Malware Analysis Report

2025-08-10 23:14

Sample ID 221031-1xtwbaeddj
Target c16cbce8292b81b29e79f6b590f474b19a2cdc2639b445d6f3998e701b4ad0a4
SHA256 c16cbce8292b81b29e79f6b590f474b19a2cdc2639b445d6f3998e701b4ad0a4
Tags
dcrat infostealer rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c16cbce8292b81b29e79f6b590f474b19a2cdc2639b445d6f3998e701b4ad0a4

Threat Level: Known bad

The file c16cbce8292b81b29e79f6b590f474b19a2cdc2639b445d6f3998e701b4ad0a4 was found to be: Known bad.

Malicious Activity Summary

dcrat infostealer rat

DCRat payload

Process spawned unexpected child process

Dcrat family

DcRat

DCRat payload

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-31 22:02

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-31 22:02

Reported

2022-10-31 22:04

Platform

win10-20220812-en

Max time kernel

147s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c16cbce8292b81b29e79f6b590f474b19a2cdc2639b445d6f3998e701b4ad0a4.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(The row above is repeated 48 times in the original report, once per schtasks.exe launch. WmiPrvSE.exe is the parent because the tasks were created through WMI, typically Win32_Process.Create, rather than by DllCommonsvc.exe directly. That breaks the visible parent/child link between the payload and its persistence, so hunting for schtasks.exe /create should key on WmiPrvSE.exe as the parent and on the task arguments, not on the dropper's own process tree.)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
(16 matches in the original report; the rule records no per-match indicator, so all 16 rows are identical to the one above.)

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\5940a34987c991 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\lsass.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\6203df4a6bafc7 C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Migration\WTR\56085415360792 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\en-US\Idle.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Cursors\lsass.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Downloaded Program Files\conhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\schemas\sppsvc.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\schemas\0a1fd5f707cd16 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Migration\WTR\wininit.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\en-US\6ccacd8608530f C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Cursors\6203df4a6bafc7 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Downloaded Program Files\088424020bedd6 C:\providercommon\DllCommonsvc.exe N/A
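The two tables above show the dropper's layout: copies named after Windows system processes, placed in directories where those names do not belong, each with a 14-hex-character companion file beside it. The Python below is an added example for this report, not sandbox output and not code from the sample; it applies that check to a constructed list of the paths above plus one genuine System32 path as a control. The image-name set, the home-directory table and the 14-hex-digit marker pattern are assumptions drawn from these two tables, not a definition of the family.

```python
import re
from pathlib import PureWindowsPath

# Image names of Windows system processes that the dropper above reuses for
# its copies. idle.exe is included because the sample drops one; the real
# "System Idle Process" has no on-disk image at all, so any Idle.exe is fake.
SYSTEM_IMAGE_NAMES = {
    "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "dllhost.exe", "conhost.exe", "sppsvc.exe",
    "fontdrvhost.exe", "cmd.exe", "explorer.exe", "idle.exe",
}

# Where each image legitimately lives (lower-case, no trailing backslash).
# Assumption: System32/SysWOW64 for everything except explorer.exe.
DEFAULT_HOME_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
HOME_DIRS = {"explorer.exe": {r"c:\windows"}}

# Companion file dropped next to each copy (e.g. 6203df4a6bafc7). Assumption:
# exactly 14 lower-case hex characters and no extension, as in every row above.
MARKER_RE = re.compile(r"^[0-9a-f]{14}$")

# Constructed sample: the "File created" paths from the two tables above plus
# one benign control (the genuine lsass.exe location), which must not match.
DROPPED_FILES = [
    r"C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe",
    r"C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\5940a34987c991",
    r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\lsass.exe",
    r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\6203df4a6bafc7",
    r"C:\Windows\Migration\WTR\56085415360792",
    r"C:\Windows\en-US\Idle.exe",
    r"C:\Windows\Cursors\lsass.exe",
    r"C:\Windows\Downloaded Program Files\conhost.exe",
    r"C:\Windows\schemas\sppsvc.exe",
    r"C:\Windows\schemas\0a1fd5f707cd16",
    r"C:\Windows\Migration\WTR\wininit.exe",
    r"C:\Windows\en-US\6ccacd8608530f",
    r"C:\Windows\Cursors\6203df4a6bafc7",
    r"C:\Windows\Downloaded Program Files\088424020bedd6",
    r"C:\Windows\System32\lsass.exe",  # benign control: the real lsass.exe
]


def _split(path):
    """Return (lower-cased parent directory, lower-cased file name)."""
    p = PureWindowsPath(path)
    return str(p.parent).lower(), p.name.lower()


def find_masquerades(paths):
    """Return (masqueraders, markers).

    masqueraders: files whose name is a system process image but whose
    directory is not that image's home directory.
    markers: 14-hex-digit companion files in the same directory as a
    masquerader; they tie the copies to one dropper even when the
    executables themselves differ.
    """
    masqueraders = []
    for path in paths:
        parent, name = _split(path)
        if name in SYSTEM_IMAGE_NAMES and parent not in HOME_DIRS.get(name, DEFAULT_HOME_DIRS):
            masqueraders.append(path)

    flagged_dirs = {_split(p)[0] for p in masqueraders}
    markers = [
        path for path in paths
        if MARKER_RE.match(_split(path)[1]) and _split(path)[0] in flagged_dirs
    ]
    return masqueraders, markers


if __name__ == "__main__":
    copies, companions = find_masquerades(DROPPED_FILES)
    print(f"{len(copies)} masquerading copies, {len(companions)} companion markers")
    for c in copies:
        print("  copy:  ", c)
    for m in companions:
        print("  marker:", m)
```

On a live host the same function can be fed the output of a recursive directory listing of C:\Windows and C:\Program Files*; the marker check is what separates this dropper's copies from an unrelated file that merely shares a system process name.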

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
(48 identical rows in the original report, one per schtasks.exe /create. The Processes section below shows three tasks per dropped binary, so 48 creations would correspond to 16 copies; only the first 6 binaries' command lines survive in the truncated process list.)

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\c16cbce8292b81b29e79f6b590f474b19a2cdc2639b445d6f3998e701b4ad0a4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings C:\providercommon\DllCommonsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings C:\Windows\Migration\WTR\wininit.exe N/A
(The wininit.exe row is repeated 11 times in the original report, once per relaunch. This key is created by many ordinary processes and is low-signal on its own; what matters here is which processes touched it.)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
(36 rows for DllCommonsvc.exe and 28 for powershell.exe in the original report, 64 in all; the signature records no per-row indicator.)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
(In the original report the powershell.exe SeDebugPrivilege row appears 17 times, once for each of the 17 PowerShell children of DllCommonsvc.exe, and the 21-row block from SeIncreaseQuotaPrivilege to 36 is recorded three times; the listing stops at 64 rows, so the third copy is cut off after SeLoadDriverPrivilege. That block is, in ascending LUID order, every privilege an elevated administrator token holds disabled by default, which is consistent with the process enabling all of its privileges in a single AdjustTokenPrivileges call. The four numbered entries are privilege LUIDs the sandbox did not resolve to names; per winnt.h they are 33 SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege and 36 SeDelegateSessionUserImpersonatePrivilege.)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3040 wrote to memory of 4512 (3 rows) N/A C:\Users\Admin\AppData\Local\Temp\c16cbce8292b81b29e79f6b590f474b19a2cdc2639b445d6f3998e701b4ad0a4.exe C:\Windows\SysWOW64\WScript.exe
PID 4512 wrote to memory of 4516 (3 rows) N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4516 wrote to memory of 3248 (2 rows) N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 3248 wrote to memory of 1544, 2872, 3120, 848, 2428, 3660, 2636, 5084, 4812, 2108, 3512, 4656, 3744, 2028, 3464, 4176, 3736 (17 children, 2 rows each) N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3248 wrote to memory of 396 (2 rows) N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 396 wrote to memory of 4744 (2 rows) N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 396 wrote to memory of 3132 (2 rows) N/A C:\Windows\System32\cmd.exe C:\Windows\Migration\WTR\wininit.exe
PID 3132 wrote to memory of 5704 (2 rows) N/A C:\Windows\Migration\WTR\wininit.exe C:\Windows\System32\cmd.exe
PID 5704 wrote to memory of 5760 (2 rows) N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5704 wrote to memory of 5780 (2 rows) N/A C:\Windows\System32\cmd.exe C:\Windows\Migration\WTR\wininit.exe
PID 5780 wrote to memory of 5892 (2 rows) N/A C:\Windows\Migration\WTR\wininit.exe C:\Windows\System32\cmd.exe
PID 5892 wrote to memory of 5948 (2 rows) N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5892 wrote to memory of 5968 (2 rows) N/A C:\Windows\System32\cmd.exe C:\Windows\Migration\WTR\wininit.exe
PID 5968 wrote to memory of 6076 (2 rows) N/A C:\Windows\Migration\WTR\wininit.exe C:\Windows\System32\cmd.exe
PID 6076 wrote to memory of 6132 (2 rows) N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
(The original listing has 64 rows and ends at PID 6132. The repeated rows are the writes a parent makes into a freshly created child during CreateProcess, so this table is effectively the process tree rather than evidence of code injection. Read top to bottom it gives the execution chain: the sample runs WScript.exe on the dropped .vbe, which runs cmd.exe on the dropped .bat, which starts C:\providercommon\DllCommonsvc.exe, the DCRat payload. DllCommonsvc.exe spawns 17 powershell.exe instances and one cmd.exe; that cmd.exe runs w32tm.exe and the dropped C:\Windows\Migration\WTR\wininit.exe, a copy named after the real C:\Windows\System32\wininit.exe, and every wininit.exe copy in turn runs cmd.exe, which runs w32tm.exe and another wininit.exe, four generations deep before the listing is cut off. The pattern matches DCRat's known use of w32tm.exe as a delay between relaunches, but the w32tm.exe command line is not recorded on this page, so that reading cannot be confirmed here.)
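Once duplicate rows are merged, the table above is a process tree, and two things in it are worth automating: the WScript.exe to cmd.exe hand-off, and a dropped binary that appears more than once on a single ancestry path (the wininit.exe relaunch loop). The Python below is an added example, not part of the sandbox report or of the sample; it parses rows in the page's own format, merges duplicates into counted edges, flags listed unexpected parent/child image pairs, and walks every root-to-leaf path looking for a non-system image that recurs. The rows are a constructed subset of the table; the system-directory list and the unexpected-parent table are assumptions.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# One table row: "PID <parent> wrote to memory of <child> N/A <parent image> <child image>"
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.*?) (C:\\.*)$")

# Images under these directories are genuine Windows binaries; cmd.exe recurring
# across generations is normal, a recurring copy from anywhere else is not.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# child image name -> parent image names that should not launch it (assumption).
UNEXPECTED_PARENTS = {
    "cmd.exe": {"wscript.exe", "cscript.exe"},  # script host handing off to a shell
    "schtasks.exe": {"wmiprvse.exe"},           # task creation routed through WMI
}

# Constructed sample: eleven rows from the table above, duplicates included.
SAMPLE_ROWS = r"""
PID 3040 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\c16cbce8292b81b29e79f6b590f474b19a2cdc2639b445d6f3998e701b4ad0a4.exe C:\Windows\SysWOW64\WScript.exe
PID 3040 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\c16cbce8292b81b29e79f6b590f474b19a2cdc2639b445d6f3998e701b4ad0a4.exe C:\Windows\SysWOW64\WScript.exe
PID 4512 wrote to memory of 4516 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4516 wrote to memory of 3248 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 3248 wrote to memory of 1544 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3248 wrote to memory of 396 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 396 wrote to memory of 3132 N/A C:\Windows\System32\cmd.exe C:\Windows\Migration\WTR\wininit.exe
PID 3132 wrote to memory of 5704 N/A C:\Windows\Migration\WTR\wininit.exe C:\Windows\System32\cmd.exe
PID 5704 wrote to memory of 5760 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5704 wrote to memory of 5780 N/A C:\Windows\System32\cmd.exe C:\Windows\Migration\WTR\wininit.exe
PID 5780 wrote to memory of 5892 N/A C:\Windows\Migration\WTR\wininit.exe C:\Windows\System32\cmd.exe
"""


def parse_rows(text):
    """Yield (parent_pid, child_pid, parent_image, child_image) per row."""
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield int(m[1]), int(m[2]), m[3], m[4]


def build_tree(rows):
    """Collapse duplicate rows into one edge per (parent, child). Returns
    children (pid -> child pids, first-seen order), image (pid -> path) and
    edge_count ((parent, child) -> number of rows seen)."""
    children, image, edge_count = defaultdict(list), {}, defaultdict(int)
    for ppid, cpid, pimg, cimg in rows:
        image[ppid], image[cpid] = pimg, cimg
        if edge_count[(ppid, cpid)] == 0:
            children[ppid].append(cpid)
        edge_count[(ppid, cpid)] += 1
    return children, image, edge_count


def root_pids(children, image):
    """PIDs that never appear as a child: the top of each tree."""
    all_children = {c for kids in children.values() for c in kids}
    return [pid for pid in image if pid not in all_children]


def unexpected_pairs(children, image):
    """Edges whose (parent, child) image names are listed in UNEXPECTED_PARENTS."""
    hits = []
    for ppid, kids in children.items():
        pname = PureWindowsPath(image[ppid]).name.lower()
        for cpid in kids:
            cname = PureWindowsPath(image[cpid]).name.lower()
            if pname in UNEXPECTED_PARENTS.get(cname, ()):
                hits.append((ppid, pname, cpid, cname))
    return hits


def find_relaunch_loops(children, image, root):
    """Report non-system images that occur more than once on a single
    root-to-leaf path, i.e. a dropped binary relaunching itself
    (wininit.exe -> cmd.exe -> wininit.exe ...). Returns {image: pids}."""
    found = {}

    def is_system(img):
        parent = str(PureWindowsPath(img).parent).lower()
        return any(parent == d or parent.startswith(d + "\\") for d in SYSTEM_DIRS)

    def walk(pid, path):
        path = path + [pid]
        if children.get(pid):
            for c in children[pid]:
                walk(c, path)
            return
        seen = defaultdict(list)           # leaf reached: examine the whole path
        for p in path:
            if not is_system(image[p]):
                seen[image[p].lower()].append(p)
        for img, pids in seen.items():
            if len(pids) > 1 and len(pids) > len(found.get(img, ())):
                found[img] = tuple(pids)

    walk(root, [])
    return found


if __name__ == "__main__":
    children, image, counts = build_tree(parse_rows(SAMPLE_ROWS))
    for root in root_pids(children, image):
        print("root", root, image[root])
        for img, pids in find_relaunch_loops(children, image, root).items():
            print("  relaunch loop:", img, "pids", pids)
    for ppid, pname, cpid, cname in unexpected_pairs(children, image):
        print(f"  unexpected parent: {pname} ({ppid}) -> {cname} ({cpid})")
```

The same tree walk works on Sysmon Event ID 1 records (ParentProcessId, ProcessId, Image) once parse_rows is swapped for an event-log reader; the loop detector is what turns a chain of individually plausible cmd.exe launches into a single finding.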

Processes

C:\Users\Admin\AppData\Local\Temp\c16cbce8292b81b29e79f6b590f474b19a2cdc2639b445d6f3998e701b4ad0a4.exe

"C:\Users\Admin\AppData\Local\Temp\c16cbce8292b81b29e79f6b590f474b19a2cdc2639b445d6f3998e701b4ad0a4.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\odt\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\odt\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\providercommon\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\Migration\WTR\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\Migration\WTR\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\en-US\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\en-US\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\en-US\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\Cursors\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Cursors\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\Cursors\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Music\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Music\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Music\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Pictures\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\Downloaded Program Files\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\Downloaded Program Files\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\schemas\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\schemas\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\schemas\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\odt\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Pictures\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\schemas\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\lsass.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\lsass.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\cmd.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\OfficeClickToRun.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jO69LB4byb.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Migration\WTR\wininit.exe

"C:\Windows\Migration\WTR\wininit.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pI0EcicZAo.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Migration\WTR\wininit.exe

"C:\Windows\Migration\WTR\wininit.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Migration\WTR\wininit.exe

"C:\Windows\Migration\WTR\wininit.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s5uDoSCHZY.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Migration\WTR\wininit.exe

"C:\Windows\Migration\WTR\wininit.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6raUEgr1vJ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Migration\WTR\wininit.exe

"C:\Windows\Migration\WTR\wininit.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6raUEgr1vJ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Migration\WTR\wininit.exe

"C:\Windows\Migration\WTR\wininit.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q3WH03M43W.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Migration\WTR\wininit.exe

"C:\Windows\Migration\WTR\wininit.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Migration\WTR\wininit.exe

"C:\Windows\Migration\WTR\wininit.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RgqsKqwwLg.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Migration\WTR\wininit.exe

"C:\Windows\Migration\WTR\wininit.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kQw8FYVnXF.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Migration\WTR\wininit.exe

"C:\Windows\Migration\WTR\wininit.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q3WH03M43W.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Migration\WTR\wininit.exe

"C:\Windows\Migration\WTR\wininit.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Asmf6CRzTu.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Migration\WTR\wininit.exe

"C:\Windows\Migration\WTR\wininit.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp

Files

memory/3040-118-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-119-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-120-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-121-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-123-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-124-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-126-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-127-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-128-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-129-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-130-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-131-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-132-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-133-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-134-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-135-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-136-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-137-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-138-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-139-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-140-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-141-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-142-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-143-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-144-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-145-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-147-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-148-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-149-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-151-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-152-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-153-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-150-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-146-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-154-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-155-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-156-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-157-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-158-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-159-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-160-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-161-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-162-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-163-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-164-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-165-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-166-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-167-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-168-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-170-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-169-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-171-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-172-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-173-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-174-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-175-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-176-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-177-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-178-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-179-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-180-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/3040-181-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4512-182-0x0000000000000000-mapping.dmp

memory/4512-183-0x00000000779B0000-0x0000000077B3E000-memory.dmp

memory/4512-184-0x00000000779B0000-0x0000000077B3E000-memory.dmp

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

memory/4516-258-0x0000000000000000-mapping.dmp

memory/3248-281-0x0000000000000000-mapping.dmp

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/3248-284-0x00000000009C0000-0x0000000000AD0000-memory.dmp

memory/3248-285-0x0000000001220000-0x0000000001232000-memory.dmp

memory/3248-286-0x0000000001240000-0x000000000124C000-memory.dmp

memory/3248-287-0x000000001B620000-0x000000001B62C000-memory.dmp

memory/3248-288-0x000000001B630000-0x000000001B63C000-memory.dmp

memory/2428-293-0x0000000000000000-mapping.dmp

memory/848-292-0x0000000000000000-mapping.dmp

memory/3660-295-0x0000000000000000-mapping.dmp

memory/4812-301-0x0000000000000000-mapping.dmp

memory/4656-311-0x0000000000000000-mapping.dmp

memory/3512-307-0x0000000000000000-mapping.dmp

memory/2108-304-0x0000000000000000-mapping.dmp

memory/5084-299-0x0000000000000000-mapping.dmp

memory/2636-297-0x0000000000000000-mapping.dmp

memory/3120-291-0x0000000000000000-mapping.dmp

memory/2872-290-0x0000000000000000-mapping.dmp

memory/1544-289-0x0000000000000000-mapping.dmp

memory/3736-329-0x0000000000000000-mapping.dmp

memory/4176-324-0x0000000000000000-mapping.dmp

memory/3464-319-0x0000000000000000-mapping.dmp

memory/2028-316-0x0000000000000000-mapping.dmp

memory/3744-312-0x0000000000000000-mapping.dmp

memory/396-362-0x0000000000000000-mapping.dmp

memory/2872-365-0x000001B6B5410000-0x000001B6B5432000-memory.dmp

memory/848-384-0x00000214F2090000-0x00000214F2106000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jO69LB4byb.bat

MD5 39a8291f55caa819a6a9145a266d0fcb
SHA1 4784b0c76f65b46daec46aee2eef060178068957
SHA256 9c13bd79e82694b23a1d583accd5e8a82cf373f2d02c965dc20b0c66036da82f
SHA512 a4748be408ce4722a1e849401c7a3ac19052697e2462175b39b497bbed8396937621044ede5315af0bd2995b105d8ccf9743531e9f65807e70b31a6731af181e

memory/4744-421-0x0000000000000000-mapping.dmp

memory/3132-726-0x0000000000000000-mapping.dmp

C:\Windows\Migration\WTR\wininit.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Windows\Migration\WTR\wininit.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/3132-797-0x000000001B610000-0x000000001B622000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ad5cd538ca58cb28ede39c108acb5785
SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 974e7a417c80750e820ab36432a5c583
SHA1 324f4a90ab0efa81490972025aeb2c15fb20042b
SHA256 9a51d0169723f6776bce7212f29a3e5519ab8edadcaf33f56f6ea23556196df7
SHA512 45f05ebd6c606e668df3d55fbabe505bd9c0ff355f7d3e1e2d230705d0565e468d0ce770a169c45778e9e8339282245f7de1bbde0ba0e3bf4941beb1048b9471

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e18debd736ea845298d192aaeaf0c812
SHA1 60d82322739b6e25452daf3f183fb078d35ccfc3
SHA256 0d97bd4194cfddfac9c7430a685bdf99645ae27ddce0e65450e431bfa698705f
SHA512 a1386fd234cc35c4180b99e59c48a41e4b7a229dcc3401e0244a862c1ebfdbbece2a23eb0cbb41d1bbe60c53f3116ad5fdb26d1ab98d4d59889ef1d0cf3798e4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e18debd736ea845298d192aaeaf0c812
SHA1 60d82322739b6e25452daf3f183fb078d35ccfc3
SHA256 0d97bd4194cfddfac9c7430a685bdf99645ae27ddce0e65450e431bfa698705f
SHA512 a1386fd234cc35c4180b99e59c48a41e4b7a229dcc3401e0244a862c1ebfdbbece2a23eb0cbb41d1bbe60c53f3116ad5fdb26d1ab98d4d59889ef1d0cf3798e4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e18debd736ea845298d192aaeaf0c812
SHA1 60d82322739b6e25452daf3f183fb078d35ccfc3
SHA256 0d97bd4194cfddfac9c7430a685bdf99645ae27ddce0e65450e431bfa698705f
SHA512 a1386fd234cc35c4180b99e59c48a41e4b7a229dcc3401e0244a862c1ebfdbbece2a23eb0cbb41d1bbe60c53f3116ad5fdb26d1ab98d4d59889ef1d0cf3798e4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e18debd736ea845298d192aaeaf0c812
SHA1 60d82322739b6e25452daf3f183fb078d35ccfc3
SHA256 0d97bd4194cfddfac9c7430a685bdf99645ae27ddce0e65450e431bfa698705f
SHA512 a1386fd234cc35c4180b99e59c48a41e4b7a229dcc3401e0244a862c1ebfdbbece2a23eb0cbb41d1bbe60c53f3116ad5fdb26d1ab98d4d59889ef1d0cf3798e4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8193d82f77058e277f8343a3ebd61522
SHA1 112dbb91cfabf6041e679810422c1abca36c98d0
SHA256 70e3471d63ccf866999540e5760f4bb2d8bb958f8ac41b932c17d3754ddb4342
SHA512 35c6fe8b6b1a697d8dd7454231ca008611333e5e9c232263982d29c2faafe9fc1b1a985ac5b089c7f836d81b7206595e60c1c203fd990968e13c347578a6bbf7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3057d5750de467747201f2093e138459
SHA1 5db0f666b68bbb11e5e7db074a55a6e2149e1feb
SHA256 f5eb2b199651f0d16a2bf4130ac2b9138ff94811fb113fad8337f5fabb303675
SHA512 cd0d01cbaa33edc277b348dfe65e3c18ad2fce07c034bd28d898880ce695cb34849f59e120c7f89b257d970df151246291fcd1ac73c527ad4888d303dcb68242

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8193d82f77058e277f8343a3ebd61522
SHA1 112dbb91cfabf6041e679810422c1abca36c98d0
SHA256 70e3471d63ccf866999540e5760f4bb2d8bb958f8ac41b932c17d3754ddb4342
SHA512 35c6fe8b6b1a697d8dd7454231ca008611333e5e9c232263982d29c2faafe9fc1b1a985ac5b089c7f836d81b7206595e60c1c203fd990968e13c347578a6bbf7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f07b15944f65d810eac3a97efe1964f9
SHA1 53d41cd0bf136e5d55757646233d0f0f0e9cdb67
SHA256 5224df61b6d5760f56aecfc70c56c5b63d4a3ce64c431ded409cbb72b44234ca
SHA512 b94b540ed85517ecce5558cb520850df5aafd8300ea757dbf93233dfceded1b3900d148b981c2192a68dd2e24b9fddbe659051cfb11d6e39b6fda57fb69273d9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 217a7987b4fbb91a7068bd530f66ba6b
SHA1 e118397b759dc584d834222ac1b125225ef8db4a
SHA256 7158051eb17aa445a69ce1d11b2b280b7780cc9664e40c8e75392f01dff71b37
SHA512 62a7bb9333669491fd1c53bdfcf94b68200cb62dff8b43aa1556c9e613941609f50f7444fab55d5a440430048802412e262b1b9bd7d336428b6d17ce6b4fab2d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3704cdfa88bec33251df4bb250702f57
SHA1 836e9f32da8e8e328b0a9ca3660a3dc4defdb8a8
SHA256 5cd4c899a7f346447b025991628f53f3ca3812c6340b9acd0a445ea2486bfef5
SHA512 e1ac068b72b5f8f57159f10de5f92e4ad2db2ec85309f828dd1b79855064e0bc14bf9a72c3258344b809489aa0a4778fa7dbd324004a7f1e638567082423e5e5

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 96e66d2d19b5c2093e85dcc098b3d63d
SHA1 dc23592e06cfb458c4527c89fc77bcd800005c17
SHA256 45e778cd95ca987363f3ffbb5b60c3ed3e6e5fd7eb1d8221178bd123a4767313
SHA512 021c1d223fee83bafe4ed5b14e281da73cb3ed806ad72be2dbbf231d94c6c5eb855fda908da5b904b8bf58425106a038bdf07a074afddf9c98d556a366213813

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6028929ed911b32af3a43c254fcd98a0
SHA1 904450ddc55eff07f2a63a9a77e9f3c005e99281
SHA256 67b54c7c628bfb5f8687ba9d2854ca199d2544cc6876be4a0507aba35cf61b21
SHA512 12572e695c07db96636c92754e8bab2049bcc55dfbbe3c2de571b88a8c6991a8653a19224cd5e51120689546f14f1769e4a097e83abfd0b57c71ce9579e66f4a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6028929ed911b32af3a43c254fcd98a0
SHA1 904450ddc55eff07f2a63a9a77e9f3c005e99281
SHA256 67b54c7c628bfb5f8687ba9d2854ca199d2544cc6876be4a0507aba35cf61b21
SHA512 12572e695c07db96636c92754e8bab2049bcc55dfbbe3c2de571b88a8c6991a8653a19224cd5e51120689546f14f1769e4a097e83abfd0b57c71ce9579e66f4a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 331b22d599347668ebb39dee88700c58
SHA1 9b94e20d18152bccb2a88e09ea416129e34e364b
SHA256 a2fbd7aacd3cc9a30fabe77e25d713bea881b0b643f80c3d665f76ac0f0d4c35
SHA512 66b0935ee10186f75302ff9271b7ed25f44d9b96764dc8a9fcd103f0348aafc62c1f65326a4603d6a61291ee21ffd7a825ac7b606cedd0b8a5fa3b0e929fc461

memory/5704-892-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\pI0EcicZAo.bat

MD5 fe6b43cd6e1601b6bdfc8e7a75c57e05
SHA1 b18d03cad6ac387bbc9d390469d5bf9225fcd180
SHA256 01b6fabd766d1d3a03adf83ebc8169c9b9dee2552ce0689b1a3d8abc19596492
SHA512 935afcd5357e714eb9474908c73e31d2aa6777248cea85eeaf7e0959130f2b999f79c9635df91a243602c58b7b60491053c2823b4b4bf634b899210c8c4eedf0

memory/5760-894-0x0000000000000000-mapping.dmp

memory/5780-895-0x0000000000000000-mapping.dmp

C:\Windows\Migration\WTR\wininit.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log

MD5 d63ff49d7c92016feb39812e4db10419
SHA1 2307d5e35ca9864ffefc93acf8573ea995ba189b
SHA256 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12
SHA512 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

memory/5780-898-0x0000000000F70000-0x0000000000F82000-memory.dmp

memory/5892-899-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat

MD5 81e5dd361d8b5354e5df87e3a3d80a61
SHA1 f99a8780681fa3ae9d047362012114010ec7433c
SHA256 51c9eb4a5478e3d45f81206ca0b9e3bb317eaa8ffe0a758a2d00ce98cc5cf2d9
SHA512 84e026914962188dbe35968b44c04309a34d1499c6579ff9994d999b89bb2c2fdc8032246943db1f28b90a9303fbec4330bd1bffa984035a3af71f718c2a3b5a

memory/5948-901-0x0000000000000000-mapping.dmp

memory/5968-902-0x0000000000000000-mapping.dmp

C:\Windows\Migration\WTR\wininit.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/5968-904-0x0000000001240000-0x0000000001252000-memory.dmp

memory/6076-905-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\s5uDoSCHZY.bat

MD5 54ca0ec1ca3a8bedfaee0ac14ac08b95
SHA1 392e43329cc3eaf001764802a85f87ab503aa7e8
SHA256 fa6af58009223e63eb91155c66e7bbf8b3392fe9db5529bcf28e329864dccbce
SHA512 b04c9556f8ea58d2d6a0d63856d060de94dfe4a477d4b7899ee46bc6b2e281f8f826fcc5f423f4e3d1e4f6c0298232cfcc2fbb5adf3411d5600ea7331cadc6a0

memory/6132-907-0x0000000000000000-mapping.dmp

memory/5188-908-0x0000000000000000-mapping.dmp

C:\Windows\Migration\WTR\wininit.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/5364-910-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\6raUEgr1vJ.bat

MD5 d1930853be5809b621b17cd896e4a7a9
SHA1 0225aac5446da24851f7bfcd4f9d4c77f233810e
SHA256 cb624db2408db437704cef0946f047a67418183a1b9e3ad18ff52cf01e3997e3
SHA512 ec8ca931eb5cd27da6276efba81c8375401d0a47172beca1675639653a54cce33ae00b232d19e88c1d3ea0cfcf847e719dac8900022c08bd1e5740fe18d0195f

memory/5464-912-0x0000000000000000-mapping.dmp

memory/4900-913-0x0000000000000000-mapping.dmp

C:\Windows\Migration\WTR\wininit.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4900-915-0x0000000000A10000-0x0000000000A22000-memory.dmp

memory/5076-916-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\6raUEgr1vJ.bat

MD5 d1930853be5809b621b17cd896e4a7a9
SHA1 0225aac5446da24851f7bfcd4f9d4c77f233810e
SHA256 cb624db2408db437704cef0946f047a67418183a1b9e3ad18ff52cf01e3997e3
SHA512 ec8ca931eb5cd27da6276efba81c8375401d0a47172beca1675639653a54cce33ae00b232d19e88c1d3ea0cfcf847e719dac8900022c08bd1e5740fe18d0195f

memory/5156-918-0x0000000000000000-mapping.dmp

memory/4964-919-0x0000000000000000-mapping.dmp

C:\Windows\Migration\WTR\wininit.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/3708-921-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\q3WH03M43W.bat

MD5 85ab8a2923448c2cec22e8593bafae0b
SHA1 6f0c797f1a48a17cbd4ab975b0d8192f9a5873f3
SHA256 eafbeb5dcc62393a92c52df628c34eb647057ec8a0c2f3a17341541caf95e71e
SHA512 05368e6fc61eaaf5750e437d8fb6402b396134bbc5e916bf4bcb6601ca70412b9faad52df379d91cb5a404569d9ae7fc62f7b05b05eeba57e47031026151f751

memory/3860-923-0x0000000000000000-mapping.dmp

memory/2600-924-0x0000000000000000-mapping.dmp

C:\Windows\Migration\WTR\wininit.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/2600-926-0x0000000002740000-0x0000000002752000-memory.dmp

memory/532-927-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat

MD5 9217d96bb9740a750ed2e0dd4d689009
SHA1 cd4ec2f8d3ea9d8477945ea6157aac6d7cc08a79
SHA256 23ff48c7f70d54cb37edec2dc21f0e1b81fb20a45f352f4babf37d3d6b883cde
SHA512 c580f8821e38a9f5a981ce5d1fca6655e604f16adc9823b04e2a864314a37b7d2ee9f4d64cc249769dd7722426850b3bb03f4843bc0b6684ba2a60053f1e0bd8

memory/1480-929-0x0000000000000000-mapping.dmp

memory/2176-930-0x0000000000000000-mapping.dmp

C:\Windows\Migration\WTR\wininit.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/680-932-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RgqsKqwwLg.bat

MD5 104f6c2ca62b635b0009d08048665fe2
SHA1 9272612e3c5546d2332462b790f8a6ac67598389
SHA256 7e552d0174ebc3abca44f084a4fce8ae108de43d2ce7263e4018c750e30332ce
SHA512 c9ba99644f1c4ae8f3944363269d8cf3ef6722c3d44092c92f83401431910f54b51049144ca7d0258d56922de48c614115963627040e64dd5ed72a658ab14cfe

memory/3856-934-0x0000000000000000-mapping.dmp

memory/1556-935-0x0000000000000000-mapping.dmp

C:\Windows\Migration\WTR\wininit.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4820-937-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\kQw8FYVnXF.bat

MD5 068020525f30437fb45c6dcb728ab0b0
SHA1 ab3a0d0dad1252353ea9d1e0be42491450460d13
SHA256 df9de09875f58d10533c42ba4a14b89c5a725db45fed7a1eb2bf443ab5be0064
SHA512 6e980134064d9a266b8303fd2e3949cea07f545cca516a55033de807fda4f33494509205584d9c590f4d02e8a7d7112a8007b0370403a88756727cc17d365502

memory/5592-939-0x0000000000000000-mapping.dmp

memory/1848-940-0x0000000000000000-mapping.dmp

C:\Windows\Migration\WTR\wininit.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/1560-942-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\q3WH03M43W.bat

MD5 85ab8a2923448c2cec22e8593bafae0b
SHA1 6f0c797f1a48a17cbd4ab975b0d8192f9a5873f3
SHA256 eafbeb5dcc62393a92c52df628c34eb647057ec8a0c2f3a17341541caf95e71e
SHA512 05368e6fc61eaaf5750e437d8fb6402b396134bbc5e916bf4bcb6601ca70412b9faad52df379d91cb5a404569d9ae7fc62f7b05b05eeba57e47031026151f751

memory/2248-944-0x0000000000000000-mapping.dmp

memory/3824-945-0x0000000000000000-mapping.dmp

C:\Windows\Migration\WTR\wininit.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/3824-947-0x0000000001270000-0x0000000001282000-memory.dmp

memory/2432-948-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Asmf6CRzTu.bat

MD5 951b5494445aac585c9c054f8558daf0
SHA1 aaddaef32d82c840d8ed1f1f470411f985743ae0
SHA256 71322b9352a8f4aa238f22d31bdd856b75aecb7a5f89807d63d27f76fb8ec7d0
SHA512 5ea8e6a0eacce618e7bda070bcafc3bcf49b7fecbca6629c09b0f27b4b60a480b219fdeddfc1d63186b98525fa23e724b233e72de0867afd3f2bebb7eba1fa74

memory/528-950-0x0000000000000000-mapping.dmp

memory/728-951-0x0000000000000000-mapping.dmp

C:\Windows\Migration\WTR\wininit.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394