Malware Analysis Report

2025-08-05 17:33

Sample ID 221101-mm59psahd3
Target c33e5f12fbadf295b97d134314aa50ad8870947233724a88552463706ef64367
SHA256 c33e5f12fbadf295b97d134314aa50ad8870947233724a88552463706ef64367
Tags
rat dcrat infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c33e5f12fbadf295b97d134314aa50ad8870947233724a88552463706ef64367

Threat Level: Known bad

The file c33e5f12fbadf295b97d134314aa50ad8870947233724a88552463706ef64367 was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

DcRat

Process spawned unexpected child process

Dcrat family

DCRat payload

DCRat payload

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-01 10:35

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-01 10:35

Reported

2022-11-01 10:38

Platform

win10-20220901-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c33e5f12fbadf295b97d134314aa50ad8870947233724a88552463706ef64367.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\9e8d7a4ca61bd9 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\en-US\6ccacd8608530f C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Provisioning\Packages\csrss.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Provisioning\Packages\886983d96e3d3e C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\c33e5f12fbadf295b97d134314aa50ad8870947233724a88552463706ef64367.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe N/A
N/A N/A C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4944 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\c33e5f12fbadf295b97d134314aa50ad8870947233724a88552463706ef64367.exe C:\Windows\SysWOW64\WScript.exe
PID 4944 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\c33e5f12fbadf295b97d134314aa50ad8870947233724a88552463706ef64367.exe C:\Windows\SysWOW64\WScript.exe
PID 4944 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\c33e5f12fbadf295b97d134314aa50ad8870947233724a88552463706ef64367.exe C:\Windows\SysWOW64\WScript.exe
PID 2024 wrote to memory of 4240 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 4240 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2024 wrote to memory of 4240 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4240 wrote to memory of 3424 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 4240 wrote to memory of 3424 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 3424 wrote to memory of 2420 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3424 wrote to memory of 2420 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3424 wrote to memory of 2664 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3424 wrote to memory of 2664 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3424 wrote to memory of 2424 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3424 wrote to memory of 2424 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3424 wrote to memory of 3236 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3424 wrote to memory of 3236 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3424 wrote to memory of 4732 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3424 wrote to memory of 4732 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3424 wrote to memory of 2688 N/A C:\providercommon\DllCommonsvc.exe C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe
PID 3424 wrote to memory of 2688 N/A C:\providercommon\DllCommonsvc.exe C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe
PID 2688 wrote to memory of 4060 N/A C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe C:\Windows\System32\cmd.exe
PID 2688 wrote to memory of 4060 N/A C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe C:\Windows\System32\cmd.exe
PID 4060 wrote to memory of 3228 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4060 wrote to memory of 3228 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4060 wrote to memory of 1972 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe
PID 4060 wrote to memory of 1972 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe
PID 1972 wrote to memory of 5060 N/A C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe C:\Windows\System32\cmd.exe
PID 1972 wrote to memory of 5060 N/A C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe C:\Windows\System32\cmd.exe
PID 5060 wrote to memory of 5052 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5060 wrote to memory of 5052 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5060 wrote to memory of 4428 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe
PID 5060 wrote to memory of 4428 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe
PID 4428 wrote to memory of 4296 N/A C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe C:\Windows\System32\cmd.exe
PID 4428 wrote to memory of 4296 N/A C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe C:\Windows\System32\cmd.exe
PID 4296 wrote to memory of 552 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4296 wrote to memory of 552 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4296 wrote to memory of 4704 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe
PID 4296 wrote to memory of 4704 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe
PID 4704 wrote to memory of 3876 N/A C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe C:\Windows\System32\cmd.exe
PID 4704 wrote to memory of 3876 N/A C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe C:\Windows\System32\cmd.exe
PID 3876 wrote to memory of 372 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3876 wrote to memory of 372 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3876 wrote to memory of 3512 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe
PID 3876 wrote to memory of 3512 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe
PID 3512 wrote to memory of 4600 N/A C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe C:\Windows\System32\cmd.exe
PID 3512 wrote to memory of 4600 N/A C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe C:\Windows\System32\cmd.exe
PID 4600 wrote to memory of 3600 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4600 wrote to memory of 3600 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4600 wrote to memory of 4560 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe
PID 4600 wrote to memory of 4560 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe
PID 4560 wrote to memory of 96 N/A C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe C:\Windows\System32\cmd.exe
PID 4560 wrote to memory of 96 N/A C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe C:\Windows\System32\cmd.exe
PID 96 wrote to memory of 3968 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 96 wrote to memory of 3968 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 96 wrote to memory of 1168 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe
PID 96 wrote to memory of 1168 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe
PID 1168 wrote to memory of 1200 N/A C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe C:\Windows\System32\cmd.exe
PID 1168 wrote to memory of 1200 N/A C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe C:\Windows\System32\cmd.exe
PID 1200 wrote to memory of 4788 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1200 wrote to memory of 4788 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1200 wrote to memory of 4264 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe
PID 1200 wrote to memory of 4264 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe
PID 4264 wrote to memory of 2296 N/A C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe C:\Windows\System32\cmd.exe
PID 4264 wrote to memory of 2296 N/A C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe C:\Windows\System32\cmd.exe
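
The rows above are raw WriteProcessMemory events, several per spawn, so the actual process tree (sample → WScript.exe → cmd.exe → DllCommonsvc.exe → powershell.exe / Idle.exe, then Idle.exe re-launching itself through cmd.exe) is hard to see by eye. The following Python is an added example, not part of the sandbox report: it parses rows in exactly the format printed above, collapses the duplicates into parent links, prints each chain from root to leaf, counts how often an image re-occurs in its own ancestry (the Idle.exe restart loop), and flags leaves whose ancestry contains a script host and cmd.exe before an executable outside C:\Windows. The `ROWS` block is a constructed subset of this report's rows; the duplicated 4944 → 2024 row is kept deliberately.

```python
import re

# Constructed from the "Suspicious use of WriteProcessMemory" rows of this report
# (a subset; the duplicated 4944 -> 2024 row is kept on purpose to show de-duplication).
ROWS = r"""
PID 4944 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\c33e5f12fbadf295b97d134314aa50ad8870947233724a88552463706ef64367.exe C:\Windows\SysWOW64\WScript.exe
PID 4944 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\c33e5f12fbadf295b97d134314aa50ad8870947233724a88552463706ef64367.exe C:\Windows\SysWOW64\WScript.exe
PID 2024 wrote to memory of 4240 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4240 wrote to memory of 3424 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 3424 wrote to memory of 2420 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3424 wrote to memory of 2688 N/A C:\providercommon\DllCommonsvc.exe C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe
PID 2688 wrote to memory of 4060 N/A C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe C:\Windows\System32\cmd.exe
PID 4060 wrote to memory of 3228 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4060 wrote to memory of 1972 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe
"""

# Both paths end in ".exe", so a lazy match on the first one splits them
# correctly even though the paths contain spaces.
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+\.exe)$")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_rows(text):
    """Build parent links from the sandbox rows.

    Returns (parents, images): child PID -> parent PID, and PID -> image path.
    The sandbox logs several WriteProcessMemory calls per spawn (the parent
    writes the child's startup data), so repeated rows collapse to one edge."""
    parents, images = {}, {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        ppid, cpid, pimg, cimg = int(m[1]), int(m[2]), m[3], m[4]
        parents[cpid] = ppid
        images.setdefault(ppid, pimg)
        images[cpid] = cimg
    return parents, images


def lineage(parents, images, pid):
    """Image paths from the root process down to `pid`."""
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return [images[p] for p in reversed(chain)]


def leaves(parents):
    """PIDs that never spawned anything (the end of each chain)."""
    return sorted(pid for pid in parents if pid not in parents.values())


def self_relaunch_count(parents, images, pid):
    """How often the image of `pid` already occurs among its own ancestors.
    A dropped EXE that keeps re-spawning itself through cmd.exe and a .bat
    is the restart loop visible in this report's process list."""
    names = [basename(p).lower() for p in lineage(parents, images, pid)]
    return names[:-1].count(names[-1])


def loader_chains(parents, images):
    """Leaf PID -> first executable started outside C:\\Windows after a
    script host and cmd.exe appear in its ancestry (the .vbe -> .bat -> EXE
    loader pattern of this sample)."""
    hits = {}
    for pid in leaves(parents):
        chain = lineage(parents, images, pid)
        names = [basename(p).lower() for p in chain]
        host = next((i for i, n in enumerate(names) if n in SCRIPT_HOSTS), None)
        if host is None or "cmd.exe" not in names[host:]:
            continue
        shell = names.index("cmd.exe", host)
        dropped = next((p for p in chain[shell:]
                        if not p.lower().startswith("c:\\windows\\")), None)
        if dropped:
            hits[pid] = dropped
    return hits


if __name__ == "__main__":
    parents, images = parse_rows(ROWS)
    for pid in leaves(parents):
        print(pid, " -> ".join(basename(p) for p in lineage(parents, images, pid)))
    print(loader_chains(parents, images))
```

Run against the full table, every leaf in this report resolves to the same dropped loader, C:\providercommon\DllCommonsvc.exe, which is the file to pull from the sandbox and hash rather than the renamed copies it later plants under Program Files and Windows.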

Processes

C:\Users\Admin\AppData\Local\Temp\c33e5f12fbadf295b97d134314aa50ad8870947233724a88552463706ef64367.exe

"C:\Users\Admin\AppData\Local\Temp\c33e5f12fbadf295b97d134314aa50ad8870947233724a88552463706ef64367.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Provisioning\Packages\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Provisioning\Packages\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Provisioning\Packages\csrss.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Provisioning\Packages\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'

C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe

"C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BAdWWGXi7E.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe

"C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9ncYvmuuF5.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe

"C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HmDgHlPzdV.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe

"C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D5faDLbbQ0.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe

"C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EqBdbgL5Ji.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe

"C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RgqsKqwwLg.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe

"C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uLZJId2lFR.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe

"C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s5uDoSCHZY.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe

"C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe

"C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WPmuDeaX4D.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe

"C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iMm147yiIR.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
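
Three things in the command lines above are worth turning into detection logic: scheduled tasks whose action is a system-process name (RuntimeBroker.exe, csrss.exe, sihost.exe, or the invented Idle.exe) registered from a path where that binary never lives, tasks that fire every few minutes with /rl HIGHEST, the Add-MpPreference exclusions for each dropped file, and w32tm /stripchart against localhost used as a sleep inside a temp .bat. The Python below is an added example, not part of the sandbox report or of any vendor tooling: it parses `schtasks /create` options and runs those rules over a constructed sample made from this report's command lines plus one made-up benign task (the "VendorUpdate" line) so the rules have something to ignore. The ATT&CK IDs in the comments are my mapping, not the report's (its MITRE section is empty).

```python
import re

# Constructed from the command lines in the Processes section above; the last
# line is a made-up benign task, added so the rules have something to ignore.
SAMPLE = r'''
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /f
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Provisioning\Packages\csrss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe'" /f
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
schtasks.exe /create /tn "VendorUpdate" /sc DAILY /tr "C:\Program Files\Vendor\updater.exe" /f
'''

# Real Windows processes that only load from the system directories
# (RuntimeBroker.exe, csrss.exe, sihost.exe) plus "Idle.exe", which mimics the
# System Idle pseudo-process and has no legitimate image file at all.
MASQUERADE_NAMES = {"runtimebroker.exe", "csrss.exe", "sihost.exe", "idle.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def schtasks_opts(cmd):
    """Values of /tn /tr /sc /mo /rl from a `schtasks /create` line, else None.
    The /tr value may be wrapped as "'path'" (as in this report) or "path"."""
    if not re.match(r'^"?schtasks(?:\.exe)?"?\s+/create\b', cmd, re.I):
        return None

    def opt(flag):
        # Strip one layer of double and one layer of single quotes; stop at the
        # next "/switch" or at end of line.
        m = re.search(rf'''/{flag}\s+"?'?([^"']+?)'?"?(?=\s+/|$)''', cmd, re.I)
        return m.group(1) if m else None

    return {k: opt(k) for k in ("tn", "tr", "sc", "mo", "rl")}


def detect(cmd):
    """Rule names that fire on one command line, in a fixed order."""
    hits = []
    opts = schtasks_opts(cmd)
    if opts and opts["tr"]:
        target = opts["tr"]
        name = target.rsplit("\\", 1)[-1].lower()
        # T1053.005 + T1036.005: a system-process name registered from a
        # path where that binary never lives.
        if name in MASQUERADE_NAMES and not target.lower().startswith(SYSTEM_DIRS):
            hits.append("masquerading-task-target")
        # Every few minutes at /rl HIGHEST is a relaunch loop, not maintenance.
        if ((opts["rl"] or "").upper() == "HIGHEST"
                and (opts["sc"] or "").upper() == "MINUTE"
                and opts["mo"] and int(opts["mo"]) <= 15):
            hits.append("highest-priv-minute-relaunch")
    low = cmd.lower()
    # T1562.001: Defender exclusion for each dropped file.
    if re.search(r"add-mppreference\s+-exclusion(?:path|process|extension)\b", low):
        hits.append("defender-exclusion-added")
    # w32tm polling localhost from a dropped .bat is a built-in sleep, not time sync.
    if re.search(r"\bw32tm(?:\.exe)?\s+/stripchart\s+/computer:localhost\b", low):
        hits.append("w32tm-sleep")
    return hits


def scan(text):
    """Command line -> rule hits, for every line that fired at least one rule."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            hits = detect(line)
            if hits:
                report[line] = hits
    return report


if __name__ == "__main__":
    for line, hits in scan(SAMPLE).items():
        print(", ".join(hits), "<-", line)
```

The same rules apply unchanged to Sysmon event 1 or Security 4688 command lines; the only site-specific knob is the 15-minute threshold, which should sit just above the shortest interval any legitimate job on the estate uses.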

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 13.89.179.8:443 - tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp

Files

memory/4944-120-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-121-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-122-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-123-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-125-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-126-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-128-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-129-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-131-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-132-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-130-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-133-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-134-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-135-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-136-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-137-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-138-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-139-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-140-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-141-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-142-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-143-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-144-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-145-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-146-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-147-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-148-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-149-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-150-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-151-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-152-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-153-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-154-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-155-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-156-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-157-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-158-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-160-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-159-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-161-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-162-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-163-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-164-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-165-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-166-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-167-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-168-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-169-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-170-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-172-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-171-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-174-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-173-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-175-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-176-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-177-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-178-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-179-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-180-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-181-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-182-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/4944-183-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/2024-184-0x0000000000000000-mapping.dmp

memory/2024-185-0x0000000077D50000-0x0000000077EDE000-memory.dmp

memory/2024-186-0x0000000077D50000-0x0000000077EDE000-memory.dmp

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

memory/4240-260-0x0000000000000000-mapping.dmp

memory/3424-283-0x0000000000000000-mapping.dmp

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/3424-286-0x0000000000F70000-0x0000000001080000-memory.dmp

memory/3424-287-0x000000001BAB0000-0x000000001BAC2000-memory.dmp

memory/3424-288-0x000000001BAE0000-0x000000001BAEC000-memory.dmp

memory/3424-289-0x000000001BAC0000-0x000000001BACC000-memory.dmp

memory/3424-290-0x000000001BAD0000-0x000000001BADC000-memory.dmp

memory/2420-291-0x0000000000000000-mapping.dmp

memory/3236-294-0x0000000000000000-mapping.dmp

memory/2424-293-0x0000000000000000-mapping.dmp

memory/2664-292-0x0000000000000000-mapping.dmp

memory/4732-295-0x0000000000000000-mapping.dmp

memory/2688-300-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/2420-319-0x00000209FE470000-0x00000209FE492000-memory.dmp

memory/2420-322-0x00000209FE620000-0x00000209FE696000-memory.dmp

memory/4060-455-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\BAdWWGXi7E.bat

MD5 49cce861ef7f7b0d6e29f02fcdcccd1a
SHA1 1c2fafdb220f236fe61b5f0eeb461068c3f6bde4
SHA256 99622df326778754945069205a08584a2b5e0940bcdb731a92966b18a05b66c1
SHA512 dda945c8eeaf7b7df5d7acc70b823351a32d7b77907e60ab4f3fdb39cd9d80243bdfc75c6f39a12be4f2d8146c19c1752114d8c5be34d82f1c4f89e1a91840ea

memory/3228-463-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 00a91c4c518cfebfbe24e490abe0f129
SHA1 3a3d1d53a8123b0fa1ba8d3a69cd64e9ee88cb2f
SHA256 5e806ed47f1895831dd1c9e3fd93050dd50125330ffb2630d18e70dafaa4a211
SHA512 5189418607936fc322b041f6db7fc823d764fadac61fc3615a64f173721cc789162002bf5a55cd4a8ad947d9b5fc5ea6ccf707525ea6e84336b37e8f0fe7fc5b

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ad5cd538ca58cb28ede39c108acb5785
SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 25836ba91a8abbc361fd8547d2d5a327
SHA1 72891660ec36837b0595ed387fa7cfededa29843
SHA256 9309486ab1a88c95791433e7b42daad1bf81321cc83575b0aa5be64c57739ef4
SHA512 22c9bc24290e9d6e6119fa064a00aa6a8e74e8bd667f2143cf07e10569c3348d72420f46b7cee7e6b05d289c2e54f6ce66a10b519192eeba9b8d41ddec1baf81

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6727481a43190c75ba9caa977dea6c9c
SHA1 df6b8c5c19c0621f507ca2352aae539b8894b7f9
SHA256 884d326a83c972dcfcfda9d7ea03caeca91794af1fcaf2fa5450ace1f39ce894
SHA512 9d1f6c84f6bad4d5a47b7abd43d2578ecb64be1870a7362828eb3e21d7dfb5a32e41c24b30a6e04651f87cafc5c046c2422b359e0ac306b83458b77b290fea9c

C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/1972-474-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Idle.exe.log

MD5 d63ff49d7c92016feb39812e4db10419
SHA1 2307d5e35ca9864ffefc93acf8573ea995ba189b
SHA256 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12
SHA512 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

memory/5060-477-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\9ncYvmuuF5.bat

MD5 82e43be860698f01757c62d08e686e8d
SHA1 c9e4d41a86658da730cce89c7b616f387757f90a
SHA256 7940750b4a3311fbe1e355ea04c17ff4e8d7e358f1c754346430ef09025fdc8f
SHA512 12b02e22c9fd0075279e62ef9fdfb02457e99a3f1b1f6669a0607b5f9574dbecb2f62567c615dd3b42e976255557f612db74402fdf8673e6e6f24b1a027a702e

memory/5052-479-0x0000000000000000-mapping.dmp

memory/4428-480-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4428-482-0x00000000010A0000-0x00000000010B2000-memory.dmp

memory/4296-483-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\HmDgHlPzdV.bat

MD5 a01101e5d551ec2967731e86bef3cb71
SHA1 a0153ff9b6d0ee9a3279b9f7068330bb6a2ef94e
SHA256 3c4e4c725501a69fc1081716cc52e5512ae8bb8a1ba04b0a92d286530e792aaa
SHA512 16ad877fe8d15de9214c509d8c876e30f31ee1c45008ea8f5c7ec4547d0d2b981cdf9777828e074f28302e83a8389eea7c9b0a8abb5782a39638613f56c0f4b8

memory/552-485-0x0000000000000000-mapping.dmp

memory/4704-486-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/3876-488-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\D5faDLbbQ0.bat

MD5 c2cf49868bd5aae6c7dce9aa82531bd5
SHA1 66eec7f1e1d1e35e5e09a26b8872e7c31a223021
SHA256 ca623ac948e02d223b68f9d8ab65ac88aabb05a8b881d22d9aca96318c4fe517
SHA512 a1db8b82a35f487cd0e4fdefe04a124ab791de9cfb765f61be0f5a6d6fd5ec3964d79a4d03e3ff40694d38d1e3d328763c0e041d6a1261b61a5cbf93c7bd36b7

memory/372-490-0x0000000000000000-mapping.dmp

memory/3512-491-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4600-493-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\EqBdbgL5Ji.bat

MD5 ee609a43f26a5a433adf5e3b84df9e3e
SHA1 5887cb64d2d915fad238fd220671bcdd5b71a5db
SHA256 9a9e5f862a7bb7b483c0593e6e33b6e869db4050cdf9173351d93bc45661ca11
SHA512 8306b2bd0929c468e40db6e72a9ab0755cf8ba4b1257222edf82cc161b81a8180befd88ce2aff05b9514691cc0e81b2b9198bb45ed0759d0fc140a7c120acadd

memory/3600-495-0x0000000000000000-mapping.dmp

memory/4560-496-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4560-498-0x0000000000780000-0x0000000000792000-memory.dmp

memory/96-499-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RgqsKqwwLg.bat

MD5 4c9621b01fc1c796ef856a4efc30307e
SHA1 9ab12114d2d25dc85c1547b2f66acec9510f1baa
SHA256 4d3cf047b6eb37dea4f31ba91baa1376844778d2ef982fdb516e98d8d82cec91
SHA512 9fb2adfe34f5dfa83bcae03b8d4f2263a86544b15b03000df1247fcbe8ae1b12c4629bda0dd7ea67136dd5a1e2987f1a71455b77f329c313012185c6553c528b

memory/3968-501-0x0000000000000000-mapping.dmp

memory/1168-502-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/1200-504-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\uLZJId2lFR.bat

MD5 8b90353f65e28667a0d57a884af0184a
SHA1 6de25c7ab0b8c71cf0823ef82b704603656a2d66
SHA256 7a8496cf9d732350f5ef58ddbc0e6f6e4b248910e14e8e2df8d56e53ffbe1792
SHA512 4910cc7f5921e624512f996b59e6624e680ca1c760c887e773684d8dfc46fbe4ee40e9ced56471f8378fd920f4d1ebacb612d0a28d5e16bf69cb38471a8fb7a0

memory/4788-506-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4264-507-0x0000000000000000-mapping.dmp

memory/4264-509-0x00000000029A0000-0x00000000029B2000-memory.dmp

memory/2296-510-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\s5uDoSCHZY.bat

MD5 77b202fbab3ebff98b8050ef40f552b3
SHA1 914e789fefa9d40fd7fa24c83abbfc85f764bbd3
SHA256 d367302667d55e6d9a369a4586343ece74bd56daa00ba295801be73ebf56fe4d
SHA512 24451785c6a6a1bebe9959fa3d85d7d0810c35314dd2e4ffebfc949064af2c09f17115e9a338ec35ef89d6110b3c7fe475fb5ada65233c506668074f495479a5

memory/4668-512-0x0000000000000000-mapping.dmp

memory/1052-513-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/1052-515-0x0000000000DF0000-0x0000000000E02000-memory.dmp

memory/328-516-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat

MD5 a0726b02bbea4727fa550c4090efcb77
SHA1 aa49d33af258a023bb260cbc3ee4b7d15750f874
SHA256 b912418bcf3e65a8f009043b1076ed4701cd97bf63291b09b52b20d5f6a20394
SHA512 553ed2e93e2c45649378b425c1a827c2c57be4faa6ab88f14f54bd7b0827e1ad581d8c5a9a45f06672ca68e3eba10228b00e387cd98498f197cbd8818717e51b

memory/4588-518-0x0000000000000000-mapping.dmp

memory/68-519-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/68-521-0x00000000013C0000-0x00000000013D2000-memory.dmp

memory/4708-522-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\WPmuDeaX4D.bat

MD5 3012ce3b54b8c6ebb0c01f76bcf72907
SHA1 0709cd89c1ee5277dd9216eb8d47b3a7f0e53d35
SHA256 2d8037a0068a649973085778479d3e408bae62aee721c64df9f4c0476e5d9f4e
SHA512 58499571c839355ce3c98e019bb90c4a89b70cbb90660849e950d659a8b81771df912861246157c09b72c872e07a1c431f83e11c8ffdb9f916ff82274e41e266

memory/4728-524-0x0000000000000000-mapping.dmp

memory/340-525-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/340-527-0x00000000010E0000-0x00000000010F2000-memory.dmp

memory/4232-528-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\iMm147yiIR.bat

MD5 ca55c55bac6d95203347d206b308d429
SHA1 c93da474a4ffb84aefc3266770fcdcad327dec4c
SHA256 159669053a5b16455d63c1f63c42cccc58b6e3ba9a5aae2078d367b9790d77a5
SHA512 4c218abfe2b1cf317416ceb52f902dacb03545c690135da8c8d2d246896d2a10139c7bcaf197364db2c8c2acd2b3fe3f1c4018e0235103b01547f0fefab2dfbb

memory/5068-530-0x0000000000000000-mapping.dmp
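The Files listing above is where the persistence and masquerade steps become visible: the same hashes appear under `C:\providercommon\DllCommonsvc.exe` and under `C:\Program Files (x86)\Windows NT\TableTextService\en-US\Idle.exe`, and a fresh `.bat` in `%TEMP%` precedes each relaunch of `Idle.exe`. Pulling that out by eye from a few hundred lines is error-prone, so the following Python is an added example, not part of the sandbox report: it parses the section's own layout (a path line, a blank line, one `ALGO hex` line per hash, with `memory/...dmp` names in between), groups drop locations by SHA256, and lists the PIDs that received a `mapping.dmp`. Treating a `mapping.dmp` at address 0 as the sandbox's first snapshot of a new process is an assumption of this example, based only on the pattern visible in the report.

```python
import re
from collections import defaultdict

# Constructed excerpt in the Files section's own layout: a dropped-file path,
# a blank line, then one "ALGO hex" line per hash; memory dump names appear
# between entries. SHA512 lines are omitted for brevity but parse identically.
SAMPLE_FILES = """\
memory/3424-283-0x0000000000000000-mapping.dmp

C:\\providercommon\\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

memory/3424-286-0x0000000000F70000-0x0000000001080000-memory.dmp

C:\\Program Files (x86)\\Windows NT\\TableTextService\\en-US\\Idle.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

C:\\Users\\Admin\\AppData\\Local\\Temp\\BAdWWGXi7E.bat

MD5 49cce861ef7f7b0d6e29f02fcdcccd1a
SHA1 1c2fafdb220f236fe61b5f0eeb461068c3f6bde4
SHA256 99622df326778754945069205a08584a2b5e0940bcdb731a92966b18a05b66c1
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)


def parse_files_section(text: str):
    """Return (dropped-file entries, memory dumps) parsed from report text."""
    entries, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            current = None               # a dump line ends the previous entry
            start = int(m["start"], 16)
            end = int(m["end"], 16) if m["end"] else None
            dumps.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                          "kind": m["kind"], "start": start,
                          "size": (end - start) if end is not None else 0})
            continue
        m = HASH_RE.match(line)
        if m:
            if current is not None:      # ignore an orphan hash line
                current["hashes"][m.group(1)] = m.group(2).lower()
            continue
        current = {"path": line, "hashes": {}}   # anything else starts an entry
        entries.append(current)
    return entries, dumps


def paths_by_sha256(entries):
    """Every location the same bytes were written to, keyed by SHA256."""
    by_hash = defaultdict(set)
    for e in entries:
        sha = e["hashes"].get("SHA256")
        if sha:
            by_hash[sha].add(e["path"])
    return {sha: sorted(paths) for sha, paths in by_hash.items()}


def renamed_copies(entries):
    """Payloads dropped under more than one path: the copy-and-masquerade step."""
    return {sha: p for sha, p in paths_by_sha256(entries).items() if len(p) > 1}


def first_seen_pids(dumps):
    """PIDs with a mapping.dmp at address 0. Assumption of this example: that is
    the sandbox's first snapshot of a newly created process."""
    return sorted({d["pid"] for d in dumps
                   if d["kind"] == "mapping" and d["start"] == 0})
```

Run over the full section, `renamed_copies` returns one SHA256 (`b5199d...5c63`) with both the `providercommon` and the `TableTextService\en-US\Idle.exe` paths, which is the single fact worth carrying into a hunt: match on the hash, not on either filename. The `size` field also explains the long run of `memory/4944-...` lines near the top of the section: every one of them covers the same `0x77D50000`-`0x77EDE000` range (0x18E000 bytes), so they are repeated snapshots of one region of PID 4944, not sixty different allocations.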