Malware Analysis Report

2025-08-10 23:14

Sample ID 221031-1yq6taeddp
Target 02aedfd20466bea025e2bb4b571c1d731c103f101a43b1c0c9ba901c81cc9b9d
SHA256 02aedfd20466bea025e2bb4b571c1d731c103f101a43b1c0c9ba901c81cc9b9d
Tags
rat dcrat infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

02aedfd20466bea025e2bb4b571c1d731c103f101a43b1c0c9ba901c81cc9b9d

Threat Level: Known bad

The file 02aedfd20466bea025e2bb4b571c1d731c103f101a43b1c0c9ba901c81cc9b9d was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

Dcrat family

DcRat

Process spawned unexpected child process

DCRat payload

DCRat payload

Executes dropped EXE

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-31 22:03

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-31 22:03

Reported

2022-10-31 22:06

Platform

win10v2004-20220812-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\02aedfd20466bea025e2bb4b571c1d731c103f101a43b1c0c9ba901c81cc9b9d.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Default\csrss.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Default\csrss.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Default\csrss.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Default\csrss.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Default\csrss.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\02aedfd20466bea025e2bb4b571c1d731c103f101a43b1c0c9ba901c81cc9b9d.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Default\csrss.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Default\csrss.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Default\csrss.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\fontdrvhost.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\5b884080fd4f94 | C:\providercommon\DllCommonsvc.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Provisioning\Packages\RuntimeBroker.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Windows\Provisioning\Packages\9e8d7a4ca61bd9 | C:\providercommon\DllCommonsvc.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | C:\Users\Default\csrss.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\02aedfd20466bea025e2bb4b571c1d731c103f101a43b1c0c9ba901c81cc9b9d.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | C:\providercommon\DllCommonsvc.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | C:\providercommon\DllCommonsvc.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | C:\Users\Default\csrss.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | C:\Users\Default\csrss.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | C:\Users\Default\csrss.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | C:\Users\Default\csrss.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | C:\Users\Default\csrss.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | C:\Users\Default\csrss.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | C:\Users\Default\csrss.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Default\csrss.exe | N/A
N/A | N/A | C:\Users\Default\csrss.exe | N/A
N/A | N/A | C:\Users\Default\csrss.exe | N/A
N/A | N/A | C:\Users\Default\csrss.exe | N/A
N/A | N/A | C:\Users\Default\csrss.exe | N/A
N/A | N/A | C:\Users\Default\csrss.exe | N/A
N/A | N/A | C:\Users\Default\csrss.exe | N/A
N/A | N/A | C:\Users\Default\csrss.exe | N/A
N/A | N/A | C:\Users\Default\csrss.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\providercommon\DllCommonsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\providercommon\DllCommonsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\csrss.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\csrss.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\csrss.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\csrss.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\csrss.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\csrss.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\csrss.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\csrss.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Default\csrss.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4912 wrote to memory of 4408 | N/A | C:\Users\Admin\AppData\Local\Temp\02aedfd20466bea025e2bb4b571c1d731c103f101a43b1c0c9ba901c81cc9b9d.exe | C:\Windows\SysWOW64\WScript.exe
PID 4912 wrote to memory of 4408 | N/A | C:\Users\Admin\AppData\Local\Temp\02aedfd20466bea025e2bb4b571c1d731c103f101a43b1c0c9ba901c81cc9b9d.exe | C:\Windows\SysWOW64\WScript.exe
PID 4912 wrote to memory of 4408 | N/A | C:\Users\Admin\AppData\Local\Temp\02aedfd20466bea025e2bb4b571c1d731c103f101a43b1c0c9ba901c81cc9b9d.exe | C:\Windows\SysWOW64\WScript.exe
PID 4408 wrote to memory of 760 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 4408 wrote to memory of 760 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 4408 wrote to memory of 760 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 760 wrote to memory of 2916 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\providercommon\DllCommonsvc.exe
PID 760 wrote to memory of 2916 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\providercommon\DllCommonsvc.exe
PID 2916 wrote to memory of 4500 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 4500 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 1968 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 1968 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 1976 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 1976 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 2924 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 2924 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 3248 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 3248 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 2280 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 2280 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 1872 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 1872 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 1404 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 1404 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2916 wrote to memory of 4544 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\cmd.exe
PID 2916 wrote to memory of 4544 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\cmd.exe
PID 4544 wrote to memory of 4404 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 4544 wrote to memory of 4404 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 4544 wrote to memory of 1696 | N/A | C:\Windows\System32\cmd.exe | C:\providercommon\DllCommonsvc.exe
PID 4544 wrote to memory of 1696 | N/A | C:\Windows\System32\cmd.exe | C:\providercommon\DllCommonsvc.exe
PID 1696 wrote to memory of 3064 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1696 wrote to memory of 3064 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1696 wrote to memory of 2232 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1696 wrote to memory of 2232 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1696 wrote to memory of 3244 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1696 wrote to memory of 3244 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1696 wrote to memory of 816 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1696 wrote to memory of 816 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1696 wrote to memory of 4292 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1696 wrote to memory of 4292 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1696 wrote to memory of 1148 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\cmd.exe
PID 1696 wrote to memory of 1148 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\cmd.exe
PID 1148 wrote to memory of 3304 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1148 wrote to memory of 3304 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1148 wrote to memory of 1640 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Default\csrss.exe
PID 1148 wrote to memory of 1640 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Default\csrss.exe
PID 1640 wrote to memory of 1108 | N/A | C:\Users\Default\csrss.exe | C:\Windows\System32\cmd.exe
PID 1640 wrote to memory of 1108 | N/A | C:\Users\Default\csrss.exe | C:\Windows\System32\cmd.exe
PID 1108 wrote to memory of 1508 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1108 wrote to memory of 1508 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1108 wrote to memory of 4404 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Default\csrss.exe
PID 1108 wrote to memory of 4404 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Default\csrss.exe
PID 4404 wrote to memory of 4380 | N/A | C:\Users\Default\csrss.exe | C:\Windows\System32\cmd.exe
PID 4404 wrote to memory of 4380 | N/A | C:\Users\Default\csrss.exe | C:\Windows\System32\cmd.exe
PID 4380 wrote to memory of 4712 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 4380 wrote to memory of 4712 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 4380 wrote to memory of 1764 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Default\csrss.exe
PID 4380 wrote to memory of 1764 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Default\csrss.exe
PID 1764 wrote to memory of 1656 | N/A | C:\Users\Default\csrss.exe | C:\Windows\System32\cmd.exe
PID 1764 wrote to memory of 1656 | N/A | C:\Users\Default\csrss.exe | C:\Windows\System32\cmd.exe
PID 1656 wrote to memory of 3452 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1656 wrote to memory of 3452 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1656 wrote to memory of 2320 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Default\csrss.exe
PID 1656 wrote to memory of 2320 | N/A | C:\Windows\System32\cmd.exe | C:\Users\Default\csrss.exe

Processes

C:\Users\Admin\AppData\Local\Temp\02aedfd20466bea025e2bb4b571c1d731c103f101a43b1c0c9ba901c81cc9b9d.exe

"C:\Users\Admin\AppData\Local\Temp\02aedfd20466bea025e2bb4b571c1d731c103f101a43b1c0c9ba901c81cc9b9d.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\odt\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\providercommon\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\odt\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\odt\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\Provisioning\Packages\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Provisioning\Packages\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\Provisioning\Packages\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\OfficeClickToRun.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Provisioning\Packages\RuntimeBroker.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yJNRBzAAII.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\odt\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\providercommon\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\odt\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\sihost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\explorer.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VcPB9CXF5J.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\csrss.exe

"C:\Users\Default\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzxbGmHcY3.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\csrss.exe

"C:\Users\Default\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\csrss.exe

"C:\Users\Default\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L9j9zErPDE.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\csrss.exe

"C:\Users\Default\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\csrss.exe

"C:\Users\Default\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W3ML2JPNvQ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\csrss.exe

"C:\Users\Default\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\csrss.exe

"C:\Users\Default\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\csrss.exe

"C:\Users\Default\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\csrss.exe

"C:\Users\Default\csrss.exe"
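The schtasks and Add-MpPreference lines above are the sample's persistence and defence-evasion layer. The task names (smss, smsss, csrss, csrssc, explorer, explorere) and the target file names borrow Windows system-process names, but the targets live in C:\providercommon, C:\odt and C:\Users\Default rather than under C:\Windows; most tasks request /rl HIGHEST and are registered twice, once ONLOGON and once every 5, 13 or 14 minutes; and each dropped path is added to the Defender exclusion list before it is used. The nine repetitions of cmd.exe /C <Temp>\*.bat, then w32tm /stripchart against localhost (two samples five seconds apart, which serves as a short delay), then csrss.exe are the payload relaunching itself. The Python below is an added example, not part of the report and not DcRat code: it parses command lines of this shape into structured indicators and flags targets whose file name belongs to a system binary but whose directory does not. SAMPLE_CMDLINES is a constructed subset of the Processes list above, and the EXPECTED_DIR table is this example's own assumption about where Windows keeps those binaries.

```python
"""Pull persistence and defence-evasion indicators out of sandbox process
command lines of the shape recorded above.

Added example, not part of the original report and not DcRat code. The
EXPECTED_DIR table is an assumption of this example; the report only lists
the command lines.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: a representative subset of the Processes list.
SAMPLE_CMDLINES = r'''
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\odt\explorer.exe'" /f
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\csrss.exe'
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VcPB9CXF5J.bat"
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
"C:\Users\Default\csrss.exe"
'''.strip().splitlines()

# Legitimate home directory of each borrowed binary name (assumed table;
# lower-case because the comparison is case-insensitive).
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "sihost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

SCHTASKS_RE = re.compile(r"^schtasks(?:\.exe)?\s+/create\b", re.I)
TN_RE = re.compile(r'/tn\s+"([^"]+)"', re.I)
SC_RE = re.compile(r"/sc\s+(\w+)", re.I)
MO_RE = re.compile(r"/mo\s+(\d+)", re.I)
TR_RE = re.compile(r'/tr\s+"\'?([^"\']+)\'?"', re.I)   # /tr "'path'" or /tr "path"
RL_RE = re.compile(r"/rl\s+(\w+)", re.I)
EXCL_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.I)
BAT_RE = re.compile(r'cmd\.exe"?\s+/C\s+"([^"]+\.bat)"', re.I)


@dataclass(frozen=True)
class Task:
    name: str
    schedule: str            # ONLOGON, MINUTE, ...
    modifier: Optional[int]  # /mo value: every N minutes for /sc MINUTE
    target: str              # executable the task launches
    run_level: str           # schtasks defaults to LIMITED when /rl is absent


def parse_task(cmdline: str) -> Optional[Task]:
    """Return a Task for a 'schtasks /create' command line, else None."""
    if not SCHTASKS_RE.search(cmdline):
        return None
    name, sc, tr = TN_RE.search(cmdline), SC_RE.search(cmdline), TR_RE.search(cmdline)
    if not (name and sc and tr):
        return None
    mo, rl = MO_RE.search(cmdline), RL_RE.search(cmdline)
    return Task(
        name=name.group(1),
        schedule=sc.group(1).upper(),
        modifier=int(mo.group(1)) if mo else None,
        target=tr.group(1),
        run_level=rl.group(1).upper() if rl else "LIMITED",
    )


def is_masquerade(path: str) -> bool:
    """True when the file name is that of a Windows system binary but the
    file sits outside that binary's real directory."""
    directory, _, basename = path.lower().rpartition("\\")
    expected = EXPECTED_DIR.get(basename)
    return expected is not None and directory != expected


def _find(regex, cmdlines):
    return [m.group(1) for m in map(regex.search, cmdlines) if m]


def analyze(cmdlines):
    """Structured indicators: tasks, elevated tasks, Defender exclusions,
    masquerading paths (path -> directory where the real binary lives) and
    batch files launched through cmd.exe /C."""
    tasks = [t for t in map(parse_task, cmdlines) if t]
    exclusions = _find(EXCL_RE, cmdlines)
    referenced = {t.target for t in tasks} | set(exclusions)
    return {
        "tasks": tasks,
        "elevated_tasks": [t.name for t in tasks if t.run_level == "HIGHEST"],
        "exclusions": exclusions,
        "masquerading": {p: EXPECTED_DIR[p.lower().rpartition("\\")[2]]
                         for p in referenced if is_masquerade(p)},
        "batch_launchers": _find(BAT_RE, cmdlines),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_CMDLINES).items():
        print(f"{key}: {value}")
```

The same parser applies to schtasks and PowerShell command lines pulled from Sysmon event ID 1 or a 4688 feed; on a live host, the masquerading check is the part worth keeping, since a legitimately scheduled task never points at a copy of csrss.exe or smss.exe outside System32.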

Network

Country  Destination            Domain                      Proto
US       8.252.118.126:80       -                           tcp
IE       13.69.239.74:443       -                           tcp
US       8.252.118.126:80       -                           tcp
US       93.184.220.29:80       -                           tcp
US       8.8.8.8:53             raw.githubusercontent.com   udp
US       185.199.108.133:443    raw.githubusercontent.com   tcp
US       8.252.118.126:80       -                           tcp
US       8.252.118.126:80       -                           tcp
US       8.252.118.126:80       -                           tcp
US       185.199.108.133:443    raw.githubusercontent.com   tcp
US       93.184.221.240:80      -                           tcp
US       185.199.108.133:443    raw.githubusercontent.com   tcp
US       185.199.108.133:443    raw.githubusercontent.com   tcp
NL       104.80.225.205:443     -                           tcp
US       185.199.108.133:443    raw.githubusercontent.com   tcp
US       185.199.108.133:443    raw.githubusercontent.com   tcp
US       185.199.108.133:443    raw.githubusercontent.com   tcp
US       185.199.108.133:443    raw.githubusercontent.com   tcp

Only the raw.githubusercontent.com traffic (one DNS query to 8.8.8.8, then eight TLS connections to 185.199.108.133) is tied to a domain in the report; this is the traffic behind the "Legitimate hosting services abused for malware hosting/C2" signature. The rows marked "-" were not resolved to a domain by the sandbox, so they should be treated as unattributed rather than as C2 until correlated with other sources.

Files

memory/4408-132-0x0000000000000000-mapping.dmp

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

memory/760-135-0x0000000000000000-mapping.dmp

memory/2916-136-0x0000000000000000-mapping.dmp

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/2916-139-0x0000000000EB0000-0x0000000000FC0000-memory.dmp

memory/2916-140-0x00007FF82F9F0000-0x00007FF8304B1000-memory.dmp

memory/4500-141-0x0000000000000000-mapping.dmp

memory/1968-142-0x0000000000000000-mapping.dmp

memory/1976-143-0x0000000000000000-mapping.dmp

memory/3248-145-0x0000000000000000-mapping.dmp

memory/2924-144-0x0000000000000000-mapping.dmp

memory/2280-146-0x0000000000000000-mapping.dmp

memory/1404-148-0x0000000000000000-mapping.dmp

memory/1872-147-0x0000000000000000-mapping.dmp

memory/4544-149-0x0000000000000000-mapping.dmp

memory/1976-150-0x0000013F6E210000-0x0000013F6E232000-memory.dmp

memory/2916-151-0x00007FF82F9F0000-0x00007FF8304B1000-memory.dmp

memory/1968-152-0x00007FF82F9F0000-0x00007FF8304B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yJNRBzAAII.bat

MD5 e5be5cea38cf09966feb1e47e0d6ac81
SHA1 a00d6a0473aa7d5eff6669977d11c43949f197e3
SHA256 c558fd2f73f85845ee97cd0e31dd102c485629c64690cc42016768b603cf3aa8
SHA512 aef452b174e23e5c7c7e84fc684f63f982a6fca630165d0fd090ead385143bfbef0f79a76d18d13c0bce70903842869b711724a20272e0f734cb968dfe38e114

memory/4404-154-0x0000000000000000-mapping.dmp

memory/1976-155-0x00007FF82F9F0000-0x00007FF8304B1000-memory.dmp

memory/2924-156-0x00007FF82F9F0000-0x00007FF8304B1000-memory.dmp

memory/3248-157-0x00007FF82F9F0000-0x00007FF8304B1000-memory.dmp

memory/2280-158-0x00007FF82F9F0000-0x00007FF8304B1000-memory.dmp

memory/1404-159-0x00007FF82F9F0000-0x00007FF8304B1000-memory.dmp

memory/4500-160-0x00007FF82F9F0000-0x00007FF8304B1000-memory.dmp

memory/1872-161-0x00007FF82F9F0000-0x00007FF8304B1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aaaac7c68d2b7997ed502c26fd9f65c2
SHA1 7c5a3731300d672bf53c43e2f9e951c745f7fbdf
SHA256 8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb
SHA512 c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

memory/4500-171-0x00007FF82F9F0000-0x00007FF8304B1000-memory.dmp

memory/1404-170-0x00007FF82F9F0000-0x00007FF8304B1000-memory.dmp

memory/2280-172-0x00007FF82F9F0000-0x00007FF8304B1000-memory.dmp

memory/1976-175-0x00007FF82F9F0000-0x00007FF8304B1000-memory.dmp

memory/2924-176-0x00007FF82F9F0000-0x00007FF8304B1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a5e1f1efff867a822c6a57ee928dd66
SHA1 b017854d8a1deb05f1447e9dd6002902fb66bf6b
SHA256 8222fe869b025493591ca2ffbabe089c2e682449e77b754fc864ba62d64ee957
SHA512 25fc0fd6a71595c44efe34d281c4bc4924ac82f76b9f697497d0019fa2c8e0cadf58f92ae4272f00b1ef1e97dfd93bd740a9e7f7d9dc93cb1cadbde5f93d1782

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a5e1f1efff867a822c6a57ee928dd66
SHA1 b017854d8a1deb05f1447e9dd6002902fb66bf6b
SHA256 8222fe869b025493591ca2ffbabe089c2e682449e77b754fc864ba62d64ee957
SHA512 25fc0fd6a71595c44efe34d281c4bc4924ac82f76b9f697497d0019fa2c8e0cadf58f92ae4272f00b1ef1e97dfd93bd740a9e7f7d9dc93cb1cadbde5f93d1782

memory/1872-169-0x00007FF82F9F0000-0x00007FF8304B1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aaaac7c68d2b7997ed502c26fd9f65c2
SHA1 7c5a3731300d672bf53c43e2f9e951c745f7fbdf
SHA256 8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb
SHA512 c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aaaac7c68d2b7997ed502c26fd9f65c2
SHA1 7c5a3731300d672bf53c43e2f9e951c745f7fbdf
SHA256 8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb
SHA512 c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aaaac7c68d2b7997ed502c26fd9f65c2
SHA1 7c5a3731300d672bf53c43e2f9e951c745f7fbdf
SHA256 8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb
SHA512 c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

memory/1968-164-0x00007FF82F9F0000-0x00007FF8304B1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aaaac7c68d2b7997ed502c26fd9f65c2
SHA1 7c5a3731300d672bf53c43e2f9e951c745f7fbdf
SHA256 8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb
SHA512 c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

memory/3248-177-0x00007FF82F9F0000-0x00007FF8304B1000-memory.dmp

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/1696-178-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

MD5 7f3c0ae41f0d9ae10a8985a2c327b8fb
SHA1 d58622bf6b5071beacf3b35bb505bde2000983e3
SHA256 519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900
SHA512 8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

memory/1696-181-0x00007FF82F830000-0x00007FF8302F1000-memory.dmp

memory/3064-182-0x0000000000000000-mapping.dmp

memory/2232-183-0x0000000000000000-mapping.dmp

memory/3244-184-0x0000000000000000-mapping.dmp

memory/4292-186-0x0000000000000000-mapping.dmp

memory/816-185-0x0000000000000000-mapping.dmp

memory/1148-187-0x0000000000000000-mapping.dmp

memory/3064-188-0x00007FF82F830000-0x00007FF8302F1000-memory.dmp

memory/1696-189-0x00007FF82F830000-0x00007FF8302F1000-memory.dmp

memory/3244-190-0x00007FF82F830000-0x00007FF8302F1000-memory.dmp

memory/2232-191-0x00007FF82F830000-0x00007FF8302F1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a5e1f1efff867a822c6a57ee928dd66
SHA1 b017854d8a1deb05f1447e9dd6002902fb66bf6b
SHA256 8222fe869b025493591ca2ffbabe089c2e682449e77b754fc864ba62d64ee957
SHA512 25fc0fd6a71595c44efe34d281c4bc4924ac82f76b9f697497d0019fa2c8e0cadf58f92ae4272f00b1ef1e97dfd93bd740a9e7f7d9dc93cb1cadbde5f93d1782

C:\Users\Admin\AppData\Local\Temp\VcPB9CXF5J.bat

MD5 2386f44ce65d56bb7bc36d94a7367efd
SHA1 7878dd750f0dceb3f254d64b2cc0cdb881a8f992
SHA256 35e631de3a0617c1bef45257815fa362617f6d4eac42163a3a9a65b842c30a1c
SHA512 dbb9be9e4691ed38ebac12006ff3ebd5d1e1ef5be337f9f04048bc0756a9adcee153b0c489eca0bf15c5abd7148da2397a1b7e6ff764e78cb3b893d58df8c2b3

memory/3304-194-0x0000000000000000-mapping.dmp

memory/816-195-0x00007FF82F830000-0x00007FF8302F1000-memory.dmp

memory/4292-196-0x00007FF82F830000-0x00007FF8302F1000-memory.dmp

memory/816-198-0x00007FF82F830000-0x00007FF8302F1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 120c6c9af4de2accfcff2ed8c3aab1af
SHA1 504f64ae4ac9c4fe308a6a50be24fe464f3dad95
SHA256 461315e4057c3fa4d0031df3f7e6511914f082698b6c41f5c2ada831ceffb222
SHA512 041712168718dff702da8203b4089b2e57db98ce503b8ecf36809dec0cd7a595a0d427caa960bc1bd29cbedc85ad3262773f2077a476b85aca387d48f7b07ba2

memory/3244-200-0x00007FF82F830000-0x00007FF8302F1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b7e0e67385d5dab240ab2f7c945f3443
SHA1 cb4b238a0757cc85115347f193946cdbfc089f4e
SHA256 8e1f6b184613f6618a22a3e3221276856dd07bc782423c1a208862c524bbb241
SHA512 ed243d9ef73e38a226cf2711a72cfb877cf90f0ee5e88a1db57747b76d9f14b9b2392849ba8e8a5510ae2ba3d15a5647ce7835323d49d93bb211c323a04fa14b

memory/4292-201-0x00007FF82F830000-0x00007FF8302F1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4c60463b0551abf52d31bc311e50c789
SHA1 59c839439e2b520bf1dc6c9872c03fef8eb85aa0
SHA256 31a2eaf3b166c43b57b902ed91ef7ac522724a679b82a31f8bdb5a6a35f76a4f
SHA512 b6b7b22f70f930f8ccf619b06f2e31903034774beee22fac8fb507e44352f74fba7ee03380a94ff988d7697ce467216e5ab7f9791c85628fe4afaa4871770676

memory/3064-203-0x00007FF82F830000-0x00007FF8302F1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4822327741294722927d46423be14304
SHA1 3049826ae49ca304bd4a84a21b8ccb6a9499c39e
SHA256 b6ed5510a3376ce391d154b219c2d70cebb62e6fdef97022ad2bc305c5137a74
SHA512 c7607f4bab5688baaeab93bc92a2546d60f9f77b52614ad718133e4313674ae3bdbd497282220c399b2cd97c45a09adbecf1997ac82cab9e221129fa3ac83c8b

memory/2232-205-0x00007FF82F830000-0x00007FF8302F1000-memory.dmp

memory/1640-206-0x0000000000000000-mapping.dmp

C:\Users\Default\csrss.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Users\Default\csrss.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/1640-209-0x00007FF82F4E0000-0x00007FF82FFA1000-memory.dmp

memory/1108-210-0x0000000000000000-mapping.dmp

memory/1640-212-0x00007FF82F4E0000-0x00007FF82FFA1000-memory.dmp

memory/1508-213-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\qzxbGmHcY3.bat

MD5 47e206ee673ea2ee1c79f4bde03b039a
SHA1 9d646e6459d26b5ac2f8d82d0d5ce9cae0bf57d5
SHA256 d44e1b09a355e414580ad5a62cee421f793f19a643e737f84600855f735b1e05
SHA512 e26452b411e59c43b6eb6fcaa7a4878bfe882941100222e4c0fc545527008e3f18427dbf89ff4b392239e75d63e8042669c8fa98f3943745df79f23476c42028

memory/4404-214-0x0000000000000000-mapping.dmp

C:\Users\Default\csrss.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

memory/4404-217-0x00007FF82F120000-0x00007FF82FBE1000-memory.dmp

memory/4380-218-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat

MD5 2b4b1d054aaf3321cc1a462ccff0d341
SHA1 275fe28b611fa0d3b54a57a3a69b86c1d0ea02be
SHA256 85c4e057147a897d651f3f72e8066097d75f4c81ea0ca6f01f0c2ba874f67f8a
SHA512 b09d6a668b9cae5dee12b26e95e4d3a25a597add0ab0e2e49086397ced8508c34628f7a9dd1859a9cc1c3588f2a37d265ff72d955a3e07de28ac10828ec63b04

memory/4712-220-0x0000000000000000-mapping.dmp

memory/4404-221-0x00007FF82F120000-0x00007FF82FBE1000-memory.dmp

memory/1764-222-0x0000000000000000-mapping.dmp

C:\Users\Default\csrss.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/1764-224-0x00007FF82F120000-0x00007FF82FBE1000-memory.dmp

memory/1656-225-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\L9j9zErPDE.bat

MD5 af10681cf62d5c8d6c532ffaabfd8a32
SHA1 c72b5b092aa87bf8a31f444a4a2f3403d744e6f2
SHA256 44cb45e6afc317f3977822f42d1201edfb82181822408c88108c7950054c78d1
SHA512 78443ae35dcb4130b2566ff9cd994edf2ae166ba88ce34ec382565608160be345dd4d655d65678f5d6419c0bbb279919c5516973db8b2e24cb9ea42fe90763bc

memory/3452-227-0x0000000000000000-mapping.dmp

memory/1764-228-0x00007FF82F120000-0x00007FF82FBE1000-memory.dmp

memory/2320-229-0x0000000000000000-mapping.dmp

C:\Users\Default\csrss.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/2320-231-0x00007FF82F1D0000-0x00007FF82FC91000-memory.dmp

memory/1880-232-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat

MD5 0f9fe77c08da851b3335967a68ee6c13
SHA1 8fadccfbfb95b613901e82699c7c239356a8f80b
SHA256 2341cb550a4783753676792fe87b11223ab6dcae73fd8e0aaaa8c7e494f21e8e
SHA512 35fa2f6da8c1d4cc8300c8766b7e6f2f782d56169e763517c1d79277c376a81790ae74dd6514dada1a8290506ee073992a13778eed94a9cf7d5d6aff5e83133f

memory/4452-234-0x0000000000000000-mapping.dmp

memory/2320-235-0x00007FF82F1D0000-0x00007FF82FC91000-memory.dmp

memory/4924-236-0x0000000000000000-mapping.dmp

C:\Users\Default\csrss.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4924-238-0x00007FF82F1D0000-0x00007FF82FC91000-memory.dmp

memory/3592-239-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\W3ML2JPNvQ.bat

MD5 0fe086f46ba2826dd606415adf987d06
SHA1 8a1208bf31de069d296e63df5632a738b0f778f0
SHA256 3884b212043430fd38ebd7e99802a89cf428f9c3ace83266957287b9b26952d4
SHA512 85ed3e359af1c5e69f66b51efba4b3eb37756d3c701e1526b77d3cb22d0afa8ed5d716ee8715545c99bd78fc767b97fe1d3e5354fe4ae45c1defc07efc1c2b20

memory/2500-241-0x0000000000000000-mapping.dmp

memory/4924-242-0x00007FF82F1D0000-0x00007FF82FC91000-memory.dmp

memory/3208-243-0x0000000000000000-mapping.dmp

C:\Users\Default\csrss.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/3208-245-0x00007FF82F1D0000-0x00007FF82FC91000-memory.dmp

memory/2220-246-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat

MD5 2b4b1d054aaf3321cc1a462ccff0d341
SHA1 275fe28b611fa0d3b54a57a3a69b86c1d0ea02be
SHA256 85c4e057147a897d651f3f72e8066097d75f4c81ea0ca6f01f0c2ba874f67f8a
SHA512 b09d6a668b9cae5dee12b26e95e4d3a25a597add0ab0e2e49086397ced8508c34628f7a9dd1859a9cc1c3588f2a37d265ff72d955a3e07de28ac10828ec63b04

memory/4320-248-0x0000000000000000-mapping.dmp

memory/3208-249-0x00007FF82F1D0000-0x00007FF82FC91000-memory.dmp

memory/4820-250-0x0000000000000000-mapping.dmp

C:\Users\Default\csrss.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4820-252-0x00007FF82F1D0000-0x00007FF82FC91000-memory.dmp

memory/4748-253-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat

MD5 2c4c063d95d64eabc012c508b4e00a9d
SHA1 001e8cec952fa72eec5fb5173e7d10ee856d91e5
SHA256 fb39bc71c50d26befb0c7729f52b4024b843c6bc72697d587e0addd7c7d915c8
SHA512 ecccaccdcdd76a9245bf27aecb67d48d4660e536953e449628bc409b6246c38df587004f544997b11a5c33518c55379317192174811a4f9cb83d9aa5955043ea

memory/1604-255-0x0000000000000000-mapping.dmp

memory/4820-256-0x00007FF82F1D0000-0x00007FF82FC91000-memory.dmp

memory/5080-257-0x0000000000000000-mapping.dmp

C:\Users\Default\csrss.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/5080-259-0x00007FF82F1D0000-0x00007FF82FC91000-memory.dmp

memory/4912-260-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\svzewrKVsp.bat

MD5 eba0f9db903c488b52b67ae56cfd7ac8
SHA1 d7bdb348fe46d76d68a31434499785b14cb75278
SHA256 201612422f3649f987cbed1cfd2139993199de18bae2babbd547b21582179387
SHA512 a362169ad713ae9e5cf0ec42bf7720d96ddf3b1bd6d407b1270679e30a8e4d2837b6a8769f2336fd3e2cfa8fded57e8380bfb6a7d90a08babd6ee8751462980d

memory/2508-262-0x0000000000000000-mapping.dmp

memory/5080-263-0x00007FF82F1D0000-0x00007FF82FC91000-memory.dmp

memory/3192-264-0x0000000000000000-mapping.dmp

C:\Users\Default\csrss.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/3192-266-0x00007FF82F1D0000-0x00007FF82FC91000-memory.dmp
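The Files list records every write separately, so one binary appears many times under whatever name it was copied to. Grouping by SHA256 is the first thing to do with such a list: it shows that C:\providercommon\DllCommonsvc.exe and C:\Users\Default\csrss.exe are the same file (SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63, written repeatedly), and that the report records no dropped file at C:\providercommon\smss.exe, C:\odt\explorer.exe or C:\odt\sihost.exe even though scheduled tasks and Defender exclusions above reference those paths. The Python below is an added example, not part of the report; its input is a constructed excerpt of the list above (SHA512 lines omitted for width), and REFERENCED_PATHS is taken from the schtasks and Add-MpPreference lines in the Processes section.

```python
"""Group the dropped files of a sandbox report by content hash and
cross-check the paths that persistence mechanisms reference.

Added example, not part of the original report. The parser assumes the
report's layout: a path line, then MD5/SHA1/SHA256/SHA512 lines, with
memory/... dump lines interleaved and blank lines separating entries.
"""
import re
from collections import defaultdict

# Constructed excerpt of the Files section above (SHA512 lines omitted).
SAMPLE_FILES = r'''
memory/4408-132-0x0000000000000000-mapping.dmp

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

memory/2916-139-0x0000000000EB0000-0x0000000000FC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VcPB9CXF5J.bat

MD5 2386f44ce65d56bb7bc36d94a7367efd
SHA1 7878dd750f0dceb3f254d64b2cc0cdb881a8f992
SHA256 35e631de3a0617c1bef45257815fa362617f6d4eac42163a3a9a65b842c30a1c

C:\Users\Default\csrss.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

memory/1640-206-0x0000000000000000-mapping.dmp

C:\Users\Default\csrss.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
'''

# Paths named by the schtasks /tr and Add-MpPreference -ExclusionPath
# lines in the Processes section.
REFERENCED_PATHS = [
    r"C:\providercommon\smss.exe",
    r"C:\odt\explorer.exe",
    r"C:\Users\Default\csrss.exe",
    r"C:\providercommon\DllCommonsvc.exe",
    r"C:\odt\sihost.exe",
]

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_files(text):
    """One entry per write event: {'path': ..., 'hashes': {algo: hex}}.
    memory/... dump lines and blank lines are skipped."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("memory/"):
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current["hashes"][m.group(1)] = m.group(2).lower()
        else:
            current = {"path": line, "hashes": {}}
            entries.append(current)
    return entries


def group_by_sha256(entries):
    """sha256 -> {'paths': sorted distinct paths, 'writes': event count}."""
    groups = defaultdict(lambda: {"paths": set(), "writes": 0})
    for e in entries:
        sha = e["hashes"].get("SHA256")
        if sha is None:
            continue
        groups[sha]["paths"].add(e["path"])
        groups[sha]["writes"] += 1
    return {sha: {"paths": sorted(g["paths"]), "writes": g["writes"]}
            for sha, g in groups.items()}


def paths_without_drop(entries, referenced):
    """Referenced paths for which the report records no file write."""
    dropped = {e["path"].lower() for e in entries}
    return sorted(p for p in referenced if p.lower() not in dropped)


if __name__ == "__main__":
    entries = parse_files(SAMPLE_FILES)
    for sha, g in group_by_sha256(entries).items():
        print(sha, g["writes"], "write(s) as", g["paths"])
    print("referenced but never dropped:", paths_without_drop(entries, REFERENCED_PATHS))
```

A path that is referenced by a task or exclusion but never written is either a second-stage artefact the sandbox did not reach within its 150 s window or a dead task; either way it belongs on the hunt list alongside the hashes, because the task will still try to run it on every logon.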