Malware Analysis Report

2025-08-05 17:32

Sample ID 221101-mpqa9sahf5
Target 33473ea0cb5aec66b7388943978b9cacd9f8c6843090e6ec05a22d10e96e8ef9
SHA256 33473ea0cb5aec66b7388943978b9cacd9f8c6843090e6ec05a22d10e96e8ef9
Tags
rat dcrat infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

33473ea0cb5aec66b7388943978b9cacd9f8c6843090e6ec05a22d10e96e8ef9

Threat Level: Known bad

The file 33473ea0cb5aec66b7388943978b9cacd9f8c6843090e6ec05a22d10e96e8ef9 was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

Dcrat family

Process spawned unexpected child process

DCRat payload

DcRat

DCRat payload

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-01 10:38

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-01 10:38

Reported

2022-11-01 10:41

Platform

win10-20220812-en

Max time kernel

148s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\33473ea0cb5aec66b7388943978b9cacd9f8c6843090e6ec05a22d10e96e8ef9.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe | C:\providercommon\DllCommonsvc.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files (x86)\Common Files\7a0fd90576e088 | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\6ccacd8608530f | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files (x86)\Microsoft.NET\RedistList\69ddcba757bf72 | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files\Windows Portable Devices\dllhost.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files\Windows Portable Devices\5940a34987c991 | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files (x86)\Common Files\explorer.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Idle.exe | C:\providercommon\DllCommonsvc.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Cursors\dwm.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Windows\Cursors\6cb0b6c459d5d3 | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Windows\Resources\Maps\font\services.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Windows\Resources\Maps\font\c5b4cb5e9653cc | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Windows\rescache\_merged\taskhostw.exe | C:\providercommon\DllCommonsvc.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Windows\Resources\Maps\font\services.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Windows\Resources\Maps\font\services.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\33473ea0cb5aec66b7388943978b9cacd9f8c6843090e6ec05a22d10e96e8ef9.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Windows\Resources\Maps\font\services.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Windows\Resources\Maps\font\services.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Windows\Resources\Maps\font\services.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Windows\Resources\Maps\font\services.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Windows\Resources\Maps\font\services.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\providercommon\DllCommonsvc.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Windows\Resources\Maps\font\services.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Windows\Resources\Maps\font\services.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Windows\Resources\Maps\font\services.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Windows\Resources\Maps\font\services.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Windows\Resources\Maps\font\services.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Windows\Resources\Maps\font\services.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3064 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\33473ea0cb5aec66b7388943978b9cacd9f8c6843090e6ec05a22d10e96e8ef9.exe C:\Windows\SysWOW64\WScript.exe
PID 3064 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\33473ea0cb5aec66b7388943978b9cacd9f8c6843090e6ec05a22d10e96e8ef9.exe C:\Windows\SysWOW64\WScript.exe
PID 3064 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\33473ea0cb5aec66b7388943978b9cacd9f8c6843090e6ec05a22d10e96e8ef9.exe C:\Windows\SysWOW64\WScript.exe
PID 4296 wrote to memory of 3912 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4296 wrote to memory of 3912 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4296 wrote to memory of 3912 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3912 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 3912 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 4868 wrote to memory of 2148 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4868 wrote to memory of 2148 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4868 wrote to memory of 2108 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4868 wrote to memory of 2108 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4868 wrote to memory of 1852 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4868 wrote to memory of 1852 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4868 wrote to memory of 812 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4868 wrote to memory of 812 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4868 wrote to memory of 784 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4868 wrote to memory of 784 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4868 wrote to memory of 2708 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4868 wrote to memory of 2708 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4868 wrote to memory of 2636 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4868 wrote to memory of 2636 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4868 wrote to memory of 428 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4868 wrote to memory of 428 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4868 wrote to memory of 2388 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4868 wrote to memory of 2388 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4868 wrote to memory of 3784 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4868 wrote to memory of 3784 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4868 wrote to memory of 2320 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4868 wrote to memory of 2320 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4868 wrote to memory of 4500 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4868 wrote to memory of 4500 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4868 wrote to memory of 2076 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4868 wrote to memory of 2076 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4868 wrote to memory of 3244 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4868 wrote to memory of 3244 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4868 wrote to memory of 3580 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 4868 wrote to memory of 3580 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 3580 wrote to memory of 3324 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3580 wrote to memory of 3324 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3580 wrote to memory of 780 N/A C:\Windows\System32\cmd.exe C:\Windows\Resources\Maps\font\services.exe
PID 3580 wrote to memory of 780 N/A C:\Windows\System32\cmd.exe C:\Windows\Resources\Maps\font\services.exe
PID 780 wrote to memory of 3480 N/A C:\Windows\Resources\Maps\font\services.exe C:\Windows\System32\cmd.exe
PID 780 wrote to memory of 3480 N/A C:\Windows\Resources\Maps\font\services.exe C:\Windows\System32\cmd.exe
PID 3480 wrote to memory of 3628 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3480 wrote to memory of 3628 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3480 wrote to memory of 2188 N/A C:\Windows\System32\cmd.exe C:\Windows\Resources\Maps\font\services.exe
PID 3480 wrote to memory of 2188 N/A C:\Windows\System32\cmd.exe C:\Windows\Resources\Maps\font\services.exe
PID 2188 wrote to memory of 1368 N/A C:\Windows\Resources\Maps\font\services.exe C:\Windows\System32\cmd.exe
PID 2188 wrote to memory of 1368 N/A C:\Windows\Resources\Maps\font\services.exe C:\Windows\System32\cmd.exe
PID 1368 wrote to memory of 4380 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1368 wrote to memory of 4380 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1368 wrote to memory of 4960 N/A C:\Windows\System32\cmd.exe C:\Windows\Resources\Maps\font\services.exe
PID 1368 wrote to memory of 4960 N/A C:\Windows\System32\cmd.exe C:\Windows\Resources\Maps\font\services.exe
PID 4960 wrote to memory of 4572 N/A C:\Windows\Resources\Maps\font\services.exe C:\Windows\System32\cmd.exe
PID 4960 wrote to memory of 4572 N/A C:\Windows\Resources\Maps\font\services.exe C:\Windows\System32\cmd.exe
PID 4572 wrote to memory of 4368 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4572 wrote to memory of 4368 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4572 wrote to memory of 2396 N/A C:\Windows\System32\cmd.exe C:\Windows\Resources\Maps\font\services.exe
PID 4572 wrote to memory of 2396 N/A C:\Windows\System32\cmd.exe C:\Windows\Resources\Maps\font\services.exe
PID 2396 wrote to memory of 4824 N/A C:\Windows\Resources\Maps\font\services.exe C:\Windows\System32\cmd.exe
PID 2396 wrote to memory of 4824 N/A C:\Windows\Resources\Maps\font\services.exe C:\Windows\System32\cmd.exe
PID 4824 wrote to memory of 3116 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4824 wrote to memory of 3116 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\33473ea0cb5aec66b7388943978b9cacd9f8c6843090e6ec05a22d10e96e8ef9.exe

"C:\Users\Admin\AppData\Local\Temp\33473ea0cb5aec66b7388943978b9cacd9f8c6843090e6ec05a22d10e96e8ef9.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\Resources\Maps\font\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Resources\Maps\font\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Resources\Maps\font\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\providercommon\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\providercommon\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Videos\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Videos\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Videos\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\odt\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\Cursors\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Cursors\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\Cursors\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Maps\font\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mftNZ3WrbF.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Resources\Maps\font\services.exe

"C:\Windows\Resources\Maps\font\services.exe"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GrfoiSU1wP.bat"

C:\Windows\Resources\Maps\font\services.exe

"C:\Windows\Resources\Maps\font\services.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Resources\Maps\font\services.exe

"C:\Windows\Resources\Maps\font\services.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LabqbH8bfv.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Resources\Maps\font\services.exe

"C:\Windows\Resources\Maps\font\services.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jClCs9nEU3.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Resources\Maps\font\services.exe

"C:\Windows\Resources\Maps\font\services.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TZCyxGcg3L.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Resources\Maps\font\services.exe

"C:\Windows\Resources\Maps\font\services.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4vfhrz6qhB.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Resources\Maps\font\services.exe

"C:\Windows\Resources\Maps\font\services.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Resources\Maps\font\services.exe

"C:\Windows\Resources\Maps\font\services.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dIJBhaqFKS.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Resources\Maps\font\services.exe

"C:\Windows\Resources\Maps\font\services.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p8yPRkR6MR.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Resources\Maps\font\services.exe

"C:\Windows\Resources\Maps\font\services.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XFk51gP3Gp.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Resources\Maps\font\services.exe

"C:\Windows\Resources\Maps\font\services.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hANH4lx1y1.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Resources\Maps\font\services.exe

"C:\Windows\Resources\Maps\font\services.exe"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uruRJY5g5x.bat"

C:\Windows\Resources\Maps\font\services.exe

"C:\Windows\Resources\Maps\font\services.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6x2cfOw3ED.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Resources\Maps\font\services.exe

"C:\Windows\Resources\Maps\font\services.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 20.189.173.2:443 tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp

Files

memory/3064-116-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-117-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-118-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-119-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-121-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-122-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-124-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-125-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-126-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-127-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-128-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-129-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-130-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-131-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-134-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-135-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-136-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-133-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-132-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-137-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-139-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-140-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-138-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-142-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-143-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-141-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-144-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-145-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-146-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-148-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-150-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-151-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-153-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-154-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-155-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-157-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-156-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-158-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-159-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-152-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-149-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-147-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-160-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-161-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-162-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-163-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-164-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-165-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-166-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-168-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-170-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-169-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-167-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-171-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-172-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-174-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-173-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-176-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-175-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-177-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-178-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/4296-181-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/4296-180-0x0000000000000000-mapping.dmp

memory/4296-182-0x0000000076FE0000-0x000000007716E000-memory.dmp

memory/3064-179-0x0000000076FE0000-0x000000007716E000-memory.dmp

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

memory/3912-256-0x0000000000000000-mapping.dmp

memory/4868-279-0x0000000000000000-mapping.dmp

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4868-282-0x0000000000640000-0x0000000000750000-memory.dmp

memory/4868-283-0x0000000000ED0000-0x0000000000EE2000-memory.dmp

memory/4868-284-0x0000000000EE0000-0x0000000000EEC000-memory.dmp

memory/4868-285-0x0000000000EF0000-0x0000000000EFC000-memory.dmp

memory/4868-286-0x0000000000F00000-0x0000000000F0C000-memory.dmp

memory/2148-287-0x0000000000000000-mapping.dmp

memory/812-290-0x0000000000000000-mapping.dmp

memory/1852-289-0x0000000000000000-mapping.dmp

memory/2108-288-0x0000000000000000-mapping.dmp

memory/784-291-0x0000000000000000-mapping.dmp

memory/2636-293-0x0000000000000000-mapping.dmp

memory/2708-292-0x0000000000000000-mapping.dmp

memory/428-294-0x0000000000000000-mapping.dmp

memory/2320-298-0x0000000000000000-mapping.dmp

memory/3784-296-0x0000000000000000-mapping.dmp

memory/2388-295-0x0000000000000000-mapping.dmp

memory/3244-307-0x0000000000000000-mapping.dmp

memory/2076-305-0x0000000000000000-mapping.dmp

memory/4500-300-0x0000000000000000-mapping.dmp

memory/2108-353-0x000002AF47020000-0x000002AF47042000-memory.dmp

memory/2108-361-0x000002AF47210000-0x000002AF47286000-memory.dmp

memory/3580-365-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\mftNZ3WrbF.bat

MD5 c7b94de1d801ec9e81a054e5765a3f0d
SHA1 0010741fecfd25825084d0a354f4a94e144349b8
SHA256 751f43ffc2415e7ca4f1854e18a2baf033f2ea58031a8ba750594e14c247ec02
SHA512 108ed7e48b1ed01f659a93ff456455849d2362f01355bc35fef96b5558514b9fec3aed653a8df88d2cb04912516fbe225616eab3a4ca2a0f7f855a4510838cb9

memory/3324-417-0x0000000000000000-mapping.dmp

C:\Windows\Resources\Maps\font\services.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Windows\Resources\Maps\font\services.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/780-682-0x0000000000000000-mapping.dmp

memory/780-699-0x00000000008A0000-0x00000000008B2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ad5cd538ca58cb28ede39c108acb5785
SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 882942a81cb291b68e08ccef00457f7b
SHA1 654cb307f350c2649158828c3a4e6109d07ad711
SHA256 2b94abb0dab627b79a0bad337876118f5198346175c6e4cee441442c78150479
SHA512 74aa632e67135ee285e0f985d93da9b127b92e133cc51ff53895d810cc9c30ac2dd0c12f903f8d13b83c900fccc51af74368faf7d3e2d8e165bfff5d16060e44

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7b309ee2005ac3bfe743a84f15c85ef9
SHA1 4d069ce352abe066896b0ad7e4a896da1cebaf98
SHA256 e8e550a75b8d03d87bd9b99c59db43b9c0e83becffc4c6b03427148e7afd509c
SHA512 0f5d002130d03735f7215895c1ae5d14fc027dcf8aa0a15b158e2c172a200d9886937b4329aba079c9f4a05ffe76104d33108b4743deaa281123481d0a2319d8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7b309ee2005ac3bfe743a84f15c85ef9
SHA1 4d069ce352abe066896b0ad7e4a896da1cebaf98
SHA256 e8e550a75b8d03d87bd9b99c59db43b9c0e83becffc4c6b03427148e7afd509c
SHA512 0f5d002130d03735f7215895c1ae5d14fc027dcf8aa0a15b158e2c172a200d9886937b4329aba079c9f4a05ffe76104d33108b4743deaa281123481d0a2319d8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 81e014853763e4dc4c97825c1f7f7033
SHA1 4f2c52c647b536dbeaa6a2acfc8f4ae93e3cc3c6
SHA256 a0feba5c6030cd830ea35568951d785815198a91493558462bbf02469ed0176f
SHA512 abd748b02306de935e392c27eb02c1d3a099dc6d8e578b50c84e62ef84b23af490dd9760408eafd8bd0bf3dc9313566cfc0dfb6dc92696030e7411d890563517

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a9ed7a1e8c9d3ee26fbb7c309f96c73c
SHA1 af01799ba56d245dac47f0315ceb042a20b50e01
SHA256 ebdcdfca32e6b9be979ad92e7f98560bbbcde3c484748bdb117c8543cacf00a5
SHA512 8b4b77ae926908c57c37ffd22334f91db079724025dc8ca88f9c71977dbfe626933e88fcd6ba2b42df688881f710378b86cc75718e8c9861a82b8f5ac54f3f5f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a9ed7a1e8c9d3ee26fbb7c309f96c73c
SHA1 af01799ba56d245dac47f0315ceb042a20b50e01
SHA256 ebdcdfca32e6b9be979ad92e7f98560bbbcde3c484748bdb117c8543cacf00a5
SHA512 8b4b77ae926908c57c37ffd22334f91db079724025dc8ca88f9c71977dbfe626933e88fcd6ba2b42df688881f710378b86cc75718e8c9861a82b8f5ac54f3f5f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f57b73efbb60154b26af589eaccdd892
SHA1 f258580fad36acf26688934bbddec40c155e40f2
SHA256 de10e1a92d9d0e0457b4a070fbeaf34282c4e51d68f2bb3167bf62d3fa00dd22
SHA512 9db06c69c661e57414efa28d2886465a48eca1f581ea8676e8c8b2ff2cc07d56be490dbe787bb65449eb2b335e7c53bf5b8e54db93b21ca478244def423462c1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 81e014853763e4dc4c97825c1f7f7033
SHA1 4f2c52c647b536dbeaa6a2acfc8f4ae93e3cc3c6
SHA256 a0feba5c6030cd830ea35568951d785815198a91493558462bbf02469ed0176f
SHA512 abd748b02306de935e392c27eb02c1d3a099dc6d8e578b50c84e62ef84b23af490dd9760408eafd8bd0bf3dc9313566cfc0dfb6dc92696030e7411d890563517

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ab51c32729e135f689b2e3fb0e0894f9
SHA1 bfe3f3d615793eaa66d5837b348cb63399d52726
SHA256 090d59261898c70afe96d74592953f3f5d492c50c780eb120e6c813054e19130
SHA512 307e7bc41f521db8dbb6d7ad53dcd4d16a3454ce63b9128652f20b5ceb0f59b4d721081da6e9e383f091341e038b6d86ae10e7f8bf456cfc27f0628b42941596

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ab51c32729e135f689b2e3fb0e0894f9
SHA1 bfe3f3d615793eaa66d5837b348cb63399d52726
SHA256 090d59261898c70afe96d74592953f3f5d492c50c780eb120e6c813054e19130
SHA512 307e7bc41f521db8dbb6d7ad53dcd4d16a3454ce63b9128652f20b5ceb0f59b4d721081da6e9e383f091341e038b6d86ae10e7f8bf456cfc27f0628b42941596

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 882942a81cb291b68e08ccef00457f7b
SHA1 654cb307f350c2649158828c3a4e6109d07ad711
SHA256 2b94abb0dab627b79a0bad337876118f5198346175c6e4cee441442c78150479
SHA512 74aa632e67135ee285e0f985d93da9b127b92e133cc51ff53895d810cc9c30ac2dd0c12f903f8d13b83c900fccc51af74368faf7d3e2d8e165bfff5d16060e44

memory/3628-753-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\GrfoiSU1wP.bat

MD5 6ad5ce5542450f5f3cf6b20b9b3a06ca
SHA1 3ce2d6f72b5eab6480160c7ba68bcb020336ffad
SHA256 138d1c15df8ff4d333b54c7affc5f57f49ba050e9838e58c2b91fed61cbb649a
SHA512 5ae9ff4083e9a4c1a3f89baf954de3a4d6cf52fb35140583f041ec84b24d51b1ccb439d1c9b0697e2e0717d97401fea4d4a2e67915c1f4c43566965e3b29574c

memory/3480-751-0x0000000000000000-mapping.dmp

memory/2188-754-0x0000000000000000-mapping.dmp

C:\Windows\Resources\Maps\font\services.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log

MD5 d63ff49d7c92016feb39812e4db10419
SHA1 2307d5e35ca9864ffefc93acf8573ea995ba189b
SHA256 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12
SHA512 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

memory/1368-757-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat

MD5 8bda044dbb8a43431283ff4ec741cea1
SHA1 3383299bc3e27dd8dd4ef2ac97eb52e55c315d54
SHA256 b62cf77f10ff514613892059352284df14709c3718def739eef9ddd4dbf166c5
SHA512 a486ad4ae2ed8115b00a7272ffc1835c2a80b48e1d84d1e856d85175de73e15e9c73cda6bb19349b9ea8af5b5ec23131c25ada07a371e22053ffc06c9f983f38

memory/4380-759-0x0000000000000000-mapping.dmp

memory/4960-760-0x0000000000000000-mapping.dmp

C:\Windows\Resources\Maps\font\services.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4572-762-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\LabqbH8bfv.bat

MD5 7a1e2c0ff8d90f444af2b7339f0ec48e
SHA1 e582a533f4fe7b9d4599d4ca582e3760f8f2f72e
SHA256 fd324733b076dfaf685c8ff2b8063e3148846b36dae5b54f622765e31d0cb978
SHA512 70afcd0bf2c25d25e1a16e34386b36bb83f6d02ca3721f98fc8597cdcb61dd1685f5c5b51a06dcdb6ab508624ec745debb7bf694498d513e3ab287fb9638eca6

memory/4368-764-0x0000000000000000-mapping.dmp

C:\Windows\Resources\Maps\font\services.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/2396-765-0x0000000000000000-mapping.dmp

memory/2396-767-0x0000000000DE0000-0x0000000000DF2000-memory.dmp

memory/4824-768-0x0000000000000000-mapping.dmp

memory/3116-770-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\jClCs9nEU3.bat

MD5 cb0410ffad04a3dd96a35fef2ab0d097
SHA1 da934750b0b640a5d56daf30aa6e136ef1a620f6
SHA256 40f270cb327b13a1de4b0ff08cbe3800fd46136a31ef58796a16f0f12e870ee6
SHA512 76d6ea5f5bee41b15daecadf279541b6cac6376da3b5393a7dbe5184797bf50053fe055f37551dd65bbe248d21ad54b41073f483557579b11ba64339c59ff8ba

C:\Windows\Resources\Maps\font\services.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4244-771-0x0000000000000000-mapping.dmp

memory/4448-773-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\TZCyxGcg3L.bat

MD5 69810fb43d328d2a47788a29f0c7ea1f
SHA1 79cdc1a93dbabd6b6fa48f2b4ff79d4b09d1c528
SHA256 dffb09c7a6a3673c141e73f85ebfc6a4dcb0ccce74f65ff49dd2c7e777caaec4
SHA512 c3501bcb679f58f0eec5b8421afeaba06855df8ad8ca19ae5d11b8360bf545b3934571b205b2a4be2e8c847d696e06e54e1533ced90867a31bc95ddbe96b390a

memory/5100-775-0x0000000000000000-mapping.dmp

memory/4876-776-0x0000000000000000-mapping.dmp

C:\Windows\Resources\Maps\font\services.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4876-778-0x00000000007D0000-0x00000000007E2000-memory.dmp

memory/4808-779-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\4vfhrz6qhB.bat

MD5 ea0a095b68a30009b08b58b75c976afd
SHA1 f6ec9b505b9f3c55f7abca24f2028bafeaa0a701
SHA256 04e81ad3f4dd2748c0fe29d3360579fc0bbaa2883d37eb570c9a0b938bdb071c
SHA512 8732c20422723ff86e9748599f1f127feb45ad1954b9a1363553e303c8fbc71805d754eb15fec6871ba78b4da20ff9bbe8dc823725f1c2f8da0549afd79ecb22

memory/2704-781-0x0000000000000000-mapping.dmp

memory/4248-782-0x0000000000000000-mapping.dmp

C:\Windows\Resources\Maps\font\services.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/3032-784-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat

MD5 56e4518bc6a48002ab756291640a322e
SHA1 a0f95428e1baced6ca084fb2716845b65f75f5be
SHA256 8ecb7ad08212b379c8f900203bc54b5e3d5562ce53655deaa02295e2b1bb80d6
SHA512 d22dfeff13760d8ab31d096786d6ce43cd74cf240d181464bf8d3b4c5fd987c03aeccbc97bf84f637ae3c76289719e374901a35bd64f2aeff38ad63121b65751

memory/3788-786-0x0000000000000000-mapping.dmp

memory/4780-787-0x0000000000000000-mapping.dmp

C:\Windows\Resources\Maps\font\services.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4780-789-0x00000000015F0000-0x0000000001602000-memory.dmp

memory/936-790-0x0000000000000000-mapping.dmp

memory/1236-792-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\dIJBhaqFKS.bat

MD5 b145283042566f4c6d25c21e39fd91fe
SHA1 4d8569c8552d9c4e913cd1e8bd6b4c313d242bf3
SHA256 808b2ca14a64a0806818dcd6979d70cef811151d6a2042c13af5da2167685025
SHA512 705d912e42ed20398190dc6bb13bd13525ea3076ba85087ad561332b3c638ea623a000a6563961fffc0040a325ba54bbab91ea6d85177c00f6af3f5c706ff383

memory/1864-793-0x0000000000000000-mapping.dmp

C:\Windows\Resources\Maps\font\services.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/3400-795-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\p8yPRkR6MR.bat

MD5 0d45e7acce0109888cf245b7f5a9bbc8
SHA1 a0abcfa2fb59807be06136ae95b445046860ff0d
SHA256 385d96851f0f07de5d6a82e668c7ca84a7fa9ab51bc8fad8b3bfc7b863a9b667
SHA512 246112f7cda3ce28bf2a6213772c7f4718e073f6e83c9bf1f89a9a30a8eacc2885704628aba6e5cd65b231afca6c9a8781c8f8705996df1ab7a9430dae10dd28

memory/4736-797-0x0000000000000000-mapping.dmp

memory/3648-798-0x0000000000000000-mapping.dmp

C:\Windows\Resources\Maps\font\services.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4068-800-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\XFk51gP3Gp.bat

MD5 c9a5fced6bfa2d6775976569b458b9d9
SHA1 83362d4fcc507fa715ac6ae10a30be0c72f9a5a2
SHA256 3d12f24c6cca4ef57738a40519ba95b2df677c07f53285bb77e8f598937e2823
SHA512 8bd3ef15c38597055ac229aca59fe211188161bc5df1e3a28326882a4dd37bc93ea8a8914b9bc6ea53c271edb3ef156bb645d7c1a9b59bfbafeab81a1567a70a

memory/4896-802-0x0000000000000000-mapping.dmp

memory/3732-803-0x0000000000000000-mapping.dmp

C:\Windows\Resources\Maps\font\services.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/3732-805-0x0000000000FF0000-0x0000000001002000-memory.dmp

memory/4956-806-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\hANH4lx1y1.bat

MD5 45ae6ceb150843934bce08ffc16b2000
SHA1 be067b3be757c1ecc66b4acfe98e030613dc52f0
SHA256 368c6c38ee1a16a6db56c20a7d5a695bf2072bcf5a3dc5ebb52216462d7fcb2a
SHA512 b77076c6ab897a40e26ef2e11dcafb793bf66e2eec7549f34d1807c873cc4f2194f51aa58fbc248848723511c21c48deae32c82da3dc8ad06690123777bdb738

memory/2148-808-0x0000000000000000-mapping.dmp

C:\Windows\Resources\Maps\font\services.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4740-809-0x0000000000000000-mapping.dmp

memory/4740-811-0x0000000001070000-0x0000000001082000-memory.dmp

memory/3384-812-0x0000000000000000-mapping.dmp

memory/3908-814-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\uruRJY5g5x.bat

MD5 361780c4ca74a284d718f65b9f94e971
SHA1 d8b28381c51ac7656577e205f1b49b434ff9404f
SHA256 4d985076977d2099de24d396263248be3a6843df11d61c1a599201a67cbcffcd
SHA512 a4f64c1fe20804950363e0030366f939a02e919b8306aea617ba554a00be5ec93c3c8091bc2e222e1a9be4277f7c8da7d7e083e35f73a4c344b8ffa4cf04f873

memory/2116-815-0x0000000000000000-mapping.dmp

C:\Windows\Resources\Maps\font\services.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4800-817-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\6x2cfOw3ED.bat

MD5 862773261cba9a05cdafe29331f1da62
SHA1 6e95507aed1ab9d8378886284a03af3385007dcc
SHA256 0f38626ad11000e2c2b9984f9259fc09caf26adf9bef26480ba323e3660fda5b
SHA512 41398fd8ea84eb015411458fa3dce9ed52e4f32a3fd8d83bb0a38e595d0e7701a44f9d49d849d663ac0d0de1d586431408cd99f979acbab7af4fc2ef02e4aae9

memory/2108-819-0x0000000000000000-mapping.dmp

memory/1564-820-0x0000000000000000-mapping.dmp

C:\Windows\Resources\Maps\font\services.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
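Two things about this listing matter to a responder: the same `services.exe` (identical MD5/SHA1/SHA256/SHA512) is recorded many times because the sample rewrites it on each relaunch, so it is one indicator, not a dozen; and the drop path mimics the name of the legitimate `C:\Windows\System32\services.exe` while living under `C:\Windows\Resources\Maps\font\`, so a hunt must match on hash and on the unexpected directory rather than on the file name alone. The following script is an added example, not part of the report or of any sandbox vendor's tooling: it parses the flattened listing above into IOC records, collapses the repeated drops, pulls the PIDs that have memory dumps, and sweeps a directory by SHA256. The line layout it assumes (a drive-letter path, then `MD5 ...`/`SHA1 ...` lines, then `memory/<pid>-<n>-...dmp` references) is an inference from this page, and `SAMPLE_LISTING` is a constructed excerpt of entries taken from it.

```python
"""Turn the dropped-file listing of a Triage-style sandbox report into IOC
records and hunt for them on disk. Added example, not part of the report.
SAMPLE_LISTING is a constructed excerpt of entries from this page; the layout
the parser assumes (path line, hash lines, memory/... dump references) is an
inference from the page, not a documented format."""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field

SAMPLE_LISTING = """\
C:\\Windows\\Resources\\Maps\\font\\services.exe
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
memory/4780-789-0x00000000015F0000-0x0000000001602000-memory.dmp
memory/936-790-0x0000000000000000-mapping.dmp
C:\\Users\\Admin\\AppData\\Local\\Temp\\dIJBhaqFKS.bat
MD5 b145283042566f4c6d25c21e39fd91fe
SHA1 4d8569c8552d9c4e913cd1e8bd6b4c313d242bf3
SHA256 808b2ca14a64a0806818dcd6979d70cef811151d6a2042c13af5da2167685025
C:\\Windows\\Resources\\Maps\\font\\services.exe
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
PATH_RE = re.compile(r"^[A-Za-z]:\\")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9A-Fa-f]+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x[0-9A-Fa-f]+(?:-0x[0-9A-Fa-f]+)?-(mapping|memory)\.dmp$")


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)


def parse_listing(text):
    """Return (files, dumps): DroppedFile records in report order, and
    (pid, sequence, kind) tuples for every memory dump reference."""
    files, dumps, current = [], [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if PATH_RE.match(line):
            current = DroppedFile(path=line)
            files.append(current)
        elif (m := HASH_RE.match(line)) and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:  # catch truncated or garbled hashes
                raise ValueError(f"{algo} for {current.path} has {len(digest)} hex chars")
            current.hashes[algo] = digest
        elif m := DUMP_RE.match(line):
            dumps.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return files, dumps


def unique_by_sha256(files):
    """The same binary dropped to the same path many times is one IOC."""
    seen = {}
    for f in files:
        seen.setdefault(f.hashes.get("SHA256"), f)
    return [f for digest, f in seen.items() if digest]


def masquerades_system_binary(path):
    """services.exe legitimately lives only in C:\\Windows\\System32; the copy
    under C:\\Windows\\Resources\\... is this report's persistence artifact.
    The name set is deliberately limited to what this report shows."""
    parent, _, name = path.replace("/", "\\").rpartition("\\")
    return name.lower() in {"services.exe"} and parent.lower() != r"c:\windows\system32"


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs):
    """Hash every regular file under root and return (found_path, reported_path)
    for each one whose SHA256 matches an IOC. Match on hash, not on name."""
    wanted = {f.hashes["SHA256"]: f.path for f in iocs if "SHA256" in f.hashes}
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                digest = sha256_of(full)
            except OSError:  # locked or unreadable file: skip it, do not abort the sweep
                continue
            if digest in wanted:
                hits.append((full, wanted[digest]))
    return hits


def demo_sweep():
    """Stage a constructed stand-in file and confirm sweep() finds it by its own
    hash (the report's real hashes cannot be reproduced without the samples)."""
    with tempfile.TemporaryDirectory() as root:
        staged = os.path.join(root, "font", "services.exe")
        os.makedirs(os.path.dirname(staged))
        with open(staged, "wb") as fh:
            fh.write(b"constructed stand-in, not the real dropper\n")
        ioc = DroppedFile("C:\\Windows\\Resources\\Maps\\font\\services.exe",
                          {"SHA256": sha256_of(staged)})
        return sweep(root, [ioc])


if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE_LISTING)
    for f in unique_by_sha256(files):
        flag = " (masquerades as a system binary)" if masquerades_system_binary(f.path) else ""
        print(f.path, f.hashes["SHA256"], flag)
    print("pids with memory dumps:", sorted({pid for pid, _, _ in dumps}))
    print("demo sweep hits:", demo_sweep())
```

Run it against the full report text instead of `SAMPLE_LISTING` to get the complete deduplicated IOC set; pointing `sweep()` at `C:\Windows\Resources` and `%TEMP%` on a suspect host covers the two locations this report shows the sample writing to. The length check in `parse_listing` is there because hash listings copied out of web reports are frequently truncated, and a short digest silently matches nothing.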