Malware Analysis Report

2025-08-05 17:33

Sample ID: 221101-ml5lsaahc3
Target: e94d8357aa3646382620513b5c5a2eca2f5e9d3a03d3e4546f7ddb2143957987
SHA256: e94d8357aa3646382620513b5c5a2eca2f5e9d3a03d3e4546f7ddb2143957987
Tags: rat dcrat infostealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: e94d8357aa3646382620513b5c5a2eca2f5e9d3a03d3e4546f7ddb2143957987
Threat level: Known bad

The file e94d8357aa3646382620513b5c5a2eca2f5e9d3a03d3e4546f7ddb2143957987 was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

Dcrat family

DcRat

DCRat payload

Process spawned unexpected child process

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-11-01 10:34

Signatures

DCRat payload (rat)

Description Indicator Process Target
N/A N/A N/A N/A (static match; no indicator, process or target recorded)

Dcrat family (dcrat)

Analysis: behavioral1

Detonation Overview

Submitted: 2022-11-01 10:34
Reported: 2022-11-01 10:36
Platform: win10-20220812-en
Max time kernel: 146s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e94d8357aa3646382620513b5c5a2eca2f5e9d3a03d3e4546f7ddb2143957987.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (24 identical rows)

One row per schtasks.exe /create call listed under Processes. The parent is WmiPrvSE.exe rather than DllCommonsvc.exe, which is what a process started through WMI (Win32_Process.Create) looks like: the WMI provider host becomes the recorded parent, so a rule keyed on "malware binary spawns schtasks.exe" never fires. The pair WmiPrvSE.exe -> schtasks.exe is itself the thing to alert on; the provider host has little reason to create scheduled tasks in normal operation.

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (16 rows; the sandbox recorded no indicator, process or target for any of them)

Legitimate hosting services abused for malware hosting/C2

No rows were recorded for this rule. The only candidate in the Network section is the repeated HTTPS traffic to raw.githubusercontent.com.

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\taskhostw.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ea9f0e6c9e2dcd C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\tracing\lsass.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\tracing\6203df4a6bafc7 C:\providercommon\DllCommonsvc.exe N/A

Each copy of the implant is written alongside a companion file with a random-looking hex name (ea9f0e6c9e2dcd, 6203df4a6bafc7); the pair is worth including in file-system hunting. The file names copy Windows binaries but the directories do not: the genuine taskhostw.exe and lsass.exe live in C:\Windows\System32, and an lsass.exe anywhere else deserves attention. C:\Windows\tracing is one of the few directories under C:\Windows that a standard user can write to, so that drop does not by itself prove elevation; the write into Program Files does require administrative rights. The other six task targets (under C:\Recovery\WindowsRE, C:\providercommon and C:\Users\Admin\Music) fall outside these two rules and have no rows here.

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\e94d8357aa3646382620513b5c5a2eca2f5e9d3a03d3e4546f7ddb2143957987.exe N/A (1 row)
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings C:\providercommon\taskhostw.exe N/A (11 rows)

The per-user Classes\Local Settings key is created by many legitimate processes that use the shell APIs; on its own it is low-signal and not a useful indicator for this family.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A (1 row)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (27 rows)
N/A N/A C:\providercommon\taskhostw.exe N/A (12 rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\providercommon\taskhostw.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (9 rows)
Token: (full administrator privilege set, listed below) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (three passes; the third is cut off at SeRestorePrivilege where the table ends)

The full set enabled by powershell.exe, in the order logged: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and the privilege LUIDs 33, 34, 35 and 36, which the sandbox left unresolved: SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege.

The two dropped binaries enable only SeDebugPrivilege, which is what a RAT needs to open other processes (compare the EnumeratesProcesses rows). The PowerShell instances enable every privilege an administrator token holds, so the Add-MpPreference calls are running elevated; on a standard-user token these adjustments would fail and the Defender exclusions would not be added.

Suspicious use of WriteProcessMemory

Every target in this table is the writer's own child process (compare the Processes list), so the rows record a parent writing into the process it has just created; they trace the execution chain rather than an injection into an unrelated process. Each pair is logged two or three times; collapsed to unique parent -> child pairs, the chain is:

C:\Users\Admin\AppData\Local\Temp\e94d8357aa3646382620513b5c5a2eca2f5e9d3a03d3e4546f7ddb2143957987.exe (2716)
  -> C:\Windows\SysWOW64\WScript.exe (4892)
    -> C:\Windows\SysWOW64\cmd.exe (2000)
      -> C:\providercommon\DllCommonsvc.exe (3884)
        -> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe x9 (420, 1020, 3152, 1236, 1672, 612, 1040, 4696, 204)
        -> C:\providercommon\taskhostw.exe (2032)
          -> C:\Windows\System32\cmd.exe (4136) -> C:\Windows\system32\w32tm.exe (4688), C:\providercommon\taskhostw.exe (892)
            -> cmd.exe (2484) -> w32tm.exe (4488), taskhostw.exe (4680)
              -> cmd.exe (3468) -> w32tm.exe (4336), taskhostw.exe (3936)
                -> cmd.exe (4620) -> w32tm.exe (4756), taskhostw.exe (4748)
                  -> cmd.exe (4628) -> w32tm.exe (1652), taskhostw.exe (4432)
                    -> cmd.exe (1280) -> w32tm.exe (2288), taskhostw.exe (4056)

The taskhostw.exe -> cmd.exe -> (w32tm.exe, taskhostw.exe) hop repeats six times in this table; the Processes list shows eleven such cycles, so the table was truncated. In each hop cmd.exe runs a batch file from %TEMP% whose visible effect is a w32tm /stripchart /computer:localhost /period:5 /samples:2 call (two samples five seconds apart, used as a sleep) followed by a fresh copy of taskhostw.exe, so the implant keeps re-executing under a new PID.
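The chain above can be rebuilt mechanically from the report's own rows. The Python below is an added example written for this page, not code from the sandbox or from the malware: it parses rows in the report's "PID X wrote to memory of Y" format (a constructed subset is embedded), deduplicates them, rebuilds the process tree, prints the lineage of any PID, and flags the sleep-and-relaunch hops. The hop heuristic in find_relaunch_hops (a process spawns a shell whose children are a sleeper binary plus a fresh copy of the process's own image) is the example's own generalisation of what this table shows; the function names and the choice of cmd.exe and w32tm.exe as shell and sleeper are assumptions of the example.

```python
import re
from collections import defaultdict

# Rows in the report's own "PID X wrote to memory of Y N/A <parent> <child>" format.
# Constructed subset for this example: every unique parent/child pair in the table above,
# plus one of its verbatim duplicate rows so the dedupe is exercised.
ROWS = r"""
PID 2716 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\e94d8357aa3646382620513b5c5a2eca2f5e9d3a03d3e4546f7ddb2143957987.exe C:\Windows\SysWOW64\WScript.exe
PID 2716 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\e94d8357aa3646382620513b5c5a2eca2f5e9d3a03d3e4546f7ddb2143957987.exe C:\Windows\SysWOW64\WScript.exe
PID 4892 wrote to memory of 2000 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2000 wrote to memory of 3884 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 3884 wrote to memory of 420 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3884 wrote to memory of 1020 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3884 wrote to memory of 3152 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3884 wrote to memory of 1236 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3884 wrote to memory of 1672 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3884 wrote to memory of 612 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3884 wrote to memory of 1040 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3884 wrote to memory of 4696 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3884 wrote to memory of 204 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3884 wrote to memory of 2032 N/A C:\providercommon\DllCommonsvc.exe C:\providercommon\taskhostw.exe
PID 2032 wrote to memory of 4136 N/A C:\providercommon\taskhostw.exe C:\Windows\System32\cmd.exe
PID 4136 wrote to memory of 4688 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4136 wrote to memory of 892 N/A C:\Windows\System32\cmd.exe C:\providercommon\taskhostw.exe
PID 892 wrote to memory of 2484 N/A C:\providercommon\taskhostw.exe C:\Windows\System32\cmd.exe
PID 2484 wrote to memory of 4488 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2484 wrote to memory of 4680 N/A C:\Windows\System32\cmd.exe C:\providercommon\taskhostw.exe
PID 4680 wrote to memory of 3468 N/A C:\providercommon\taskhostw.exe C:\Windows\System32\cmd.exe
PID 3468 wrote to memory of 4336 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3468 wrote to memory of 3936 N/A C:\Windows\System32\cmd.exe C:\providercommon\taskhostw.exe
PID 3936 wrote to memory of 4620 N/A C:\providercommon\taskhostw.exe C:\Windows\System32\cmd.exe
PID 4620 wrote to memory of 4756 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4620 wrote to memory of 4748 N/A C:\Windows\System32\cmd.exe C:\providercommon\taskhostw.exe
PID 4748 wrote to memory of 4628 N/A C:\providercommon\taskhostw.exe C:\Windows\System32\cmd.exe
PID 4628 wrote to memory of 1652 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4628 wrote to memory of 4432 N/A C:\Windows\System32\cmd.exe C:\providercommon\taskhostw.exe
PID 4432 wrote to memory of 1280 N/A C:\providercommon\taskhostw.exe C:\Windows\System32\cmd.exe
PID 1280 wrote to memory of 2288 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1280 wrote to memory of 4056 N/A C:\Windows\System32\cmd.exe C:\providercommon\taskhostw.exe
"""

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)")

def parse_rows(text):
    """Unique (parent_pid, child_pid, parent_image, child_image) edges, in report order."""
    edges, seen = [], set()
    for m in ROW_RE.finditer(text):
        ppid, pid = int(m.group(1)), int(m.group(2))
        if (ppid, pid) in seen:
            continue  # the sandbox logs each CreateProcess write two or three times
        seen.add((ppid, pid))
        edges.append((ppid, pid, m.group(3).rsplit("\\", 1)[-1], m.group(4).rsplit("\\", 1)[-1]))
    return edges

def build_tree(edges):
    """children[pid], parent[pid], image[pid], and the roots (PIDs never seen as a child)."""
    children, parent, image = defaultdict(list), {}, {}
    for ppid, pid, pimg, cimg in edges:
        children[ppid].append(pid)
        parent[pid] = ppid
        image.setdefault(ppid, pimg)
        image[pid] = cimg
    return children, parent, image, [p for p in image if p not in parent]

def lineage(parent, image, pid):
    """Images from the root down to pid, e.g. dropper -> WScript -> cmd -> DllCommonsvc."""
    chain = [image[pid]]
    while pid in parent:
        pid = parent[pid]
        chain.append(image[pid])
    return chain[::-1]

def render(children, image, pid, depth=0):
    lines = ["  " * depth + f"{image[pid]} ({pid})"]
    for child in children.get(pid, []):
        lines += render(children, image, child, depth + 1)
    return lines

def find_relaunch_hops(children, image, shell="cmd.exe", sleeper="w32tm.exe"):
    """(old_pid, new_pid) wherever a process spawns a shell whose children are the
    sleeper plus a fresh copy of the process's own image: a sleep-and-restart hop."""
    hops = []
    for pid, img in image.items():
        for sh in children.get(pid, []):
            if image[sh].lower() != shell:
                continue
            kids = children.get(sh, [])
            if any(image[k].lower() == sleeper for k in kids):
                hops += [(pid, k) for k in kids if image[k].lower() == img.lower()]
    return hops

if __name__ == "__main__":
    edges = parse_rows(ROWS)
    children, parent, image, roots = build_tree(edges)
    print("\n".join(render(children, image, roots[0])))
    print("relaunch hops:", find_relaunch_hops(children, image))
```

Run on the embedded rows it prints the tree shown above and six hops, the last ending at PID 4056. Pointing the parser at the full table (or at Sysmon Event ID 1 records converted to the same four fields) gives the complete eleven-cycle chain.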

Processes

Grouped by image below. Launch order in the detonation: dropper -> WScript.exe -> cmd.exe -> DllCommonsvc.exe -> 24 x schtasks.exe -> 7 x powershell.exe -> taskhostw.exe -> 2 x powershell.exe -> 11 x (cmd.exe -> w32tm.exe, taskhostw.exe). WScript.exe and the first cmd.exe resolve to C:\Windows\SysWOW64 although their command lines name C:\Windows\System32: the dropper is a 32-bit process, so WoW64 file-system redirection maps System32 to SysWOW64 for the processes it starts.

C:\Users\Admin\AppData\Local\Temp\e94d8357aa3646382620513b5c5a2eca2f5e9d3a03d3e4546f7ddb2143957987.exe
  "C:\Users\Admin\AppData\Local\Temp\e94d8357aa3646382620513b5c5a2eca2f5e9d3a03d3e4546f7ddb2143957987.exe"

C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe
  "C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe (24 instances, all with WmiPrvSE.exe as parent; three /create calls per action path)
  schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /f
  schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\tracing\lsass.exe'" /f
  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\tracing\lsass.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\lsass.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsass.exe'" /f
  schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
  schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\providercommon\taskhostw.exe'" /f
  schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\providercommon\taskhostw.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\taskhostw.exe'" /f
  schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\taskhostw.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\taskhostw.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Music\sppsvc.exe'" /f
  schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Music\sppsvc.exe'" /rl HIGHEST /f
  schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Music\sppsvc.exe'" /rl HIGHEST /f

Eight action paths, each registered three times: a MINUTE task with interval /mo N, an ONLOGON task at /rl HIGHEST, and a second MINUTE task at /rl HIGHEST that reuses the first task's name with a different interval. Every call passes /f, so a later definition replaces an earlier task of the same name: per target, what survives is one ONLOGON task and one MINUTE task, both at highest run level. Two targets also share their task names with a later target (C:\Windows\tracing\lsass.exe with C:\providercommon\lsass.exe; C:\providercommon\taskhostw.exe with the Program Files taskhostw.exe), so those earlier registrations are overwritten as well and six task-name pairs remain. Task names imitate Windows binaries (SearchUI, RuntimeBroker, lsass, explorer, taskhostw, sppsvc) with one character appended for the MINUTE variants, and the action path is wrapped in nested quotes ("'C:\...'"), a quirk worth matching on.

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (9 instances, one Defender exclusion each)
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchUI.exe'
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhostw.exe'
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\taskhostw.exe'
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\sppsvc.exe'
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\lsass.exe'

Every task target, plus the running DllCommonsvc.exe, is excluded from Defender scanning; the last two exclusions were added after the first taskhostw.exe started. Add-MpPreference requires administrative rights, and each call leaves a configuration-change record (event 5007 in the Microsoft-Windows-Windows Defender/Operational log) that is the natural place to detect it.

C:\providercommon\taskhostw.exe (12 instances)
  "C:\providercommon\taskhostw.exe"

C:\Windows\System32\cmd.exe (11 instances, each running a randomly named batch file from %TEMP%)
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGcIoKmMem.bat"
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DegeIw2hse.bat"
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OTxxDhnLNa.bat"
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O.ZJpL0Zeaq.bat"
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q3WH03M43W.bat"
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\syYKg8QxNI.bat"
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YNa8GmLI5m.bat"
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZES4mQr7Bk.bat"
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WRY5ahHPmz.bat"
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z6HXYUNDfk.bat"
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGcIoKmMem.bat"

C:\Windows\system32\w32tm.exe (11 instances)
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Each cycle is one cmd.exe under the current taskhostw.exe running a batch file from %TEMP% (nGcIoKmMem.bat appears twice), which calls w32tm /stripchart against localhost (two samples five seconds apart, i.e. a roughly five-second sleep that needs neither timeout nor ping) and then starts a new taskhostw.exe. This is the self-restart loop visible in the WriteProcessMemory table.
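The command lines above are also the material for host-side detection. The Python below is an added example written for this page, not the sandbox's or the malware's code. It runs four rules a practitioner would want over process-creation records (schtasks.exe whose parent is WmiPrvSE.exe; a schtasks /create whose action path carries a Windows system binary name outside the directories that binary ships in; Add-MpPreference -ExclusionPath; w32tm /stripchart against localhost as a sleep) and then pairs each task target with its Defender exclusion. The records are a constructed subset of this report's command lines; the parent image given for the powershell rows, the SYSTEM_BINARY_NAMES list and the ALLOWED_SYSTEM_DIRS set are the example's own assumptions, and the "parent | image | command line" record format is invented for the example.

```python
import re

# Constructed process-creation records, "parent image | image | command line", copied from
# this report's Processes and Signatures sections. Subset for the example: 4 of the 8 task
# targets, 5 of the 9 Defender exclusions, one w32tm call, and two rows no rule should hit.
# The parent image of the powershell rows is assumed (the report shows parents only for schtasks).
RECORDS_TEXT = r"""
C:\Users\Admin\AppData\Local\Temp\e94d8357aa3646382620513b5c5a2eca2f5e9d3a03d3e4546f7ddb2143957987.exe | C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe | C:\providercommon\DllCommonsvc.exe | "C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /f
C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /rl HIGHEST /f
C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /rl HIGHEST /f
C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\tracing\lsass.exe'" /f
C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\tracing\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\taskhostw.exe'" /f
C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\taskhostw.exe'" /rl HIGHEST /f
C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Music\sppsvc.exe'" /f
C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Music\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Music\sppsvc.exe'" /rl HIGHEST /f
C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchUI.exe'
C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\taskhostw.exe'
C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\sppsvc.exe'
C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\lsass.exe'
C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
"""

# Example's assumptions: where these binaries legitimately live, and which names to watch.
ALLOWED_SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_BINARY_NAMES = {"lsass.exe", "taskhostw.exe", "runtimebroker.exe", "searchui.exe",
                       "explorer.exe", "sppsvc.exe", "svchost.exe", "csrss.exe", "winlogon.exe"}
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1]

def dirname(path):
    return path.rsplit("\\", 1)[0]

def parse_records(text):
    return [tuple(p.strip() for p in line.split(" | ", 2)) for line in text.strip().splitlines()]

def schtasks_opt(cmd, name, pattern=r'"?([^"\s]+)"?'):
    m = re.search(rf"/{name}\s+{pattern}", cmd, re.I)
    return m.group(1) if m else None

def parse_schtasks(cmd):
    """Pull /tn /sc /mo /rl /tr out of a schtasks command line. /tr is the action path,
    which this family wraps in nested quotes (double around single); both are stripped."""
    target = schtasks_opt(cmd, "tr", r'"([^"]+)"')
    return {"create": "/create" in cmd.lower(), "tn": schtasks_opt(cmd, "tn"),
            "sc": schtasks_opt(cmd, "sc"), "mo": schtasks_opt(cmd, "mo"),
            "rl": schtasks_opt(cmd, "rl"), "tr": target.strip("'") if target else None}

def masquerades_as_system_binary(path):
    """A well-known Windows binary name living outside the directories it ships in."""
    name, folder = basename(path).lower(), dirname(path).lower()
    if name not in SYSTEM_BINARY_NAMES:
        return False
    return folder not in ALLOWED_SYSTEM_DIRS and not folder.startswith(r"c:\windows\systemapps" + "\\")

def analyze(records):
    """Return (findings, tasks keyed by action path, Defender exclusion paths)."""
    findings, tasks, exclusions = [], {}, []
    for parent, image, cmd in records:
        pimg, img = basename(parent).lower(), basename(image).lower()
        if img == "schtasks.exe":
            if pimg == "wmiprvse.exe":  # task creation proxied through WMI Win32_Process.Create
                findings.append(("schtasks_spawned_by_wmiprvse", cmd))
            task = parse_schtasks(cmd)
            if task["create"] and task["tr"]:
                tasks.setdefault(task["tr"], []).append(task)
                if masquerades_as_system_binary(task["tr"]):
                    findings.append(("system_binary_name_outside_system_dir", task["tr"]))
        elif img == "powershell.exe":
            m = EXCLUSION_RE.search(cmd)
            if m:
                exclusions.append(m.group(1))
                findings.append(("defender_exclusion_added", m.group(1)))
        elif img == "w32tm.exe" and "/stripchart" in cmd.lower() and "/computer:localhost" in cmd.lower():
            findings.append(("w32tm_stripchart_used_as_sleep", cmd))
    return findings, tasks, exclusions

def persistence_summary(tasks, exclusions):
    """Per action path: task names, schedule types, whether any task runs at HIGHEST,
    and whether the same path was also excluded from Defender scanning."""
    excluded = {e.lower() for e in exclusions}
    return {target: {"tasks": sorted({t["tn"] for t in ts}),
                     "schedules": sorted({t["sc"].upper() for t in ts}),
                     "highest": any((t["rl"] or "").upper() == "HIGHEST" for t in ts),
                     "defender_excluded": target.lower() in excluded}
            for target, ts in tasks.items()}

if __name__ == "__main__":
    findings, tasks, exclusions = analyze(parse_records(RECORDS_TEXT))
    for rule, detail in findings:
        print(f"{rule:40} {detail}")
    for target, info in persistence_summary(tasks, exclusions).items():
        print(target, info)
```

On the embedded subset all twelve schtasks rows fire both the WmiPrvSE-parent rule and the masquerading rule, all five exclusions and the w32tm call are reported, and the summary shows every action path with a MINUTE and an ONLOGON task at HIGHEST and a matching Defender exclusion. The pairing of an exclusion with a task target for the same path is the strongest single indicator in this report; either event alone has benign explanations.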

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp (DNS query)
US 185.199.108.133:443 raw.githubusercontent.com tcp (11 connections)
GB 51.105.71.136:443 (no domain recorded) tcp

The only domain contacted is raw.githubusercontent.com, fetched repeatedly over HTTPS. Together with the "Legitimate hosting services abused for malware hosting/C2" signature this is consistent with the RAT reading its configuration or C2 address from a file hosted on GitHub (a dead-drop resolver, ATT&CK T1102.001); no second-stage C2 endpoint appears within the 147-second capture. 51.105.71.136 has no domain attached and sits in Microsoft's 51.105.0.0/16 range, so it is most likely OS or Defender background traffic rather than attacker infrastructure; confirm before treating it as an indicator.

Files

memory/2716-116-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-117-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-118-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-119-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-121-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-122-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-124-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-125-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-126-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-127-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-128-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-129-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-130-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-131-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-132-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-133-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-134-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-135-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-136-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-137-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-139-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-138-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-140-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-141-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-142-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-143-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-144-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-145-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-147-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-148-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-149-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-146-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-150-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-151-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-152-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-154-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-153-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-155-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-156-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-157-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-158-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-159-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-160-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-161-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-162-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-163-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-164-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-165-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-166-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-168-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-170-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-169-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-167-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-171-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-172-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-173-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-174-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-175-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-176-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-177-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-179-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/2716-178-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/4892-180-0x0000000000000000-mapping.dmp

memory/4892-182-0x0000000077A60000-0x0000000077BEE000-memory.dmp

memory/4892-181-0x0000000077A60000-0x0000000077BEE000-memory.dmp

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

memory/2000-256-0x0000000000000000-mapping.dmp

memory/3884-279-0x0000000000000000-mapping.dmp

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/3884-282-0x0000000000A40000-0x0000000000B50000-memory.dmp

memory/3884-283-0x0000000002BA0000-0x0000000002BB2000-memory.dmp

memory/3884-284-0x0000000002BE0000-0x0000000002BEC000-memory.dmp

memory/3884-285-0x0000000002BB0000-0x0000000002BBC000-memory.dmp

memory/3884-286-0x0000000002BD0000-0x0000000002BDC000-memory.dmp

memory/420-287-0x0000000000000000-mapping.dmp

memory/1020-288-0x0000000000000000-mapping.dmp

memory/612-292-0x0000000000000000-mapping.dmp

memory/1040-293-0x0000000000000000-mapping.dmp

memory/4696-294-0x0000000000000000-mapping.dmp

memory/204-296-0x0000000000000000-mapping.dmp

memory/2032-304-0x0000000000000000-mapping.dmp

memory/1672-291-0x0000000000000000-mapping.dmp

C:\providercommon\taskhostw.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\providercommon\taskhostw.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/1236-290-0x0000000000000000-mapping.dmp

memory/3152-289-0x0000000000000000-mapping.dmp

memory/1020-335-0x0000023CF1F90000-0x0000023CF1FB2000-memory.dmp

memory/2032-336-0x0000000000D10000-0x0000000000D22000-memory.dmp

memory/1236-339-0x00000261D7660000-0x00000261D76D6000-memory.dmp

memory/4136-572-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\nGcIoKmMem.bat

MD5 87cd86e5145871bd2d7fd21d0f920eee
SHA1 18f81056df4de09b876809827e9a9ba16042f71e
SHA256 94679c39e49d6a74c47672b739700e462c90c88399d83e5785afee10a0d5dfc1
SHA512 57bc3f3c70ff2073c7b8a537ffd6ddb6a5dc08d13db066440d0b34b7270f3f7e2d18c5c070d76524ae5b69bb833a9052246f23f0d35ab14c12a12adb2405f880

memory/4688-592-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5d2ad700286261222cc9343298f99b4d
SHA1 5b290376b1c52d97d94c954d334ed829e1cef6a2
SHA256 5c2a4cd604f2804471f753e6b5307980f6b68262a881172745f7ab9a2c042cbc
SHA512 450f26bac2760744a46bc00bafa68452d608a2cd12f8ee2223255418d6a1836451a2f51ba18459a266b9428df6b366f494f52816f014fa65b03471713a52b719

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 8592ba100a78835a6b94d5949e13dfc1
SHA1 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256 fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0a74878fe94a1868c1b40c079e6ceb65
SHA1 7b6a6720371b1f125b9b0ce4f233cf3b60614c70
SHA256 4122077a4f3b787451309955f566e65d5a80d4fa854fb27ea43cac4958ad1a3a
SHA512 b1bd79519e07e07480e11d252efda340075e61aed87b386a2870190b6adf0864793ddedcc0d7058a9febc385d26136971317551b6bf3ba127f21b5491af824a1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d83a51ad67952a34605b64663435970
SHA1 645dd9fb8815018da4e90e5b77c70804246c6ed2
SHA256 fcc18a90243feeafd5c4fdbbf9aadfb2da50d4b9cddcd046e207f2bbc61924bc
SHA512 6eaaaddea896878b23f8e0ba07443263adcaacfbeff21dd7961429ec457a3f4e41d3139b573ff7a8eaccc3e42abf3639a85c85d91ef5893898b0efd56baacc6c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7bf5e538e9f63f92f7028b22ee070ec6
SHA1 348735543b366d60f02f537dafc581905b0e1c84
SHA256 7f417088f56aed169c28627357f045cc3fae3b577134911568b6aeed616c8d73
SHA512 7dc9f94399fbfd248a848b6bd56b5c01b89c4a04f3577513f8628a61e4094583b0a87320d7880b32075dc269e083dbea8ecdbe82048275386a9a7614c2f6860e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 39202069dabd1dd01042ee3936eaaa4b
SHA1 8b5cac8ca322ef1728b5738d5ecbc4a0e329ab1c
SHA256 d874b4657b7fc5ab7719bc1680c98bee3bc8ed6be662e26080ad9420d98d1f75
SHA512 b1bbc5995afd01ad4c85ebc42b0853b6ac00be79a43cba50fd1c964a3cba56c8f9cf3475f755e2d3e4dfe64fb306e9c7e061464270b44616e79580554d1387b5

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0a74878fe94a1868c1b40c079e6ceb65
SHA1 7b6a6720371b1f125b9b0ce4f233cf3b60614c70
SHA256 4122077a4f3b787451309955f566e65d5a80d4fa854fb27ea43cac4958ad1a3a
SHA512 b1bd79519e07e07480e11d252efda340075e61aed87b386a2870190b6adf0864793ddedcc0d7058a9febc385d26136971317551b6bf3ba127f21b5491af824a1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 39202069dabd1dd01042ee3936eaaa4b
SHA1 8b5cac8ca322ef1728b5738d5ecbc4a0e329ab1c
SHA256 d874b4657b7fc5ab7719bc1680c98bee3bc8ed6be662e26080ad9420d98d1f75
SHA512 b1bbc5995afd01ad4c85ebc42b0853b6ac00be79a43cba50fd1c964a3cba56c8f9cf3475f755e2d3e4dfe64fb306e9c7e061464270b44616e79580554d1387b5

memory/892-610-0x0000000000000000-mapping.dmp

C:\providercommon\taskhostw.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\taskhostw.exe.log

MD5 d63ff49d7c92016feb39812e4db10419
SHA1 2307d5e35ca9864ffefc93acf8573ea995ba189b
SHA256 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12
SHA512 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

memory/892-613-0x0000000002DE0000-0x0000000002DF2000-memory.dmp

memory/2484-614-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\DegeIw2hse.bat

MD5 875ab2cdcd50576a646c1600e4b5b50d
SHA1 ce6bd8cb7618554cfca6d04857dc7e42e53e7a32
SHA256 bc2b0613ee04a4af16651346d9e329894d20ec553880f3d67eeac63adba2107a
SHA512 7b27c73b23e36cb7fd34f6f2d4245090ff32e2edec0b7240b99810dbafb27e7dc8daf856752675b300f8c62adc3be73042a493b16be11247aa5bb3593e3edc6d

memory/4488-616-0x0000000000000000-mapping.dmp

memory/4680-617-0x0000000000000000-mapping.dmp

C:\providercommon\taskhostw.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4680-619-0x0000000001470000-0x0000000001482000-memory.dmp

memory/3468-620-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\OTxxDhnLNa.bat

MD5 66368f4141424a031c4a7186ecc91ff1
SHA1 eec71aaea2f8f921ab930b72b18ba2b341117649
SHA256 5d66a05c44686eafc884f1683acd6716a0258774aec6326b988d38d89ebeab7e
SHA512 41cd5b2411864c643e082e81b731c541924144882cba5fb17ba22a053eedbffc3fa060e177369cfdd5b8277b6b0d2c2bbe9960b6673d53045f66ece9f12818f1

memory/4336-622-0x0000000000000000-mapping.dmp

memory/3936-623-0x0000000000000000-mapping.dmp

C:\providercommon\taskhostw.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4620-625-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\OZJpL0Zeaq.bat

MD5 06f99ca2a76d10d32cec97bf6da84cee
SHA1 d5d5eb72a17096831195ac33610c162b94368c1c
SHA256 a57a20d51435fbe491e41103af41c1c57014a99a46d81ccb618dfac45168c344
SHA512 94fadf548d0fac077709d1a51e2bfbf2228b7d3dae4c9670bd80c735924643aaaeaa7d6576d26305423a303db699183a35989dc5160772cef088303b3393593f

memory/4756-627-0x0000000000000000-mapping.dmp

memory/4748-628-0x0000000000000000-mapping.dmp

C:\providercommon\taskhostw.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4628-630-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\q3WH03M43W.bat

MD5 3d6d8d2ea7345f8cab0a7670e601b63d
SHA1 f3d5384d6df72f242f52334b48e60e88b6094f81
SHA256 bb7c672e426f5fae6cdcfdd78aaa40abf99a3626b5921e50a9bc3db00182f716
SHA512 f8b32e90207f1b0d03c4778a2ef0cfeb822ebb311026ea764b7352ad628fc81932e90ae2288f7e8db1bddf6349f187535dc4574352d80b981f747315a1edff6a

memory/1652-632-0x0000000000000000-mapping.dmp

C:\providercommon\taskhostw.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4432-633-0x0000000000000000-mapping.dmp

memory/1280-635-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\syYKg8QxNI.bat

MD5 da353769e1d27afce1da128f363bf006
SHA1 10651200d28b90adb54fc27ce1e01614d216da3d
SHA256 dd5839a9fe8dc10a642915a1e4e1f593a135bbb599de954e6547909fa6ba5349
SHA512 d46281b54f4a6bf9b9dd03f2f70aa3ec0f6c269936ade0706ab345c726573792b176745ce505c4f272063f9c76b52c4de8b47fe39dd1f8553e5b1d1c8533e393

memory/2288-637-0x0000000000000000-mapping.dmp

memory/4056-638-0x0000000000000000-mapping.dmp

C:\providercommon\taskhostw.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4908-640-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\YNa8GmLI5m.bat

MD5 8a305e8e1cfe88e911613e5ba1d6f840
SHA1 537f7ff995efe142042272d1c7cbe73c09f6bc33
SHA256 330a13130134e60a3277bf889edc91352489d1a5578ea6b9f92c829a5477ea75
SHA512 69410c46c604cfc67b66df10f2b232e4d2a32a4e4be231580e4827becf9d0160e786b796974ebe9f5f27e401990a76bf8a38485e44de6480c69b7d16aeb34dca

memory/4880-642-0x0000000000000000-mapping.dmp

memory/544-643-0x0000000000000000-mapping.dmp

C:\providercommon\taskhostw.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4328-645-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\ZES4mQr7Bk.bat

MD5 1cebf1848c89417e87fe506c51504f3b
SHA1 e64bc5958857038f9b5df99282ab5248eb7a1a01
SHA256 94c97b752d71cd6a1400a5e0d36e6e8a4a1bcc563b247c4aca35aabd7bc3af83
SHA512 3cff3d71a92f8f2d26097d6d34782948ae29ba9e6e4ae68aff456ac55dd27f233f61a299c80b4fce9ebc20b3f11c755a7b9dc85cbde8d73c743b9290c29d587d

memory/196-647-0x0000000000000000-mapping.dmp

C:\providercommon\taskhostw.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/2492-648-0x0000000000000000-mapping.dmp

memory/2492-650-0x0000000000CA0000-0x0000000000CB2000-memory.dmp

memory/4804-651-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\WRY5ahHPmz.bat

MD5 49cb6ca937cee7f315d6dfa17361a178
SHA1 a37d2abec4b697d84331d7951839ecc030818dcb
SHA256 b65cee04dc0e38021fc85502493710781c2dcf0a8b4a44dd1c81116f3cf6dcfb
SHA512 f8bc892cff3db8dce149ff5869852583d0896398b3b156b1782082661e8c142b4c1ae1d625ba619f563058d55a1a13541c28881e6f9314b31315020b3d745283

memory/2532-653-0x0000000000000000-mapping.dmp

memory/2412-654-0x0000000000000000-mapping.dmp

C:\providercommon\taskhostw.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4384-656-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\z6HXYUNDfk.bat

MD5 8bd29cddce0c906d872bc3ffdb74fe67
SHA1 daeca90dbc4ed563057e412d6f9153d7a27fb5a6
SHA256 298963fdaa930bcdbd7f9e6da5d920a92e512763701dad2d97cbb00f7268a1d8
SHA512 96cabf7253d961e14ecadbb2e6bf622c7f152decc9889de4bce6a1bc49d12b76b3dd7e859cdcbc0ea283ae8b9f4a2d64e71f625962f4c6c0d731e6d066a2457b

memory/208-658-0x0000000000000000-mapping.dmp

memory/416-659-0x0000000000000000-mapping.dmp

C:\providercommon\taskhostw.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4972-661-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\nGcIoKmMem.bat

MD5 87cd86e5145871bd2d7fd21d0f920eee
SHA1 18f81056df4de09b876809827e9a9ba16042f71e
SHA256 94679c39e49d6a74c47672b739700e462c90c88399d83e5785afee10a0d5dfc1
SHA512 57bc3f3c70ff2073c7b8a537ffd6ddb6a5dc08d13db066440d0b34b7270f3f7e2d18c5c070d76524ae5b69bb833a9052246f23f0d35ab14c12a12adb2405f880

memory/4424-663-0x0000000000000000-mapping.dmp

memory/1712-664-0x0000000000000000-mapping.dmp

C:\providercommon\taskhostw.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/1712-666-0x0000000002510000-0x0000000002522000-memory.dmp
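The Files listing above records the same dropped binary once per write (taskhostw.exe and DllCommonsvc.exe carry identical hashes, and taskhostw.exe appears many times) and interleaves memory-dump entries that carry no hashes. The helper below is an added example, not part of the report or of any tool it names; it parses the listing's plain-text layout (a path line followed by MD5/SHA1/SHA256/SHA512 lines, with memory/... lines skipped) into one de-duplicated IOC set and answers the question a responder actually asks: which recorded paths does a given file's SHA256 match? The input is a short excerpt copied from the listing, with the hash values exactly as the report prints them.

```python
r"""Collapse the report's Files listing into a de-duplicated IOC set.

Layout parsed (as printed on the page): a file path on its own line, then
'MD5 <hex>', 'SHA1 <hex>', 'SHA256 <hex>', 'SHA512 <hex>'; lines starting with
'memory/' are dump records without hashes and are skipped.
"""
import hashlib
import re
from collections import defaultdict

# Excerpt copied from the Files section above (three file records, one dump line).
SAMPLE = r"""
C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\providercommon\taskhostw.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4908-640-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\YNa8GmLI5m.bat

MD5 8a305e8e1cfe88e911613e5ba1d6f840
SHA1 537f7ff995efe142042272d1c7cbe73c09f6bc33
SHA256 330a13130134e60a3277bf889edc91352489d1a5578ea6b9f92c829a5477ea75
SHA512 69410c46c604cfc67b66df10f2b232e4d2a32a4e4be231580e4827becf9d0160e786b796974ebe9f5f27e401990a76bf8a38485e44de6480c69b7d16aeb34dca

C:\providercommon\taskhostw.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_files_section(text):
    """Return {path: {"MD5": ..., "SHA1": ..., "SHA256": ..., "SHA512": ..., "writes": n}}.

    A path seen again with different hashes is an error (a mutating payload
    should not be silently merged into one record)."""
    iocs = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            if current is None:          # hash line with no preceding path
                continue
            algo, digest = m.group(1), m.group(2).lower()
            prev = iocs[current].get(algo)
            if prev is not None and prev != digest:
                raise ValueError(f"{current}: conflicting {algo} values")
            iocs[current][algo] = digest
            continue
        if line.startswith("memory/"):   # dump record, no hashes follow
            current = None
            continue
        current = line                   # anything else starts a file record
        rec = iocs.setdefault(current, {"writes": 0})
        rec["writes"] += 1
    return iocs


def sha256_index(iocs):
    """Map SHA256 -> sorted paths it was written under (one binary, several names)."""
    idx = defaultdict(set)
    for path, rec in iocs.items():
        if "SHA256" in rec:
            idx[rec["SHA256"]].add(path)
    return {h: sorted(p) for h, p in idx.items()}


def match_bytes(data, iocs):
    """Return the recorded paths whose SHA256 equals the SHA256 of `data`."""
    return sha256_index(iocs).get(hashlib.sha256(data).hexdigest(), [])


if __name__ == "__main__":
    for digest, paths in sha256_index(parse_files_section(SAMPLE)).items():
        print(digest, "->", ", ".join(paths))
```

Feeding the whole Files section through parse_files_section gives one record per path with a write count, which is the form worth carrying into a blocklist; the SHA256 index makes the shared-binary relationship (DllCommonsvc.exe, taskhostw.exe) explicit instead of leaving it to be noticed by eye.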