Malware Analysis Report

2025-08-10 23:14

Sample ID 221031-1x27padec8
Target 816bd938e76154d9f6d193a5b6afb87cc0a8ad540ca8d95633b5660380cbf7e7
SHA256 816bd938e76154d9f6d193a5b6afb87cc0a8ad540ca8d95633b5660380cbf7e7
Tags
rat dcrat infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

816bd938e76154d9f6d193a5b6afb87cc0a8ad540ca8d95633b5660380cbf7e7

Threat Level: Known bad

The file 816bd938e76154d9f6d193a5b6afb87cc0a8ad540ca8d95633b5660380cbf7e7 was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

DcRat

Process spawned unexpected child process

DCRat payload

Dcrat family

DCRat payload

Executes dropped EXE

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-31 22:02

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-31 22:02

Reported

2022-10-31 22:05

Platform

win10v2004-20220812-en

Max time kernel

148s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\816bd938e76154d9f6d193a5b6afb87cc0a8ad540ca8d95633b5660380cbf7e7.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target Count
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe 39

DCRat payload

rat
Description Indicator Process Target Count
N/A N/A N/A N/A 16

Checks computer location settings

Description Indicator Process Target Count
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\providercommon\DllCommonsvc.exe N/A 1
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Adobe\OfficeClickToRun.exe N/A 11
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\816bd938e76154d9f6d193a5b6afb87cc0a8ad540ca8d95633b5660380cbf7e7.exe N/A 1
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A 1

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Internet Explorer\ja-JP\c82b8037eab33d C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\upfc.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ea1d8f6d871115 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Adobe\OfficeClickToRun.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Adobe\e6c9b481da804f C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Mail\9e8d7a4ca61bd9 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Internet Explorer\ja-JP\WaaSMedicAgent.exe C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\LiveKernelReports\System.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\LiveKernelReports\27d1bcfc3c54e0 C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target Count
N/A N/A C:\Windows\system32\schtasks.exe N/A 39

Modifies registry class

Description Indicator Process Target Count
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings C:\Program Files (x86)\Adobe\OfficeClickToRun.exe N/A 11
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings C:\providercommon\DllCommonsvc.exe N/A 1
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\816bd938e76154d9f6d193a5b6afb87cc0a8ad540ca8d95633b5660380cbf7e7.exe N/A 1

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\providercommon\DllCommonsvc.exe N/A 14
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 39
N/A N/A C:\Windows\System32\Conhost.exe N/A 3
N/A N/A C:\Program Files (x86)\Adobe\OfficeClickToRun.exe N/A 8

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A 1
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 13
Token: SeDebugPrivilege N/A C:\Windows\System32\Conhost.exe N/A 1
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Adobe\OfficeClickToRun.exe N/A 12

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 3172 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\816bd938e76154d9f6d193a5b6afb87cc0a8ad540ca8d95633b5660380cbf7e7.exe C:\Windows\SysWOW64\WScript.exe 3
PID 4500 wrote to memory of 696 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe 3
PID 696 wrote to memory of 5104 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe 2
PID 5104 wrote to memory of 1968 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 5104 wrote to memory of 1456 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 5104 wrote to memory of 1928 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 5104 wrote to memory of 740 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 5104 wrote to memory of 1032 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 5104 wrote to memory of 424 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 5104 wrote to memory of 736 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\Conhost.exe 2
PID 5104 wrote to memory of 816 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 5104 wrote to memory of 444 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 5104 wrote to memory of 448 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 5104 wrote to memory of 4956 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 5104 wrote to memory of 2060 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 5104 wrote to memory of 4260 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 5104 wrote to memory of 2192 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 5104 wrote to memory of 2024 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe 2
PID 2024 wrote to memory of 404 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe 2
PID 2024 wrote to memory of 1536 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Adobe\OfficeClickToRun.exe 2
PID 1536 wrote to memory of 3160 N/A C:\Program Files (x86)\Adobe\OfficeClickToRun.exe C:\Windows\System32\cmd.exe 2
PID 3160 wrote to memory of 1252 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe 2
PID 3160 wrote to memory of 4696 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Adobe\OfficeClickToRun.exe 2
PID 4696 wrote to memory of 4264 N/A C:\Program Files (x86)\Adobe\OfficeClickToRun.exe C:\Windows\System32\cmd.exe 2
PID 4264 wrote to memory of 4880 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe 2
PID 4264 wrote to memory of 4804 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Adobe\OfficeClickToRun.exe 2
PID 4804 wrote to memory of 4444 N/A C:\Program Files (x86)\Adobe\OfficeClickToRun.exe C:\Windows\System32\cmd.exe 2
PID 4444 wrote to memory of 3456 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe 2
PID 4444 wrote to memory of 4128 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Adobe\OfficeClickToRun.exe 2
PID 4128 wrote to memory of 4032 N/A C:\Program Files (x86)\Adobe\OfficeClickToRun.exe C:\Windows\System32\cmd.exe 2
PID 4032 wrote to memory of 1988 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe 2

Processes

C:\Users\Admin\AppData\Local\Temp\816bd938e76154d9f6d193a5b6afb87cc0a8ad540ca8d95633b5660380cbf7e7.exe

"C:\Users\Admin\AppData\Local\Temp\816bd938e76154d9f6d193a5b6afb87cc0a8ad540ca8d95633b5660380cbf7e7.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\odt\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\odt\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\odt\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\LiveKernelReports\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\LiveKernelReports\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\odt\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\odt\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\odt\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\odt\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\WaaSMedicAgent.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\odt\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\odt\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\odt\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\odt\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\System.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\OfficeClickToRun.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\ja-JP\WaaSMedicAgent.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\upfc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\WindowsHolographicDevices\SpatialStore\System.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pAoVHioU5v.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Adobe\OfficeClickToRun.exe

"C:\Program Files (x86)\Adobe\OfficeClickToRun.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z6HXYUNDfk.bat"

C:\Program Files (x86)\Adobe\OfficeClickToRun.exe

"C:\Program Files (x86)\Adobe\OfficeClickToRun.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m47JVZSxDi.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Adobe\OfficeClickToRun.exe

"C:\Program Files (x86)\Adobe\OfficeClickToRun.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BcIiUXCUMc.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Adobe\OfficeClickToRun.exe

"C:\Program Files (x86)\Adobe\OfficeClickToRun.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CooinIVsng.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Adobe\OfficeClickToRun.exe

"C:\Program Files (x86)\Adobe\OfficeClickToRun.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9gHfnS8a2p.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Adobe\OfficeClickToRun.exe

"C:\Program Files (x86)\Adobe\OfficeClickToRun.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m47JVZSxDi.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Adobe\OfficeClickToRun.exe

"C:\Program Files (x86)\Adobe\OfficeClickToRun.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p5ITN63wlJ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Adobe\OfficeClickToRun.exe

"C:\Program Files (x86)\Adobe\OfficeClickToRun.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7etkz3INVn.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Adobe\OfficeClickToRun.exe

"C:\Program Files (x86)\Adobe\OfficeClickToRun.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z6HXYUNDfk.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Adobe\OfficeClickToRun.exe

"C:\Program Files (x86)\Adobe\OfficeClickToRun.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jk1vLt9ke4.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Adobe\OfficeClickToRun.exe

"C:\Program Files (x86)\Adobe\OfficeClickToRun.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Adobe\OfficeClickToRun.exe

"C:\Program Files (x86)\Adobe\OfficeClickToRun.exe"

Network


Files
