Malware Analysis Report

2025-08-10 23:14

Sample ID 221031-1y8e4adee3
Target e6979ec6a5c1b082df1e76930d265683381e771b02177e7ffe198ee1fb05e3a1
SHA256 e6979ec6a5c1b082df1e76930d265683381e771b02177e7ffe198ee1fb05e3a1
Tags
rat dcrat infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e6979ec6a5c1b082df1e76930d265683381e771b02177e7ffe198ee1fb05e3a1

Threat Level: Known bad

The file e6979ec6a5c1b082df1e76930d265683381e771b02177e7ffe198ee1fb05e3a1 was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

DcRat

Dcrat family

Process spawned unexpected child process

DCRat payload

DCRat payload

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-31 22:04

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-31 22:04

Reported

2022-10-31 22:07

Platform

win10-20220901-en

Max time kernel

23s

Max time network

77s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e6979ec6a5c1b082df1e76930d265683381e771b02177e7ffe198ee1fb05e3a1.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\e6c9b481da804f C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Microsoft Office 15\ClientX64\27d1bcfc3c54e0 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Google\f3b6ecef712a24 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\e6c9b481da804f C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Google\spoolsv.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Microsoft Office\Office16\sihost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Microsoft Office\Office16\66fc9ff0ee96c2 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\886983d96e3d3e C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Microsoft Office 15\ClientX64\System.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\c5b4cb5e9653cc C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\HoloShell\spoolsv.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\HoloShell\f3b6ecef712a24 C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\e6979ec6a5c1b082df1e76930d265683381e771b02177e7ffe198ee1fb05e3a1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings C:\providercommon\DllCommonsvc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2732 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\e6979ec6a5c1b082df1e76930d265683381e771b02177e7ffe198ee1fb05e3a1.exe C:\Windows\SysWOW64\WScript.exe
PID 2732 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\e6979ec6a5c1b082df1e76930d265683381e771b02177e7ffe198ee1fb05e3a1.exe C:\Windows\SysWOW64\WScript.exe
PID 2732 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\e6979ec6a5c1b082df1e76930d265683381e771b02177e7ffe198ee1fb05e3a1.exe C:\Windows\SysWOW64\WScript.exe
PID 5096 wrote to memory of 4284 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 5096 wrote to memory of 4284 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 5096 wrote to memory of 4284 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4284 wrote to memory of 3848 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 4284 wrote to memory of 3848 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 3848 wrote to memory of 2224 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 2224 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 4920 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 4920 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 3976 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 3976 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 1416 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 1416 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 1112 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 1112 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 4784 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 4784 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 2656 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 2656 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 2664 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 2664 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 2680 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 2680 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 2124 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 2124 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 1732 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 1732 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 3500 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 3500 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 4820 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 4820 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 4060 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 4060 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 3584 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 3584 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3848 wrote to memory of 4280 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 3848 wrote to memory of 4280 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e6979ec6a5c1b082df1e76930d265683381e771b02177e7ffe198ee1fb05e3a1.exe

"C:\Users\Admin\AppData\Local\Temp\e6979ec6a5c1b082df1e76930d265683381e771b02177e7ffe198ee1fb05e3a1.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Links\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Links\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Links\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\HoloShell\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\HoloShell\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\HoloShell\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\odt\ShellExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\odt\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\odt\ShellExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Google\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Office16\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office16\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Links\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\HoloShell\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\ShellExperienceHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\OfficeClickToRun.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\ShellExperienceHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office16\sihost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\en-US\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\OfficeClickToRun.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gjUnKFcqIu.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe

"C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Rn5V8mQYRH.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe

"C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe

"C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O1BWw2qr2X.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe

"C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe"

Network

Country  Destination            Domain                     Proto
US       20.42.73.27:443                                   tcp
US       8.8.8.8:53             raw.githubusercontent.com  udp
US       185.199.110.133:443    raw.githubusercontent.com  tcp
NL       84.53.175.11:80                                   tcp
US       185.199.110.133:443    raw.githubusercontent.com  tcp
US       185.199.110.133:443    raw.githubusercontent.com  tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Users\Admin\AppData\Local\Temp\gjUnKFcqIu.bat

MD5 37cf06a88257b85e1a5d602fb517f2c0
SHA1 e9500f19048cb2102a3da5d527c8b38aca4f8d74
SHA256 ac71e3acd580c3160a204aaee739c318bdb6364094d189f0c11b535ec72c9397
SHA512 a040fc4e5272768b0d7e526b5915e412f21f710dc83fd14873b682c604c6d86b41a15322e5fcfeb8b0197eaa8dfc6ad46466fbea6ddc72f5bb2063a7ae33c60b

C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Users\Admin\AppData\Local\Temp\Rn5V8mQYRH.bat

MD5 c00391b4a026850c280986d51d9ebcb5
SHA1 348b55df945f6361cec9ed421a2e9fd3536a5bcd
SHA256 bacd0e062d2bc8ea92d6c96aa784dc19c647aac099c673100427454c1dc26c1d
SHA512 ea7376aad3c433e10951da98b23deaaa2af6a648383ac1d01540d65b5da5ac18dd917f056ff25290a1ccecbef63a1fb7172f5c8915a21529228cfbec858db8b8

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ad5cd538ca58cb28ede39c108acb5785
SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bce22f3249adef446b596ec2da8cd6c6
SHA1 7af5f2c1c554c2659426dec0e1fafc8b8d5fb321
SHA256 ff7369b744ee394bb4a0b448512cb542600e70ec3e35be684d9566f9caec55f5
SHA512 0dcef7cb51d9afbdd6d6ca51d1493f928484246c059bbeb7de091f5363f5d08ce9d69173ecce4c6d3315d9b2f9da0a3241a4971ba2d4bb4d52c20a1a137d40fd

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

MD5 d63ff49d7c92016feb39812e4db10419
SHA1 2307d5e35ca9864ffefc93acf8573ea995ba189b
SHA256 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12
SHA512 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4c5055728d0bb83f641130546c3c0413
SHA1 5ed164bfdb2db61d0f554412939e9bdba035e032
SHA256 c583a9ac27748092a995aa00dec36c1645875c2d36efd1e3a917f25e09d6a8bf
SHA512 d61544f9b68da9d89ccfa17bdf90d1d66adc441e0ff0a987c39b35dbdc3eeca4a065a635ff22afbe18790cd27ac0edd6e9071a8195fb46c0d3e919ae0ddd3f2b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 733b77ac2e4becb9124f515bfbf2a435
SHA1 8789627012ffaee7c48d6c27bad245033953f45c
SHA256 a46eac7b10fa8ce7874194f5e72bed5d03184564aa4229c91273a034ea34765b
SHA512 ce32d93e9cccd9b5f0dfd22e208b30ac33ebd369ea6bb37e4b5e98379ba92c539af8141d61de2c4c007cb5881b233c879af1300a9f35039c57e528b0d1e7bd14

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 92fe93503a034e0d14274b069869276a
SHA1 d46e8e47538119562f5aaa6e9a1ccfb9084c8de8
SHA256 bb54c6654a2b74d86cd6d6cae4a2a83d27ec036b402066aa5c675de3bcfaab77
SHA512 3e9280ddc19c26b479f52bd07c7e446f7e583db529b639b4bd3942670c850d4d447bb02a0512edaebd346a75a4d55778b072ac6f52c147c239df8ea1870cede8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bab495d4b1142179fd5d7a33405830ed
SHA1 0ca8d4f1a86cdd0f8ef51554a6561e473f45edb9
SHA256 f6bc15c18e5d7d2222a524897b78d8cd8caad868ca4c2356b6d08643b908dddf
SHA512 eebd4fd6ac99a30feb0828967e335734ee8494ed2617194cb4428765cc74eeab2a451294e648e830bdbac66c213139bfa393cdc9f52ca98eb98b04e140c9654a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 317eec61e1127ca6a0abc7200c3cd6f0
SHA1 006c049d8b808b0546c144594b629ca26108e48f
SHA256 911bca8e26f59f96909d141d103b2e9b9b196850bfac8fc336d05b77de529f2b
SHA512 5eb2ffeca8ca63540f1cac7c3c7d375f07e0c62450c05fb521d54d6ac51f85a880fe5dc0f80635d84c889aea48e945cc3e07f8914fad09e1903ca7244885184c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 280cf58000723aab5bd8583ffff35cff
SHA1 07e63bcd7a6ee2c11aa714400b8f89c17761c30f
SHA256 f8cad4f71280f710b2b7a739b1e3aa82d2a579beaf33d0a6a4e3b3ebf3f2c822
SHA512 334a4b0b7570470a0f161f77fca96944368e85fafd889f55bd7dd0b37e44f1fe29d0d5e635e0b7a13065c042af6da9231e4cfc3c9af490209e1d7e78b8fae409

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9803395c7f202e10ce817db9c474c195
SHA1 49df81d595d2d0ecb06b38d7c31ed5b685e82d9c
SHA256 ec61c989d4b7d2845ec96604fa83a2258f8614149c91198da96aa29ac0580d16
SHA512 f958c4ec79ce82e998e61f73a9a6e586bd9d8a7ca317b252f012cb45b6a7e77bd5695c6c52ed1bd9f2debdee9257f16420677f6e78173213b8980234876a6b30

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4c984ef72186b63ec54114af80436af3
SHA1 bf1d555b8c280c0198c98288e3e7df840feccfca
SHA256 b2ff10b065b25ea2c74d1659196b34e565f3fc79be340ca8a3c66843283110d8
SHA512 bdc1532a67b81da75d7cd504b0cc63ee217f509bfe811a4dd5835273464752c8d8347bbea7e50ca5f6a4479e0887a3ac79ac2b0da2e9a2e030af40e2fdff12f3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b8305bcdae8e0238226106ca9de7d989
SHA1 d7deb81ee9d3044073c30f87ea78eb0c7132ad4a
SHA256 22c16f82a3b6904cc5594888f454f6868e9f16887c7f0ec1d84558fd42d89a71
SHA512 83b3d39c61899167b6106f0f80d143773112737be388e22e7ae1497d002217bc13cd8a348abc76db9910cb86e1ed6d7e700b377cf57af4acba6ce2333afb20e5

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e9a856a3f434b4a6a99b6bcaf8155056
SHA1 8ec28b88e8dbbdf4d3fa6809a5fe8dfd06f503bf
SHA256 48cf16ce0943c2ef7ad1e162fb1a98ecc28c96e66885f32f76a8c7d4bc89c60b
SHA512 3aa1c3779d7e2f17168e939a1a878a93b2922c6393bd15db5028199e3c1fa0221feaa6cb3290e01695f034128c8713e8e848edef87bc51e3216f34aa50213152

C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat

MD5 ea63afd097f3d323a211f4f767784aee
SHA1 0c648ea55f7f63afc2993be2705a88a7fddcda5c
SHA256 3da578bd9db104cbbaa5f49467610a5241c48b9ba034a5ae4eaac45ad60bf44d
SHA512 071630062230105d66181a92c83d02c3f1a39e4629d10136a6d1909e561b7dd6f0f7bb3dd67fbca1ba3966de8cfb8ab1a65120c4f3af3b581640c36d02d5fff6

C:\Users\Admin\AppData\Local\Temp\O1BWw2qr2X.bat

MD5 102a0dd1a4409324142f5b546bbdc448
SHA1 1a864a6618a46e44c4f4f08e81d30d15dc856982
SHA256 df3b68db40b9a4e9dfbb15651ae564e4aba5c1cf3378fe767b42b5e5ea0c19b5
SHA512 a40d93a6760cbfe79a2f13426ae7db0eec5d4071871d91b80dcd953fc41fdab6260884a2bb3cb55f5dc947a92f90d8d8c8948f848d9d8234e58788a8cafb5e5e
