Malware Analysis Report

2025-08-10 23:15

Sample ID 221031-1yzg7adee2
Target 538053a0afbbf82926d53e5bdb7387cfd96e8173d030e94eea652ea895d64379
SHA256 538053a0afbbf82926d53e5bdb7387cfd96e8173d030e94eea652ea895d64379
Tags
rat dcrat infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

538053a0afbbf82926d53e5bdb7387cfd96e8173d030e94eea652ea895d64379

Threat Level: Known bad

The file 538053a0afbbf82926d53e5bdb7387cfd96e8173d030e94eea652ea895d64379 was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

Process spawned unexpected child process

Dcrat family

DCRat payload

DcRat

DCRat payload

Executes dropped EXE

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-31 22:04

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-31 22:04

Reported

2022-10-31 22:06

Platform

win10v2004-20220812-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\538053a0afbbf82926d53e5bdb7387cfd96e8173d030e94eea652ea895d64379.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\All Users\Mozilla\sppsvc.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\All Users\Mozilla\sppsvc.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\All Users\Mozilla\sppsvc.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\All Users\Mozilla\sppsvc.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\All Users\Mozilla\sppsvc.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\All Users\Mozilla\sppsvc.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\All Users\Mozilla\sppsvc.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\All Users\Mozilla\sppsvc.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\538053a0afbbf82926d53e5bdb7387cfd96e8173d030e94eea652ea895d64379.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\All Users\Mozilla\sppsvc.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\All Users\Mozilla\sppsvc.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Microsoft Office\Office16\DllCommonsvc.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files\Microsoft Office\Office16\a76d7bf15d8370 | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe | C:\providercommon\DllCommonsvc.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files\Microsoft Office 15\ClientX64\9e8d7a4ca61bd9 | C:\providercommon\DllCommonsvc.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Vss\Writers\System\56085415360792 | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Windows\DigitalLocker\fontdrvhost.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Windows\DigitalLocker\5b884080fd4f94 | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Windows\Vss\Writers\System\wininit.exe | C:\providercommon\DllCommonsvc.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | C:\Users\All Users\Mozilla\sppsvc.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | C:\Users\All Users\Mozilla\sppsvc.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\538053a0afbbf82926d53e5bdb7387cfd96e8173d030e94eea652ea895d64379.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | C:\providercommon\DllCommonsvc.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | C:\Users\All Users\Mozilla\sppsvc.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | C:\Users\All Users\Mozilla\sppsvc.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | C:\Users\All Users\Mozilla\sppsvc.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | C:\Users\All Users\Mozilla\sppsvc.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | C:\Users\All Users\Mozilla\sppsvc.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | C:\Users\All Users\Mozilla\sppsvc.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | C:\Users\All Users\Mozilla\sppsvc.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | C:\Users\All Users\Mozilla\sppsvc.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\All Users\Mozilla\sppsvc.exe | N/A
N/A | N/A | C:\Users\All Users\Mozilla\sppsvc.exe | N/A
N/A | N/A | C:\Users\All Users\Mozilla\sppsvc.exe | N/A
N/A | N/A | C:\Users\All Users\Mozilla\sppsvc.exe | N/A
N/A | N/A | C:\Users\All Users\Mozilla\sppsvc.exe | N/A
N/A | N/A | C:\Users\All Users\Mozilla\sppsvc.exe | N/A
N/A | N/A | C:\Users\All Users\Mozilla\sppsvc.exe | N/A
N/A | N/A | C:\Users\All Users\Mozilla\sppsvc.exe | N/A
N/A | N/A | C:\Users\All Users\Mozilla\sppsvc.exe | N/A
N/A | N/A | C:\Users\All Users\Mozilla\sppsvc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\providercommon\DllCommonsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\All Users\Mozilla\sppsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\All Users\Mozilla\sppsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\All Users\Mozilla\sppsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\All Users\Mozilla\sppsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\All Users\Mozilla\sppsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\All Users\Mozilla\sppsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\All Users\Mozilla\sppsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\All Users\Mozilla\sppsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\All Users\Mozilla\sppsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\All Users\Mozilla\sppsvc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4216 wrote to memory of 448 | N/A | C:\Users\Admin\AppData\Local\Temp\538053a0afbbf82926d53e5bdb7387cfd96e8173d030e94eea652ea895d64379.exe | C:\Windows\SysWOW64\WScript.exe
PID 4216 wrote to memory of 448 | N/A | C:\Users\Admin\AppData\Local\Temp\538053a0afbbf82926d53e5bdb7387cfd96e8173d030e94eea652ea895d64379.exe | C:\Windows\SysWOW64\WScript.exe
PID 4216 wrote to memory of 448 | N/A | C:\Users\Admin\AppData\Local\Temp\538053a0afbbf82926d53e5bdb7387cfd96e8173d030e94eea652ea895d64379.exe | C:\Windows\SysWOW64\WScript.exe
PID 448 wrote to memory of 4364 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 448 wrote to memory of 4364 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 448 wrote to memory of 4364 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 4364 wrote to memory of 2796 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\providercommon\DllCommonsvc.exe
PID 4364 wrote to memory of 2796 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\providercommon\DllCommonsvc.exe
PID 2796 wrote to memory of 4596 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2796 wrote to memory of 4596 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2796 wrote to memory of 2724 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2796 wrote to memory of 2724 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2796 wrote to memory of 4568 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2796 wrote to memory of 4568 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2796 wrote to memory of 1804 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2796 wrote to memory of 1804 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2796 wrote to memory of 1400 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2796 wrote to memory of 1400 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2796 wrote to memory of 4772 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2796 wrote to memory of 4772 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2796 wrote to memory of 3700 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2796 wrote to memory of 3700 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2796 wrote to memory of 1844 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2796 wrote to memory of 1844 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2796 wrote to memory of 2592 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2796 wrote to memory of 2592 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2796 wrote to memory of 1384 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2796 wrote to memory of 1384 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2796 wrote to memory of 2156 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2796 wrote to memory of 2156 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2796 wrote to memory of 2588 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\cmd.exe
PID 2796 wrote to memory of 2588 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\cmd.exe
PID 2588 wrote to memory of 4860 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 2588 wrote to memory of 4860 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 2588 wrote to memory of 4648 | N/A | C:\Windows\System32\cmd.exe | C:\Users\All Users\Mozilla\sppsvc.exe
PID 2588 wrote to memory of 4648 | N/A | C:\Windows\System32\cmd.exe | C:\Users\All Users\Mozilla\sppsvc.exe
PID 4648 wrote to memory of 1976 | N/A | C:\Users\All Users\Mozilla\sppsvc.exe | C:\Windows\System32\cmd.exe
PID 4648 wrote to memory of 1976 | N/A | C:\Users\All Users\Mozilla\sppsvc.exe | C:\Windows\System32\cmd.exe
PID 1976 wrote to memory of 4540 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1976 wrote to memory of 4540 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1976 wrote to memory of 1948 | N/A | C:\Windows\System32\cmd.exe | C:\Users\All Users\Mozilla\sppsvc.exe
PID 1976 wrote to memory of 1948 | N/A | C:\Windows\System32\cmd.exe | C:\Users\All Users\Mozilla\sppsvc.exe
PID 1948 wrote to memory of 5076 | N/A | C:\Users\All Users\Mozilla\sppsvc.exe | C:\Windows\System32\cmd.exe
PID 1948 wrote to memory of 5076 | N/A | C:\Users\All Users\Mozilla\sppsvc.exe | C:\Windows\System32\cmd.exe
PID 5076 wrote to memory of 3848 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 5076 wrote to memory of 3848 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 5076 wrote to memory of 1548 | N/A | C:\Windows\System32\cmd.exe | C:\Users\All Users\Mozilla\sppsvc.exe
PID 5076 wrote to memory of 1548 | N/A | C:\Windows\System32\cmd.exe | C:\Users\All Users\Mozilla\sppsvc.exe
PID 1548 wrote to memory of 3304 | N/A | C:\Users\All Users\Mozilla\sppsvc.exe | C:\Windows\System32\cmd.exe
PID 1548 wrote to memory of 3304 | N/A | C:\Users\All Users\Mozilla\sppsvc.exe | C:\Windows\System32\cmd.exe
PID 3304 wrote to memory of 1776 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 3304 wrote to memory of 1776 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 3304 wrote to memory of 5068 | N/A | C:\Windows\System32\cmd.exe | C:\Users\All Users\Mozilla\sppsvc.exe
PID 3304 wrote to memory of 5068 | N/A | C:\Windows\System32\cmd.exe | C:\Users\All Users\Mozilla\sppsvc.exe
PID 5068 wrote to memory of 540 | N/A | C:\Users\All Users\Mozilla\sppsvc.exe | C:\Windows\System32\cmd.exe
PID 5068 wrote to memory of 540 | N/A | C:\Users\All Users\Mozilla\sppsvc.exe | C:\Windows\System32\cmd.exe
PID 540 wrote to memory of 2244 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 540 wrote to memory of 2244 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 540 wrote to memory of 3960 | N/A | C:\Windows\System32\cmd.exe | C:\Users\All Users\Mozilla\sppsvc.exe
PID 540 wrote to memory of 3960 | N/A | C:\Windows\System32\cmd.exe | C:\Users\All Users\Mozilla\sppsvc.exe
PID 3960 wrote to memory of 4560 | N/A | C:\Users\All Users\Mozilla\sppsvc.exe | C:\Windows\System32\cmd.exe
PID 3960 wrote to memory of 4560 | N/A | C:\Users\All Users\Mozilla\sppsvc.exe | C:\Windows\System32\cmd.exe
PID 4560 wrote to memory of 3636 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 4560 wrote to memory of 3636 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\538053a0afbbf82926d53e5bdb7387cfd96e8173d030e94eea652ea895d64379.exe

"C:\Users\Admin\AppData\Local\Temp\538053a0afbbf82926d53e5bdb7387cfd96e8173d030e94eea652ea895d64379.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office16\DllCommonsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office16\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Mozilla\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\providercommon\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\odt\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\odt\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\odt\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\odt\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Users\Public\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Public\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Users\Public\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\DigitalLocker\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\DigitalLocker\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\Vss\Writers\System\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\Writers\System\wininit.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\ClientX64\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office16\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhostw.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\upfc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\OfficeClickToRun.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\System\wininit.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZnhMCmO6P2.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\All Users\Mozilla\sppsvc.exe

"C:\Users\All Users\Mozilla\sppsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\All Users\Mozilla\sppsvc.exe

"C:\Users\All Users\Mozilla\sppsvc.exe"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat"

C:\Users\All Users\Mozilla\sppsvc.exe

"C:\Users\All Users\Mozilla\sppsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DhSpfyjZaR.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\All Users\Mozilla\sppsvc.exe

"C:\Users\All Users\Mozilla\sppsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WLCDTNV5Zk.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\All Users\Mozilla\sppsvc.exe

"C:\Users\All Users\Mozilla\sppsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wxi7FenmH.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\All Users\Mozilla\sppsvc.exe

"C:\Users\All Users\Mozilla\sppsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\All Users\Mozilla\sppsvc.exe

"C:\Users\All Users\Mozilla\sppsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eKnLpNzAx9.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\All Users\Mozilla\sppsvc.exe

"C:\Users\All Users\Mozilla\sppsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TK13bru719.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\All Users\Mozilla\sppsvc.exe

"C:\Users\All Users\Mozilla\sppsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OMb46N11BK.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\All Users\Mozilla\sppsvc.exe

"C:\Users\All Users\Mozilla\sppsvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
NL 95.101.78.106:80 tcp
NL 95.101.78.106:80 tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
DE 51.116.253.168:443 tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 93.184.220.29:80 tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp

Files
