Malware Analysis Report

2025-08-05 17:32

Sample ID 221101-mmerrabhbn
Target 79febd0eae4663425df478455a683e21404984499327577df4e27c6d11214a94
SHA256 79febd0eae4663425df478455a683e21404984499327577df4e27c6d11214a94
Tags
rat dcrat infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

79febd0eae4663425df478455a683e21404984499327577df4e27c6d11214a94

Threat Level: Known bad

The file 79febd0eae4663425df478455a683e21404984499327577df4e27c6d11214a94 was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

Dcrat family

Process spawned unexpected child process

DcRat

DCRat payload

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Enumerates physical storage devices

Modifies registry class

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-01 10:34

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-01 10:34

Reported

2022-11-01 10:37

Platform

win10-20220901-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\79febd0eae4663425df478455a683e21404984499327577df4e27c6d11214a94.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (9 occurrences)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (18 detections, no details reported)

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Web\Wallpaper\Theme2\66fc9ff0ee96c2 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\appcompat\appraiser\Telemetry\RuntimeBroker.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\appcompat\appraiser\Telemetry\9e8d7a4ca61bd9 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Web\Wallpaper\Theme2\sihost.exe C:\providercommon\DllCommonsvc.exe N/A
File opened for modification C:\Windows\Web\Wallpaper\Theme2\sihost.exe C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings C:\Windows\Web\Wallpaper\Theme2\sihost.exe N/A (14 occurrences)
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\79febd0eae4663425df478455a683e21404984499327577df4e27c6d11214a94.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A (7 occurrences)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (12 occurrences)
N/A N/A C:\Windows\Web\Wallpaper\Theme2\sihost.exe N/A (14 occurrences)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Web\Wallpaper\Theme2\sihost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (7 occurrences)
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (3 occurrences)
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (3 occurrences)
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (3 occurrences)
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (3 occurrences)
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (3 occurrences)
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (3 occurrences)
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (3 occurrences)
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (3 occurrences)
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (3 occurrences)
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (3 occurrences)
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (3 occurrences)
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (3 occurrences)
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (3 occurrences)
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (3 occurrences)
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (3 occurrences)
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (2 occurrences)
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (2 occurrences)
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (2 occurrences)
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (2 occurrences)
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (2 occurrences)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2848 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\79febd0eae4663425df478455a683e21404984499327577df4e27c6d11214a94.exe C:\Windows\SysWOW64\WScript.exe (3 occurrences)
PID 2336 wrote to memory of 4668 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe (3 occurrences)
PID 4668 wrote to memory of 4176 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe (2 occurrences)
PID 4176 wrote to memory of 4972 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 occurrences)
PID 4176 wrote to memory of 4976 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 occurrences)
PID 4176 wrote to memory of 4864 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 occurrences)
PID 4176 wrote to memory of 4888 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 occurrences)
PID 4176 wrote to memory of 4432 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\Web\Wallpaper\Theme2\sihost.exe (2 occurrences)
PID 4432 wrote to memory of 3892 N/A C:\Windows\Web\Wallpaper\Theme2\sihost.exe C:\Windows\System32\cmd.exe (2 occurrences)
PID 3892 wrote to memory of 1360 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (2 occurrences)
PID 3892 wrote to memory of 4196 N/A C:\Windows\System32\cmd.exe C:\Windows\Web\Wallpaper\Theme2\sihost.exe (2 occurrences)
PID 4196 wrote to memory of 4524 N/A C:\Windows\Web\Wallpaper\Theme2\sihost.exe C:\Windows\System32\cmd.exe (2 occurrences)
PID 4524 wrote to memory of 4100 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (2 occurrences)
PID 4524 wrote to memory of 4788 N/A C:\Windows\System32\cmd.exe C:\Windows\Web\Wallpaper\Theme2\sihost.exe (2 occurrences)
PID 4788 wrote to memory of 4216 N/A C:\Windows\Web\Wallpaper\Theme2\sihost.exe C:\Windows\System32\cmd.exe (2 occurrences)
PID 4216 wrote to memory of 3680 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (2 occurrences)
PID 4216 wrote to memory of 8 N/A C:\Windows\System32\cmd.exe C:\Windows\Web\Wallpaper\Theme2\sihost.exe (2 occurrences)
PID 8 wrote to memory of 4952 N/A C:\Windows\Web\Wallpaper\Theme2\sihost.exe C:\Windows\System32\cmd.exe (2 occurrences)
PID 4952 wrote to memory of 3196 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (2 occurrences)
PID 4952 wrote to memory of 4260 N/A C:\Windows\System32\cmd.exe C:\Windows\Web\Wallpaper\Theme2\sihost.exe (2 occurrences)
PID 4260 wrote to memory of 1496 N/A C:\Windows\Web\Wallpaper\Theme2\sihost.exe C:\Windows\System32\cmd.exe (2 occurrences)
PID 1496 wrote to memory of 956 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (2 occurrences)
PID 1496 wrote to memory of 216 N/A C:\Windows\System32\cmd.exe C:\Windows\Web\Wallpaper\Theme2\sihost.exe (2 occurrences)
PID 216 wrote to memory of 420 N/A C:\Windows\Web\Wallpaper\Theme2\sihost.exe C:\Windows\System32\cmd.exe (2 occurrences)
PID 420 wrote to memory of 1860 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (2 occurrences)
PID 420 wrote to memory of 2948 N/A C:\Windows\System32\cmd.exe C:\Windows\Web\Wallpaper\Theme2\sihost.exe (2 occurrences)
PID 2948 wrote to memory of 3904 N/A C:\Windows\Web\Wallpaper\Theme2\sihost.exe C:\Windows\System32\cmd.exe (2 occurrences)
PID 3904 wrote to memory of 3612 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (2 occurrences)
PID 3904 wrote to memory of 4860 N/A C:\Windows\System32\cmd.exe C:\Windows\Web\Wallpaper\Theme2\sihost.exe (2 occurrences)
PID 4860 wrote to memory of 1708 N/A C:\Windows\Web\Wallpaper\Theme2\sihost.exe C:\Windows\System32\cmd.exe (2 occurrences)
PID 1708 wrote to memory of 340 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (2 occurrences)

Processes

C:\Users\Admin\AppData\Local\Temp\79febd0eae4663425df478455a683e21404984499327577df4e27c6d11214a94.exe

"C:\Users\Admin\AppData\Local\Temp\79febd0eae4663425df478455a683e21404984499327577df4e27c6d11214a94.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Windows\Web\Wallpaper\Theme2\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Theme2\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Windows\Web\Wallpaper\Theme2\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\appcompat\appraiser\Telemetry\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\appcompat\appraiser\Telemetry\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\appcompat\appraiser\Telemetry\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\appcompat\appraiser\Telemetry\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Wallpaper\Theme2\sihost.exe'

C:\Windows\Web\Wallpaper\Theme2\sihost.exe

"C:\Windows\Web\Wallpaper\Theme2\sihost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbgl9PPr7s.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Web\Wallpaper\Theme2\sihost.exe

"C:\Windows\Web\Wallpaper\Theme2\sihost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Web\Wallpaper\Theme2\sihost.exe

"C:\Windows\Web\Wallpaper\Theme2\sihost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ay7XDWEJg9.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Web\Wallpaper\Theme2\sihost.exe

"C:\Windows\Web\Wallpaper\Theme2\sihost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WYuyh03jyF.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Web\Wallpaper\Theme2\sihost.exe

"C:\Windows\Web\Wallpaper\Theme2\sihost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Cu9aubHCzw.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Web\Wallpaper\Theme2\sihost.exe

"C:\Windows\Web\Wallpaper\Theme2\sihost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6raUEgr1vJ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Web\Wallpaper\Theme2\sihost.exe

"C:\Windows\Web\Wallpaper\Theme2\sihost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Web\Wallpaper\Theme2\sihost.exe

"C:\Windows\Web\Wallpaper\Theme2\sihost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pI0EcicZAo.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Web\Wallpaper\Theme2\sihost.exe

"C:\Windows\Web\Wallpaper\Theme2\sihost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cSLzsZ1i8q.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Web\Wallpaper\Theme2\sihost.exe

"C:\Windows\Web\Wallpaper\Theme2\sihost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lBSBdtFHPx.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Web\Wallpaper\Theme2\sihost.exe

"C:\Windows\Web\Wallpaper\Theme2\sihost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pkopelt31u.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Web\Wallpaper\Theme2\sihost.exe

"C:\Windows\Web\Wallpaper\Theme2\sihost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WYuyh03jyF.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Web\Wallpaper\Theme2\sihost.exe

"C:\Windows\Web\Wallpaper\Theme2\sihost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\y17QM3q8Rw.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Web\Wallpaper\Theme2\sihost.exe

"C:\Windows\Web\Wallpaper\Theme2\sihost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EqBdbgL5Ji.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp (14 connections)

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

memory/4668-260-0x0000000000000000-mapping.dmp

memory/4176-283-0x0000000000000000-mapping.dmp

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4176-286-0x00000000004B0000-0x00000000005C0000-memory.dmp

memory/4176-287-0x0000000000D10000-0x0000000000D22000-memory.dmp

memory/4176-288-0x0000000002610000-0x000000000261C000-memory.dmp

memory/4176-289-0x0000000002620000-0x000000000262C000-memory.dmp

memory/4176-290-0x0000000002630000-0x000000000263C000-memory.dmp

memory/4976-292-0x0000000000000000-mapping.dmp

memory/4864-293-0x0000000000000000-mapping.dmp

memory/4888-294-0x0000000000000000-mapping.dmp

memory/4972-291-0x0000000000000000-mapping.dmp

memory/4432-295-0x0000000000000000-mapping.dmp

C:\Windows\Web\Wallpaper\Theme2\sihost.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Windows\Web\Wallpaper\Theme2\sihost.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4972-314-0x000001E338BD0000-0x000001E338BF2000-memory.dmp

memory/4432-315-0x0000000000A70000-0x0000000000A82000-memory.dmp

memory/4888-320-0x00000292B9120000-0x00000292B9196000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ad5cd538ca58cb28ede39c108acb5785
SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2b3cd63e2ee93059e2ff6fad95ea185a
SHA1 b2ae5a72231b2b8db2e719f142b63cf7389ba270
SHA256 455256ab4a923c595af83cf5f9efdf528bed6f3fa8946142431cc7ba667fd46b
SHA512 c598b0692525189820ccdeae7c8937b417493fc2a600f14578f1c594c47e4b1726c514de416d0c36010e18dcf093361a28957f9e23279d12f524640370cfd8ac

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0bdfaa14d7814b541a77f4e97920dfd6
SHA1 c239720eee47db7f7136bb78e37c539b9e735c4c
SHA256 4c8946ef444ac60d731d674ad3d32a42edcd2a8d5fc984366f7c09eb24f5a272
SHA512 dfa795a1fd4fc852064cfdf93602899685bf9c13c7c326feca76fc7f97f92662342c52b79b447bcbc20cd55ea724742a499ad8da8e7770377a3e04ae52351608

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aa8f69e931ea2640bf599d529997e181
SHA1 2e7a95e891cf871429a00810b118b4e4537d0d0a
SHA256 455bb1548a2dae1350bb8ccc11fa578e5413bd9fa47fe914744575f957ceaf3a
SHA512 a55ab4f0eb6b206f2e33e3b54b1297cb952149a0bd8f223d4c46768cf65072470201fd49c880d81b845841460de4fc7c9a72376f265061d80c0d840682effbc1

memory/3892-437-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Pbgl9PPr7s.bat

MD5 751e9c406584a116178f7f5289d2d0af
SHA1 15db741ff20f4b09ef089e10540f1033b2160df4
SHA256 06d55fbff9d2a3acee4679b022984f5a712139f8f7879a4e0813872fd3629c8c
SHA512 1e6635d72c9b867aa19b8d92dd3ca976b6881124b96ebab888e4ab8629401ec640a914002780a8778ac9191f7b90dbf578f92644d62977827427f374657a30aa

memory/1360-439-0x0000000000000000-mapping.dmp

C:\Windows\Web\Wallpaper\Theme2\sihost.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4196-440-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

MD5 d63ff49d7c92016feb39812e4db10419
SHA1 2307d5e35ca9864ffefc93acf8573ea995ba189b
SHA256 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12
SHA512 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

memory/4196-443-0x0000000000850000-0x0000000000862000-memory.dmp

memory/4524-444-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat

MD5 fc47c55565642ef46f1e6f02db25bf98
SHA1 79c7f77c9734cd92380850e2aff4a72bc51ee475
SHA256 f5de396249409d332305a679fa44ab13e8f1104c9c821bd9f3625fcdbf166c51
SHA512 866497bbf08225b3da682f6cf22aeacfea3bb0cdecbb5833805e7df0c17d74552dff382ddace4aa050f7300ea9d334786bf4a228da54a76e9d0f224e61ca4600

memory/4100-446-0x0000000000000000-mapping.dmp

memory/4788-447-0x0000000000000000-mapping.dmp

C:\Windows\Web\Wallpaper\Theme2\sihost.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4216-449-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Ay7XDWEJg9.bat

MD5 5fd16d68d707a3ce86454bf85cd991f6
SHA1 1a0cbb4724d7e1b9d24694b5c048ca69c1a8bba3
SHA256 bd1e52cf2cf9b70cb65fff676e8dbbb17aace08f4835e70380586374860ab93c
SHA512 8ef1a575c6342c4f6d188ba02851183c62379b78c2a5ea79029a6e01419c2241458dfa5255e7153885b5c04e2b247d154296d526919f22428031483fcd3e639f

memory/3680-451-0x0000000000000000-mapping.dmp

memory/8-452-0x0000000000000000-mapping.dmp

C:\Windows\Web\Wallpaper\Theme2\sihost.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/8-454-0x0000000000AA0000-0x0000000000AB2000-memory.dmp

memory/4952-455-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\WYuyh03jyF.bat

MD5 9e5d7f43b4c3ab7008f5c672939d950f
SHA1 57563398a7cc6b49d8f2ace042edceb55211d5cb
SHA256 2b4f25665aec8fb6640344b482e23c2e021b62b877b5c8e9f4eb4b639aeb2d2e
SHA512 3160a5de63429251a45fb0a931ed686269ab092a2160f3fc3546cbf6cbb091115b8a7f4e4e519fb5b3007b3fa1ab7d362d7d712fe77dde3638dced47c0f7afca

memory/3196-457-0x0000000000000000-mapping.dmp

C:\Windows\Web\Wallpaper\Theme2\sihost.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4260-458-0x0000000000000000-mapping.dmp

memory/1496-460-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Cu9aubHCzw.bat

MD5 f33a67df9357c1dcb6b6ae1c252f354d
SHA1 891771e2dbf235e755fcca81efc003e4432d1f35
SHA256 4503b20e5536f22400b7508a24d108be93c11044b88ad229294570ae3afa90ea
SHA512 79d8dc998266a0144e3438ed92852fd0b709f9d5d0939c17f0d12aff0b4ea766d3371aeceedc548220fde9ffbd8274d503f6d4aa14d62a6b27de56e7ce8187e1

memory/956-462-0x0000000000000000-mapping.dmp

memory/216-463-0x0000000000000000-mapping.dmp

C:\Windows\Web\Wallpaper\Theme2\sihost.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/216-465-0x0000000001160000-0x0000000001172000-memory.dmp

memory/420-466-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\6raUEgr1vJ.bat

MD5 8b0b216e31f7ab74c3c151436c75c101
SHA1 cd23866b52d580981162a6caf4310afba1a68c53
SHA256 664e384ef60bf9deb66a91a940aec09ee9a0d2cecac64f160c4f4cdfed1e7d82
SHA512 87cd4429004780d91a483e2b83e7ab925f01021e6c66520bdd926b12f5c80404e299345da190f03ccb6c9325d6e12e4016099bb7a92889c62809005719bc4807

memory/1860-468-0x0000000000000000-mapping.dmp

C:\Windows\Web\Wallpaper\Theme2\sihost.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/2948-469-0x0000000000000000-mapping.dmp

memory/3904-471-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat

MD5 8f8e30aa67b07494e95a0cd8e42038c2
SHA1 7aff481e95df24648350ce418f5c12bc8a64782f
SHA256 564e24c4f1a8bfe3990cc672a1bc3dc7998a948b4a9b069dc6d0502b0c44e20c
SHA512 5a0624a8a981846c091049734c07d85cf115563c20603d5cca0d5df1ae947467ec7249a4aede454f9033469f94fa6979f8d44331d57f03e68cd99768c548fda0

memory/3612-473-0x0000000000000000-mapping.dmp

memory/4860-474-0x0000000000000000-mapping.dmp

C:\Windows\Web\Wallpaper\Theme2\sihost.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/1708-476-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\pI0EcicZAo.bat

MD5 09f56b255ab4a44c80b2dff6857367ce
SHA1 32b3858708277d4baab7f6940af9e1f3c2d7aaa6
SHA256 036014b6fae68f41605a9552cbb11bfffbdde9eb2b148e3f0da9632d3ae4022b
SHA512 9c0f5ef4919cbc812fe3f7a22e9a60b46fa7a620f5999dba6a9c6d6f52362b02c7049d59525b8f5de032fb97d803a4fe7f8242ece211c502f58b899edd8e107e

memory/340-478-0x0000000000000000-mapping.dmp

memory/2180-479-0x0000000000000000-mapping.dmp

C:\Windows\Web\Wallpaper\Theme2\sihost.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/2180-481-0x00000000010F0000-0x0000000001102000-memory.dmp

memory/4864-482-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\cSLzsZ1i8q.bat

MD5 d636ad3d694b3c22a5c5c371336243dd
SHA1 de086c9dba90b0064ed099cfe08d288c7cc80db6
SHA256 b9919b34ffc0adbd70f09553c3afbc841b9396e19361ebe68f640763fe460d99
SHA512 9c40ce985402af6f558ce439e43ef2bf4a775640922f148d8589ce1a7661a9f2e2de08f997adc32236a3373cad00d487f20631c5ccc3d1c9716e03b0ac5be667

memory/1200-484-0x0000000000000000-mapping.dmp

C:\Windows\Web\Wallpaper\Theme2\sihost.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/3212-485-0x0000000000000000-mapping.dmp

memory/5076-487-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\lBSBdtFHPx.bat

MD5 e462244119dd8609aa6afa75ff4af122
SHA1 c91c3de527131175ba9e0fc435f0ec491c6a62f1
SHA256 c513fdcbb31c98b5203587f5c124178a2015e50ea6731047229a57421a1bfa6a
SHA512 e92049b91f6f1acfe57058d5afad434f129e773852444b42b60f75f8dcc94e61fd8ef7151b426c5d6a4a8007fccf83c0c2f3231482633a5f2019d68ee2712820

memory/2788-489-0x0000000000000000-mapping.dmp

memory/5060-490-0x0000000000000000-mapping.dmp

C:\Windows\Web\Wallpaper\Theme2\sihost.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/3404-492-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Pkopelt31u.bat

MD5 b8bf12433f996b8e52b968339c1ee774
SHA1 b816fed5fcd09e54980a017367986550e904f69e
SHA256 73789f74fb4b5a7aa6555db475e7689010669c25d0147bc071f1c361c5aa7d3d
SHA512 59827079cc4ab523439ee6bf96ecd1b9886bb98096aa4b4fc121cbe14fc69c7381c2ea14684490553fb6d9bf643078118e2675758c49efafa2327c97bbeb7c44

memory/1828-494-0x0000000000000000-mapping.dmp

C:\Windows\Web\Wallpaper\Theme2\sihost.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4784-495-0x0000000000000000-mapping.dmp

memory/4108-497-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\WYuyh03jyF.bat

MD5 9e5d7f43b4c3ab7008f5c672939d950f
SHA1 57563398a7cc6b49d8f2ace042edceb55211d5cb
SHA256 2b4f25665aec8fb6640344b482e23c2e021b62b877b5c8e9f4eb4b639aeb2d2e
SHA512 3160a5de63429251a45fb0a931ed686269ab092a2160f3fc3546cbf6cbb091115b8a7f4e4e519fb5b3007b3fa1ab7d362d7d712fe77dde3638dced47c0f7afca

memory/4140-499-0x0000000000000000-mapping.dmp

memory/448-500-0x0000000000000000-mapping.dmp

C:\Windows\Web\Wallpaper\Theme2\sihost.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/448-502-0x00000000009C0000-0x00000000009D2000-memory.dmp

memory/4512-503-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\y17QM3q8Rw.bat

MD5 7597c78ecdb1ee2d30adfec502519ccc
SHA1 136880a5573bcd732cff86480c0143a320acf792
SHA256 880d4033ee429ae39f7fb0370bcc724ef779248ce8ac6bee5a11d618ffca1656
SHA512 267d87e2aa2b8a33b6d58820353ecea86199e2ecb16e1591871d1f5d11ea8e03b25d6b73c3ec91b94364172dd70c2f0429fa9a58905ab27461ac2644c6c50adf

memory/3640-505-0x0000000000000000-mapping.dmp

memory/4732-506-0x0000000000000000-mapping.dmp

C:\Windows\Web\Wallpaper\Theme2\sihost.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4732-508-0x0000000002440000-0x0000000002452000-memory.dmp

memory/5036-509-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\EqBdbgL5Ji.bat

MD5 188d9a1e248576ee3721bfbd1938d66d
SHA1 b8cf5e08f6cde0e01a2aba2da4df9995dede536d
SHA256 202420bd8e158b9089dadfa0cce90275a07230547c07691a1f9690dfb1ec9ad1
SHA512 1d905d1d7cc55cfe65a56de1260b3e9a7bd4e60e8fe1fb0d7704c90b2b6b0b0542435d89fd10888db2c23c87491c489df181675f4f7ec3cb066892a518757a23

memory/5108-511-0x0000000000000000-mapping.dmp
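The file records above carry one point worth pulling out: C:\providercommon\DllCommonsvc.exe and C:\Windows\Web\Wallpaper\Theme2\sihost.exe have identical MD5/SHA1/SHA256/SHA512 values, so they are the same payload copied to a name that mimics the Shell Infrastructure Host that legitimately lives in C:\Windows\System32, and the report lists that sihost.exe record once per .bat drop, while every Temp\*.bat has a different hash. The script below is an added example and not code from the report or the sandbox vendor: it parses the report's own plain-text layout (a path line followed by MD5/SHA1/SHA256/SHA512 lines; "memory/<pid>-<seq>-<region>.dmp" lines are memory dumps; blank lines are ignored), groups records by SHA256 so repeated drops are counted rather than hidden, and flags any file whose name matches a System32 binary but whose path is not under System32. REPORT_EXCERPT is a constructed excerpt whose paths and hashes are copied from the records above; SYSTEM32_BINARIES and SYSTEM32_PREFIX are assumptions about a default Windows install, not something the report states.

```python
# Added example: parse this report's Files records and flag masquerading.
# Not part of the original report; REPORT_EXCERPT is a constructed excerpt
# whose paths and hashes are copied from the page's own records.
import re
from collections import defaultdict

REPORT_EXCERPT = r"""
memory/4176-283-0x0000000000000000-mapping.dmp

C:\providercommon\DllCommonsvc.exe
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\providercommon\DllCommonsvc.exe
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

memory/4176-286-0x00000000004B0000-0x00000000005C0000-memory.dmp

C:\Windows\Web\Wallpaper\Theme2\sihost.exe
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

C:\Users\Admin\AppData\Local\Temp\Pbgl9PPr7s.bat
MD5 751e9c406584a116178f7f5289d2d0af
SHA1 15db741ff20f4b09ef089e10540f1033b2160df4
SHA256 06d55fbff9d2a3acee4679b022984f5a712139f8f7879a4e0813872fd3629c8c

memory/1360-439-0x0000000000000000-mapping.dmp
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
PATH_RE = re.compile(r"^[A-Za-z]:\\")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-(.+)\.dmp$")
# Assumption: on a default install these binaries live under
# C:\Windows\System32, so a same-named file anywhere else is a masquerade.
SYSTEM32_BINARIES = {"sihost.exe", "svchost.exe"}
SYSTEM32_PREFIX = "c:\\windows\\system32\\"


def parse_report(text):
    """Return (files, dumps): file records in report order (repeats kept so
    re-drops can be counted) and (pid, seq, region) tuples for memory dumps."""
    files, dumps, current = [], [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if PATH_RE.match(line):
            current = {"path": line}
            files.append(current)
        elif (m := DUMP_RE.match(line)):
            current = None
            dumps.append((int(m.group(1)), int(m.group(2)), m.group(3)))
        elif (m := HASH_RE.match(line)) and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:  # catch truncated or garbled hashes
                raise ValueError(f"{algo} of {current['path']} has wrong length")
            current[algo] = digest
    return files, dumps


def group_by_sha256(files):
    """Map SHA256 -> {"MD5", "SHA1", "paths": {path: times_written}}."""
    groups = {}
    for rec in files:
        if "SHA256" not in rec:
            continue
        g = groups.setdefault(rec["SHA256"], {"MD5": rec.get("MD5"),
                                              "SHA1": rec.get("SHA1"),
                                              "paths": defaultdict(int)})
        g["paths"][rec["path"]] += 1
    return groups


def masquerading_paths(files):
    """Paths named like a System32 binary but located outside System32."""
    hits = []
    for path in (rec["path"] for rec in files):
        name = path.rsplit("\\", 1)[-1].lower()
        if (name in SYSTEM32_BINARIES and path not in hits
                and not path.lower().startswith(SYSTEM32_PREFIX)):
            hits.append(path)
    return hits


def dumped_pids(dumps):
    """PIDs that got a region dump, not only the process-creation mapping."""
    return sorted({pid for pid, _, region in dumps if region.endswith("-memory")})


if __name__ == "__main__":
    files, dumps = parse_report(REPORT_EXCERPT)
    for sha, g in group_by_sha256(files).items():
        print(sha, "md5=" + str(g["MD5"]))
        for path, n in g["paths"].items():
            print(f"  {path}  (written {n}x)")
    print("masquerading:", masquerading_paths(files))
    print("dumped pids:", dumped_pids(dumps))
```

Run against the full record list, the grouping collapses the repeated sihost.exe entries into one hash with a write count, which is the indicator to keep: the Temp\*.bat droppers change hash on every cycle, so hashing them yields nothing reusable, whereas the payload hash and the off-System32 sihost.exe path are stable. The length check on each digest is there because extracted reports often truncate long SHA512 values, and a truncated hash silently matches nothing.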