Malware Analysis Report

2025-08-05 17:32

Sample ID 221101-mpybwaahf6
Target 8f5c1de13d9fd0470c68ea327fd5f8dd7861357c8b39ca328ffb43b30a332995
SHA256 8f5c1de13d9fd0470c68ea327fd5f8dd7861357c8b39ca328ffb43b30a332995
Tags
dcrat infostealer rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8f5c1de13d9fd0470c68ea327fd5f8dd7861357c8b39ca328ffb43b30a332995

Threat Level: Known bad

The file 8f5c1de13d9fd0470c68ea327fd5f8dd7861357c8b39ca328ffb43b30a332995 was found to be: Known bad.

Malicious Activity Summary

dcrat infostealer rat

DCRat payload

Dcrat family

DcRat

Process spawned unexpected child process

DCRat payload

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Enumerates physical storage devices

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-01 10:39

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-01 10:39

Reported

2022-11-01 10:41

Platform

win10-20220812-en

Max time kernel

144s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8f5c1de13d9fd0470c68ea327fd5f8dd7861357c8b39ca328ffb43b30a332995.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Windows Media Player\Visualizations\c5b4cb5e9653cc | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | C:\providercommon\DllCommonsvc.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\providercommon\DllCommonsvc.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\8f5c1de13d9fd0470c68ea327fd5f8dd7861357c8b39ca328ffb43b30a332995.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\providercommon\DllCommonsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4220 wrote to memory of 4304 | N/A | C:\Users\Admin\AppData\Local\Temp\8f5c1de13d9fd0470c68ea327fd5f8dd7861357c8b39ca328ffb43b30a332995.exe | C:\Windows\SysWOW64\WScript.exe
PID 4220 wrote to memory of 4304 | N/A | C:\Users\Admin\AppData\Local\Temp\8f5c1de13d9fd0470c68ea327fd5f8dd7861357c8b39ca328ffb43b30a332995.exe | C:\Windows\SysWOW64\WScript.exe
PID 4220 wrote to memory of 4304 | N/A | C:\Users\Admin\AppData\Local\Temp\8f5c1de13d9fd0470c68ea327fd5f8dd7861357c8b39ca328ffb43b30a332995.exe | C:\Windows\SysWOW64\WScript.exe
PID 4304 wrote to memory of 4608 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 4304 wrote to memory of 4608 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 4304 wrote to memory of 4608 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 4608 wrote to memory of 3272 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\providercommon\DllCommonsvc.exe
PID 4608 wrote to memory of 3272 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\providercommon\DllCommonsvc.exe
PID 3272 wrote to memory of 1184 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3272 wrote to memory of 1184 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3272 wrote to memory of 884 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3272 wrote to memory of 884 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3272 wrote to memory of 808 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3272 wrote to memory of 808 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3272 wrote to memory of 1352 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3272 wrote to memory of 1352 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3272 wrote to memory of 1584 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3272 wrote to memory of 1584 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3272 wrote to memory of 1700 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\cmd.exe
PID 3272 wrote to memory of 1700 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\cmd.exe
PID 1700 wrote to memory of 2096 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1700 wrote to memory of 2096 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1700 wrote to memory of 664 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe
PID 1700 wrote to memory of 664 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe
PID 664 wrote to memory of 1484 | N/A | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | C:\Windows\System32\cmd.exe
PID 664 wrote to memory of 1484 | N/A | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | C:\Windows\System32\cmd.exe
PID 1484 wrote to memory of 2616 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1484 wrote to memory of 2616 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1484 wrote to memory of 4144 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe
PID 1484 wrote to memory of 4144 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe
PID 4144 wrote to memory of 5040 | N/A | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | C:\Windows\System32\cmd.exe
PID 4144 wrote to memory of 5040 | N/A | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | C:\Windows\System32\cmd.exe
PID 5040 wrote to memory of 1256 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 5040 wrote to memory of 1256 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 5040 wrote to memory of 3888 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe
PID 5040 wrote to memory of 3888 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe
PID 3888 wrote to memory of 4704 | N/A | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | C:\Windows\System32\cmd.exe
PID 3888 wrote to memory of 4704 | N/A | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | C:\Windows\System32\cmd.exe
PID 4704 wrote to memory of 4560 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 4704 wrote to memory of 4560 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 4704 wrote to memory of 2176 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe
PID 4704 wrote to memory of 2176 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe
PID 2176 wrote to memory of 3416 | N/A | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | C:\Windows\System32\cmd.exe
PID 2176 wrote to memory of 3416 | N/A | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | C:\Windows\System32\cmd.exe
PID 3416 wrote to memory of 4232 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 3416 wrote to memory of 4232 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 3416 wrote to memory of 2768 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe
PID 3416 wrote to memory of 2768 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe
PID 2768 wrote to memory of 1512 | N/A | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | C:\Windows\System32\cmd.exe
PID 2768 wrote to memory of 1512 | N/A | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | C:\Windows\System32\cmd.exe
PID 1512 wrote to memory of 3920 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1512 wrote to memory of 3920 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1512 wrote to memory of 5012 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe
PID 1512 wrote to memory of 5012 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe
PID 5012 wrote to memory of 4020 | N/A | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | C:\Windows\System32\cmd.exe
PID 5012 wrote to memory of 4020 | N/A | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | C:\Windows\System32\cmd.exe
PID 4020 wrote to memory of 4988 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 4020 wrote to memory of 4988 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 4020 wrote to memory of 2300 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe
PID 4020 wrote to memory of 2300 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe
PID 2300 wrote to memory of 4056 | N/A | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | C:\Windows\System32\cmd.exe
PID 2300 wrote to memory of 4056 | N/A | C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe | C:\Windows\System32\cmd.exe
PID 4056 wrote to memory of 4792 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 4056 wrote to memory of 4792 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8f5c1de13d9fd0470c68ea327fd5f8dd7861357c8b39ca328ffb43b30a332995.exe

"C:\Users\Admin\AppData\Local\Temp\8f5c1de13d9fd0470c68ea327fd5f8dd7861357c8b39ca328ffb43b30a332995.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\odt\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\odt\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\odt\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\odt\services.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\cmd.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jfcXHB472f.bat"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe

"C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NjKeWzk8OD.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe

"C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4yEObGBIDe.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe

"C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RjWoOVK6wo.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe

"C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uOEGMIRuqZ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe

"C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TmtjCtAJTq.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe

"C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\76lQa6YaxV.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe

"C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1CKPPXbanu.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe

"C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VbZulfStaN.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe

"C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gN51JOWfNX.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe

"C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\A1nTHBcTHH.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe

"C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe

"C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQe7zIwqSA.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe

"C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | raw.githubusercontent.com | udp
US | 185.199.108.133:443 | raw.githubusercontent.com | tcp
US | 185.199.108.133:443 | raw.githubusercontent.com | tcp
US | 185.199.108.133:443 | raw.githubusercontent.com | tcp
US | 185.199.108.133:443 | raw.githubusercontent.com | tcp
US | 185.199.108.133:443 | raw.githubusercontent.com | tcp
US | 185.199.108.133:443 | raw.githubusercontent.com | tcp
US | 185.199.108.133:443 | raw.githubusercontent.com | tcp
US | 185.199.108.133:443 | raw.githubusercontent.com | tcp
US | 185.199.108.133:443 | raw.githubusercontent.com | tcp
US | 185.199.108.133:443 | raw.githubusercontent.com | tcp
US | 185.199.108.133:443 | raw.githubusercontent.com | tcp
US | 185.199.108.133:443 | raw.githubusercontent.com | tcp

Files

memory/4220-116-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-118-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-117-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-119-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-121-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-122-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-124-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-126-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-125-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-127-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-129-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-128-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-130-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-131-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-132-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-133-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-134-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-135-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-136-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-137-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-138-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-140-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-139-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-141-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-144-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-145-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-143-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-147-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-146-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-142-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-148-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-149-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-150-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-151-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-153-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-152-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-154-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-155-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-156-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-157-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-159-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-158-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-160-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-161-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-162-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-163-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-164-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-165-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-167-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-169-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-170-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-168-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-166-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-171-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-172-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-173-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-174-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-175-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-176-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-177-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-178-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4220-179-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4304-181-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

memory/4304-180-0x0000000000000000-mapping.dmp

memory/4304-182-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

memory/4608-256-0x0000000000000000-mapping.dmp

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/3272-282-0x00000000009B0000-0x0000000000AC0000-memory.dmp

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/3272-279-0x0000000000000000-mapping.dmp

memory/3272-283-0x0000000000FD0000-0x0000000000FE2000-memory.dmp

memory/3272-285-0x0000000000FF0000-0x0000000000FFC000-memory.dmp

memory/3272-284-0x0000000002AF0000-0x0000000002AFC000-memory.dmp

memory/3272-286-0x0000000002AE0000-0x0000000002AEC000-memory.dmp

memory/1584-291-0x0000000000000000-mapping.dmp

memory/1352-290-0x0000000000000000-mapping.dmp

memory/808-289-0x0000000000000000-mapping.dmp

memory/884-288-0x0000000000000000-mapping.dmp

memory/1700-312-0x0000000000000000-mapping.dmp

memory/884-313-0x0000029EB9160000-0x0000029EB9182000-memory.dmp

memory/1184-287-0x0000000000000000-mapping.dmp

memory/1184-320-0x0000020DF2560000-0x0000020DF25D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jfcXHB472f.bat

MD5 f26a32375e91f32910ca68f1df36e49e
SHA1 3b06fe796af2882d004e52dc97a69382a8e0e3ab
SHA256 3bd7621ca41e937aa1121693311afc02d882729dc670665a5acb18e7d6365d4c
SHA512 d9b360a4a08732788f2d8d35001bc4b09194e7c7f030a4e89eb810472809560a16eb2070c1e837d701f61c2d4c10a5cc18a4f4c9649f2c95480d8f0372463eca

memory/2096-343-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f48be18585c7baf54425ab0a36d45cab
SHA1 8c7bae02363b7abc78aa00f0d5b17c18cf0b9e48
SHA256 17de4ceb4fa26e2e132f32befe8e427fefc9037c42e18be06c435f7f405d16de
SHA512 96db0983ec6a08ec79225ff9e89fc1919358d37ae7f8177a11ee93611057b92ccb7249b9dcd16e5687d090fabaf281ccb681873a77fc7e5e0eb78db9739c07ef

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ad5cd538ca58cb28ede39c108acb5785
SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f48be18585c7baf54425ab0a36d45cab
SHA1 8c7bae02363b7abc78aa00f0d5b17c18cf0b9e48
SHA256 17de4ceb4fa26e2e132f32befe8e427fefc9037c42e18be06c435f7f405d16de
SHA512 96db0983ec6a08ec79225ff9e89fc1919358d37ae7f8177a11ee93611057b92ccb7249b9dcd16e5687d090fabaf281ccb681873a77fc7e5e0eb78db9739c07ef

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f48be18585c7baf54425ab0a36d45cab
SHA1 8c7bae02363b7abc78aa00f0d5b17c18cf0b9e48
SHA256 17de4ceb4fa26e2e132f32befe8e427fefc9037c42e18be06c435f7f405d16de
SHA512 96db0983ec6a08ec79225ff9e89fc1919358d37ae7f8177a11ee93611057b92ccb7249b9dcd16e5687d090fabaf281ccb681873a77fc7e5e0eb78db9739c07ef

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ee60928339a4ced137c119eba3ca7aa6
SHA1 c005c4c04fc95da58e044715e01b62b018ef4460
SHA256 4b9b33b9027c348912e3346f8074a8cc1ec3fd40343275f4df3749dfe5425a5b
SHA512 431b941ba13408cb517d3b3cc58252a2db2193e1bb02fcafed3110102228380b6677c111725a63f9da2bee7ffd7b3d8db0aff073a479c102036b7a1560e25691

memory/664-466-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/664-469-0x0000000000590000-0x00000000005A2000-memory.dmp

memory/1484-470-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\NjKeWzk8OD.bat

MD5 5a9ede7e5db66951759447dc8d375c4b
SHA1 28a81d580cd30330389446d1a16beab5ecda9a7f
SHA256 1582f659e70035ae772c11e49578e8196c97ff6a1083dc3483a2ef343c38a4b4
SHA512 60b4240920c2a5acac026b337248c6dfd690ea50367d8cb2e1c8996b55b4edd38d09147372e61588c012a5339dd9d0a82c8faf4c41a7972035d2ffd8d7099591

memory/2616-472-0x0000000000000000-mapping.dmp

memory/4144-473-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log

MD5 d63ff49d7c92016feb39812e4db10419
SHA1 2307d5e35ca9864ffefc93acf8573ea995ba189b
SHA256 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12
SHA512 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

memory/4144-476-0x0000000001740000-0x0000000001752000-memory.dmp

memory/5040-477-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\4yEObGBIDe.bat

MD5 d4c370d4f45c2cae6182f5b7d1f14665
SHA1 85bb10d51dd6cc683dee42f8e9074321024f2a1b
SHA256 40b7b51f646219dc78f911ff900b1d8ca16313fbe2d4759db96956b45fb5b5be
SHA512 d4ae7b998640135b7f8a2ab2497695b9441499aed3aa464849546aafd5b80764ea4e54f4737de527417139f8f207d945b7a29aff1a82badd38dcb726a7aa7605

memory/1256-479-0x0000000000000000-mapping.dmp

memory/3888-480-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/3888-482-0x0000000000BD0000-0x0000000000BE2000-memory.dmp

memory/4704-483-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RjWoOVK6wo.bat

MD5 ddc157e60ac04d65b2d8d12205493ea6
SHA1 ba9ac09fea1bab53397c6744f83a4a963be44c84
SHA256 c2e5fbcd3e5857d16efb23f643cc7beed5aacc5251dd4c9e5f6e589c858a4648
SHA512 770eea5ca5294c6972a2278525869e6f82abb2180b280b92aeec180a2562833e43b66a95ca68c6f9abaeaada244f2f349fd2e1e950e2d1fe7beff411310383f3

memory/4560-485-0x0000000000000000-mapping.dmp

memory/2176-486-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/3416-488-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\uOEGMIRuqZ.bat

MD5 e1a47ecd4af58cc8f5c45bde4c715f78
SHA1 58746beca92fb541bff0aa69c4160e7c037aa7ca
SHA256 79c6c2eff89a26d652253a25f931086bc20785ffd38739c09c888ba4d0d11871
SHA512 fbaa5e1d1e7bd53a17c1506f300e8bf9d13e7fa3a1b3716816bade65ce4fb099f81ba773d47f172b20095b32cc317710fe372f3e985cf66c6b2130c9d869623d

memory/4232-490-0x0000000000000000-mapping.dmp

memory/2768-491-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/2768-493-0x0000000001140000-0x0000000001152000-memory.dmp

memory/1512-494-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\TmtjCtAJTq.bat

MD5 2e8ec5ec9c8854b4326cb373dd99d68d
SHA1 af0f145ae34c6811f5d305ae565de95f728df378
SHA256 ee4d24f7e87d9267be1cf63a9a0c63e53e910afa6a15979cf6a51cb857106160
SHA512 3960f4e4520f7f1ab45c6c8a8f446f3f3159ce668df18b293a8e6ff06d68b28497395ea8fa0a8c3a89c53d4fda2ad22a89857b9c8aea018362373ed1dbfb06e9

memory/3920-496-0x0000000000000000-mapping.dmp

memory/5012-497-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/5012-499-0x00000000011F0000-0x0000000001202000-memory.dmp

memory/4020-500-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\76lQa6YaxV.bat

MD5 97b467ad0ad42aadafbec20f74306885
SHA1 6e95f885ac91b99bc4507d7f77499484c134e1d5
SHA256 b1e960663e77a8943f5d6368917114185a9857ef464ce86ca9d68ac5d3c98c71
SHA512 fcceea1ccdcf0072830a758b27aeac3d547189338e8ee10fdcc5da1d2e05747e02bfc62d1c306ab2715eb63a6d93581657e71854d514f0c1ba8f07e3f5377224

memory/4988-502-0x0000000000000000-mapping.dmp

memory/2300-503-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/2300-505-0x0000000001300000-0x0000000001312000-memory.dmp

memory/4056-506-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1CKPPXbanu.bat

MD5 56fb15e86fb390a20011c6772fded74c
SHA1 5159e908d95751512cab00b6836a92c42e7fd8d7
SHA256 0fe33d3acd5f8612a64360997338eb64be306b52aa767495ed1756670ec4944c
SHA512 2c5499f6f361a00a0fa17f6020d5f859a80c17871872a8867e51e6627adae7f82fe7c34a56246bde161cd2642aee2584a8a64aeed52924dd33204425dd3aa4fc

memory/4792-508-0x0000000000000000-mapping.dmp

memory/1344-509-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/3828-511-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\VbZulfStaN.bat

MD5 b56eea76a986b6c7682a226e5a532b54
SHA1 6c6044087f57492f9afc1bbaa22f564e7d151348
SHA256 6aafb8f3589a5d3d4dfa8549a12cb3577fb115c55fe054dd011504ca9ed7bec9
SHA512 4d533483a8f4d240e1beaca595b7feee3854e43b626202d30066bd9ed0679bba2928f71a33fd12d7a56a79293477eeb74badabd633800b4c9174495be7e5b9a4

memory/1592-513-0x0000000000000000-mapping.dmp

memory/5116-514-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/5116-516-0x0000000000CA0000-0x0000000000CB2000-memory.dmp

memory/720-517-0x0000000000000000-mapping.dmp

memory/4180-519-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\gN51JOWfNX.bat

MD5 881f79ee1bdd91db1130a678fa5d86c1
SHA1 708b2dd526ee30eee19283455ab16a409cba37ed
SHA256 4e7aea37396f7a0224f2cfaf5f539f23d5c0609b31c5e47a277c03f7e2c5bb18
SHA512 332e40ba0e41788f373723a0c476810b3eb41b466ef0daf947a442a81a1badd77f0f330ba63afdfb8fdf544fa27bfce0cd682ea1ca4b9095e88911d3a276df91

memory/2600-520-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4804-522-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\A1nTHBcTHH.bat

MD5 efc1feaf2c510c3e582944c12ef54b54
SHA1 3a1e298cb969767da2ab020f1d9788cabb4d861a
SHA256 68248e5d12dc3be289c0e1a6666e78f0222c265010db8aa40ec3743f7e34ba9d
SHA512 99e24b779db9125fef6bcd0662df5195732ae40dd5de81587d7fe755cc5b43b24f17e524c4f6fdf3fb5c70fbd72088ab96ae9c6058cf139b20529f4e34bb9370

memory/4844-524-0x0000000000000000-mapping.dmp

memory/2576-525-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/240-527-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat

MD5 fad23eb1a31e57931ac89800f13d61a0
SHA1 333aa4ea6bf8524de6dbcf97e2c8cb568069503c
SHA256 d84f6934a232bfb3b956dd5b129d640b8add1c5ff592c3ade3d39e95c71eae3f
SHA512 81f038c0fc747c453801da750f8ba7c87d3d6aa6048e02a7627c9ffe76ac5c5e27403ba535fb561d852fcd1223e5eb186e88eef9f1e24b61baa24bcf12089083

memory/620-529-0x0000000000000000-mapping.dmp

memory/516-530-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4784-532-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\mQe7zIwqSA.bat

MD5 c5825df41c5c9bb946f4f5af3cf41e4a
SHA1 f3334215e160082df066280bdac9201c58313b1d
SHA256 a7851393b1e1d87838c30999575a8f4b1b9b0ddd8e31bb0e77392c148b70176e
SHA512 de5ca6fa0c942f3ce001ddb645d6612ff336626ee97ed14d9dfd080c654bb9bf3d5a00b9c161c31cc73ab7ce3e1601ff8b70c655084b4b1c13855a76fcad80ae

memory/4608-534-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Windows Media Player\Visualizations\services.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/2940-535-0x0000000000000000-mapping.dmp