Malware Analysis Report

2025-08-10 23:15

Sample ID 221031-1z6mwseder
Target da34ddaba3a336b8b5dc5737a2de840903b7b5a558e48de09d1503cb9f3bb9ab
SHA256 da34ddaba3a336b8b5dc5737a2de840903b7b5a558e48de09d1503cb9f3bb9ab
Tags
rat dcrat infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

da34ddaba3a336b8b5dc5737a2de840903b7b5a558e48de09d1503cb9f3bb9ab

Threat Level: Known bad

The file da34ddaba3a336b8b5dc5737a2de840903b7b5a558e48de09d1503cb9f3bb9ab was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

DcRat

Process spawned unexpected child process

Dcrat family

DCRat payload

DCRat payload

Executes dropped EXE

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-31 22:06

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-31 22:06

Reported

2022-10-31 22:08

Platform

win10v2004-20220901-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\da34ddaba3a336b8b5dc5737a2de840903b7b5a558e48de09d1503cb9f3bb9ab.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\da34ddaba3a336b8b5dc5737a2de840903b7b5a558e48de09d1503cb9f3bb9ab.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\providercommon\DllCommonsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\e1ef82546f0b02 C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Help\Help\wininit.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Help\Help\56085415360792 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Fonts\csrss.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Fonts\886983d96e3d3e C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings C:\providercommon\DllCommonsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\da34ddaba3a336b8b5dc5737a2de840903b7b5a558e48de09d1503cb9f3bb9ab.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe N/A
N/A N/A C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3464 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\da34ddaba3a336b8b5dc5737a2de840903b7b5a558e48de09d1503cb9f3bb9ab.exe C:\Windows\SysWOW64\WScript.exe
PID 3464 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\da34ddaba3a336b8b5dc5737a2de840903b7b5a558e48de09d1503cb9f3bb9ab.exe C:\Windows\SysWOW64\WScript.exe
PID 3464 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\da34ddaba3a336b8b5dc5737a2de840903b7b5a558e48de09d1503cb9f3bb9ab.exe C:\Windows\SysWOW64\WScript.exe
PID 2616 wrote to memory of 3596 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 3596 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 3596 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3596 wrote to memory of 3376 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 3596 wrote to memory of 3376 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 3376 wrote to memory of 1136 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 1136 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 4296 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 4296 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 1324 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 1324 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 324 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 324 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 4524 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 4524 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 3096 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 3096 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 3216 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 3216 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 1656 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 1656 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 1200 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 1200 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 4036 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 4036 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 4888 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 4888 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 2600 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 2600 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3376 wrote to memory of 4092 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 3376 wrote to memory of 4092 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 4092 wrote to memory of 4028 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4092 wrote to memory of 4028 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4092 wrote to memory of 3500 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe
PID 4092 wrote to memory of 3500 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe
PID 3500 wrote to memory of 3656 N/A C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe C:\Windows\System32\cmd.exe
PID 3500 wrote to memory of 3656 N/A C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe C:\Windows\System32\cmd.exe
PID 3656 wrote to memory of 2204 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3656 wrote to memory of 2204 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3656 wrote to memory of 5108 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe
PID 3656 wrote to memory of 5108 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe
PID 5108 wrote to memory of 3908 N/A C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe C:\Windows\System32\cmd.exe
PID 5108 wrote to memory of 3908 N/A C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe C:\Windows\System32\cmd.exe
PID 3908 wrote to memory of 1360 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3908 wrote to memory of 1360 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3908 wrote to memory of 4220 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe
PID 3908 wrote to memory of 4220 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe
PID 4220 wrote to memory of 1096 N/A C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe C:\Windows\System32\cmd.exe
PID 4220 wrote to memory of 1096 N/A C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe C:\Windows\System32\cmd.exe
PID 3996 wrote to memory of 1028 N/A C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe C:\Windows\System32\cmd.exe
PID 3996 wrote to memory of 1028 N/A C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe C:\Windows\System32\cmd.exe
PID 1028 wrote to memory of 1032 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1028 wrote to memory of 1032 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1028 wrote to memory of 1784 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe
PID 1028 wrote to memory of 1784 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe
PID 1784 wrote to memory of 3736 N/A C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe C:\Windows\System32\cmd.exe
PID 1784 wrote to memory of 3736 N/A C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe C:\Windows\System32\cmd.exe
PID 3736 wrote to memory of 3912 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3736 wrote to memory of 3912 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3736 wrote to memory of 3464 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe
PID 3736 wrote to memory of 3464 N/A C:\Windows\System32\cmd.exe C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe

Processes

C:\Users\Admin\AppData\Local\Temp\da34ddaba3a336b8b5dc5737a2de840903b7b5a558e48de09d1503cb9f3bb9ab.exe

"C:\Users\Admin\AppData\Local\Temp\da34ddaba3a336b8b5dc5737a2de840903b7b5a558e48de09d1503cb9f3bb9ab.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\My Documents\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\My Documents\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\Help\Help\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Help\Help\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\Help\Help\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Pictures\Saved Pictures\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\Saved Pictures\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Pictures\Saved Pictures\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Fonts\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Fonts\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\odt\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\providercommon\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\odt\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\Help\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\My Documents\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\regid.1991-06.com.microsoft\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Pictures\Saved Pictures\SppExtComObj.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\lsass.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\Idle.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vncFek9wJT.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe

"C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe

"C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0x9T38u1li.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe

"C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Cu9aubHCzw.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe

"C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s5uDoSCHZY.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe

"C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gSW9k5bhgR.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe

"C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cLz7lFEPwa.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe

"C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8wkcP7O697.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe

"C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe

"C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JhFjyqSsxH.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto
NL 104.80.229.204:443 tcp
GB 51.104.15.252:443 tcp
NL 87.248.202.1:80 tcp
BE 67.24.33.254:80 tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

C:\providercommon\1zu9dW.bat

C:\providercommon\DllCommonsvc.exe

C:\Users\Admin\AppData\Local\Temp\vncFek9wJT.bat

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Program Files\Windows Sidebar\Shared Gadgets\SppExtComObj.exe

C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SppExtComObj.exe.log

C:\Users\Admin\AppData\Local\Temp\0x9T38u1li.bat

C:\Users\Admin\AppData\Local\Temp\s5uDoSCHZY.bat

C:\Users\Admin\AppData\Local\Temp\gSW9k5bhgR.bat

C:\Users\Admin\AppData\Local\Temp\cLz7lFEPwa.bat

C:\Users\Admin\AppData\Local\Temp\8wkcP7O697.bat

C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat

C:\Users\Admin\AppData\Local\Temp\JhFjyqSsxH.bat
