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a |
C:\Users\Admin\AppData\Local\Temp\CxpWyGgMb4.bat
| MD5 | 00a7d2623671304e88923e97e449aade |
| SHA1 | 1364efd78d24e1e8153aaadaf2def767717aa130 |
| SHA256 | c95b5e1165bd305657aed3278499e3536587b8ae65cf8aaa99a8c30904d865a7 |
| SHA512 | a1f8b444aa9a5d06ed21e38dd844ffcafdd6dc1f480414b41cc9d2c637984407633555f50a864da375048a5b2069b3713786976cc46ec6621eced4f925e9ecce |
C:\Users\Admin\AppData\Local\Temp\AvSbArq942.bat
| MD5 | fcb02c8d1310b991994a853fbc77f907 |
| SHA1 | a40f1b5403bbf05ed8194854be55fa2aed93a271 |
| SHA256 | c4fb72fefdf1411abcf347db5d002a6fef2559ab6c00065a72f9ff90376dff20 |
| SHA512 | 93ba1ef90582fc3375049c5e9d2df818f6e91ab7f01a88e00fbe7872a00d9046166a7508d38172e72da257badf1b7f4742606d5b782da3f7f1573418a61f2e73 |
C:\Users\Admin\AppData\Local\Temp\BmKXfVMxAz.bat
| MD5 | 5f34dd91b67e3e6cce9bff23023fba1e |
| SHA1 | 6e1c508d36895de29d7f822950c5418e3669d7f4 |
| SHA256 | 2e5c642c995124b651def3c03d99b7d911f0dbfeb15952a79a36753a24abf762 |
| SHA512 | de7b1a2559f098c6370c0d1db1bdd3bff7c8338f28ec3e4d7fe66828b512c4a9002e1971d983cc42f9d372768776739160f6bd28648505b71fd5918456a3239e |
C:\Users\Admin\AppData\Local\Temp\NczlPfxoCy.bat
| MD5 | 4d4247814705e009157329a520f9e3b3 |
| SHA1 | 7cfa598425716ff5c42ed51122f32131c6d4daa6 |
| SHA256 | 3ec0eb5c5b71f1ad28b4392c52dbb52ac0ba119e6af18f5fef17c146af49c045 |
| SHA512 | fb5f1f5983d91dc48f37e10647236278d0f1274aa73686a027730e87bce9b07ad6e9ad5e0fa54becee850f0b33b3b3ed090ccd0b80a731c0e6adb48a7455d76c |
C:\Users\Admin\AppData\Local\Temp\p6CE4ikEee.bat
| MD5 | 87252dedc67e686a8047ac03ecd2310e |
| SHA1 | b9973782e07c20e5b389d9a19baa39309b6a07fd |
| SHA256 | d63e5da2af9a93aed6b873fa2bf798ca754bbd360c60415b4e26a3eaef3daf21 |
| SHA512 | a96acae6a507894172646861132ad708665145d8fed2a8ff406a4567521f8d49e2dd60409753badd86f65ffd79745e9384b9c7b635a2ec9378305472a21d063a |
C:\Users\Admin\AppData\Local\Temp\zGIMjSYhT8.bat
| MD5 | 3fe4dc2bc049629dcf4a8aa5eea56e59 |
| SHA1 | 11f38aef6314fa5663b41354c0fd47ac38d4dc9a |
| SHA256 | 600821eff272a1d3b102977888a930e55430d5d8200157ba1dc44903ba6487a8 |
| SHA512 | 39af477bbe44cd8259777cb6a9b1e39404368d00ea096d6d4bfc705bbb03906dbb6fd1fc5a66e7e3cfa3cd06c465c1b953b62aaa6bbf0222da34d12b8764d81c |
C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat
| MD5 | 399924d5ceaded76fc71ddc01192ca5b |
| SHA1 | adf654ba327349b572f6703c9fbd482659591829 |
| SHA256 | b07c9606420b77a721404206b43cf47eb1a4a185181c8c2d03a8130c9a110242 |
| SHA512 | a05261b00c7f850dccda5a466ab55f307f74156ee7e1ddf3562e257219b424840f2c28473fc5ba1b3c70287da1bf127d6cae86d7bffba80bdf91e84d46a33d78 |
C:\Users\Admin\AppData\Local\Temp\daA37ewxym.bat
| MD5 | 1de03e5acfa59717c6b97693f4c16438 |
| SHA1 | 77ac6d79588b0f06fb5f9b28a03915ddcd5b7808 |
| SHA256 | 809b7412b35b7ba8c2aabb48f659d90db58264c5f930dd0ec341b95d655a9181 |
| SHA512 | 5f224684ac1085094eec4d2216a8450bae791510e32ad5ed9d28dde6f464e7ba105891a62aeed284478ae8019529b1d11ba9990665c3a90b677ebb45d2c5ad8a |
C:\Users\Admin\AppData\Local\Temp\53OVnhiNRT.bat
| MD5 | 0b982405a999928e2ccbe8427bd714e3 |
| SHA1 | ab7528f5d605efa4d0630272cc6055951d8f3306 |
| SHA256 | 2b6649a587c39b9d53559d8a1b4a09d7aa72664ea8b29f7d55a763635a94bc21 |
| SHA512 | ccd54ffe25c36ad3e10f083fb88e1b766a17b555283fa7de18454158df09b1e005f1f0de8a4b032afdc406e0bd17accd86282b68670758a22b3f38211ea75ecd |
C:\Users\Admin\AppData\Local\Temp\ZZzsG8LzQB.bat
| MD5 | 54fbf3131a7a654b542fda33da55a207 |
| SHA1 | 48e9d33d10484efa36edbc696692eec402fb3fcc |
| SHA256 | 64b6de21a44c7a9904505311ac5f0d4f85e0947604f94e6c3b9e51f047e481fd |
| SHA512 | 9992b88c803b7b35c1171e6a67619254749af39084a141e82e8e24dda22428ef73f5630284d06c4ae8fe067f0d8895d77f722156344c34effec6cce6a980b24b |