Malware Analysis Report

2025-08-05 17:32

Sample ID 221101-mqqcnabhdq
Target 230aae467f83c1ae425b2fdb0784cd37a30f132b795c392264349259c542dfde
SHA256 230aae467f83c1ae425b2fdb0784cd37a30f132b795c392264349259c542dfde
Tags
rat dcrat infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

230aae467f83c1ae425b2fdb0784cd37a30f132b795c392264349259c542dfde

Threat Level: Known bad

The file 230aae467f83c1ae425b2fdb0784cd37a30f132b795c392264349259c542dfde was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

Dcrat family

Process spawned unexpected child process

DCRat payload

DcRat

DCRat payload

Executes dropped EXE

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-01 10:40

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-01 10:40

Reported

2022-11-01 10:43

Platform

win10v2004-20220901-en

Max time kernel

151s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\230aae467f83c1ae425b2fdb0784cd37a30f132b795c392264349259c542dfde.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (64 identical rows, one per schtasks.exe launch)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (12 rows, no indicator details recorded)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\providercommon\DllCommonsvc.exe N/A (2 rows)
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\230aae467f83c1ae425b2fdb0784cd37a30f132b795c392264349259c542dfde.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Users\All Users\explorer.exe N/A (6 rows)

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft\Temp\RuntimeBroker.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\9e8d7a4ca61bd9 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\upfc.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\ea1d8f6d871115 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Media Player\Media Renderer\csrss.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Media Player\Media Renderer\886983d96e3d3e C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\ModifiableWindowsApps\csrss.exe C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Registration\CRMLog\SppExtComObj.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Registration\CRMLog\e1ef82546f0b02 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\AppReadiness\SppExtComObj.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\AppReadiness\e1ef82546f0b02 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\winlogon.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\cc11b995f2a76d C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (64 rows, one per schtasks.exe launch; the command lines are listed under Processes)

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\230aae467f83c1ae425b2fdb0784cd37a30f132b795c392264349259c542dfde.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings C:\providercommon\DllCommonsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings C:\Users\All Users\explorer.exe N/A (6 rows)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A (20 rows)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (44 rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A (2 rows)
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (24 rows)
Token: SeDebugPrivilege N/A C:\Users\All Users\explorer.exe N/A (7 rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4828 wrote to memory of 2948 (3 calls) N/A C:\Users\Admin\AppData\Local\Temp\230aae467f83c1ae425b2fdb0784cd37a30f132b795c392264349259c542dfde.exe C:\Windows\SysWOW64\WScript.exe
PID 2948 wrote to memory of 2396 (3 calls) N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 5020 (2 calls) N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 5020 wrote to memory of 4668 (2 calls) N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5020 wrote to memory of 1196 (2 calls) N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5020 wrote to memory of 5000 (2 calls) N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5020 wrote to memory of 812 (2 calls) N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5020 wrote to memory of 540 (2 calls) N/A C:\providercommon\DllCommonsvc.exe C:\providercommon\DllCommonsvc.exe
PID 540 wrote to memory of 2304, 2280, 2624, 404, 4616, 4116, 5024, 2356, 5060, 4308, 1352, 996, 4724, 912, 740, 5000, 1392, 2264, 3772, 628 (20 children, 2 calls each) N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 540 wrote to memory of 2976 (2 calls) N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 2976 wrote to memory of 5400 (2 calls) N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2976 wrote to memory of 5908 (2 calls) N/A C:\Windows\System32\cmd.exe C:\Users\All Users\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\230aae467f83c1ae425b2fdb0784cd37a30f132b795c392264349259c542dfde.exe

"C:\Users\Admin\AppData\Local\Temp\230aae467f83c1ae425b2fdb0784cd37a30f132b795c392264349259c542dfde.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\odt\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\odt\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\odt\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\odt\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Registry.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\smss.exe'

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Videos\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Videos\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Videos\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft\Temp\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Temp\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\Temp\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\odt\powershell.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\odt\powershell.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Windows\AppReadiness\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Windows\AppReadiness\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\ServiceProfiles\NetworkService\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\ServiceProfiles\NetworkService\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Videos\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Videos\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\odt\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Windows\Registration\CRMLog\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Cookies\powershell.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Default\Cookies\powershell.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Cookies\powershell.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\csrss.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Windows\Registration\CRMLog\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\odt\System.exe'" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Videos\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Temp\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\powershell.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppReadiness\SppExtComObj.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\upfc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Videos\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\AppReadiness\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\odt\powershell.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\NetworkService\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\powershell.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Media Renderer\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\SppExtComObj.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\System.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MVrPQ66MMH.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\All Users\explorer.exe

"C:\Users\All Users\explorer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uuaNNDTqg5.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\All Users\explorer.exe

"C:\Users\All Users\explorer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6raUEgr1vJ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\All Users\explorer.exe

"C:\Users\All Users\explorer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iOYCRAfa0D.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\All Users\explorer.exe

"C:\Users\All Users\explorer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n7UEJyIAjk.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\All Users\explorer.exe

"C:\Users\All Users\explorer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LdHmevWlG3.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\All Users\explorer.exe

"C:\Users\All Users\explorer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EzJh52oHEl.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\All Users\explorer.exe

"C:\Users\All Users\explorer.exe"

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
US 20.42.73.25:443 tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp

Files


memory/5408-253-0x0000000000000000-mapping.dmp

memory/2372-255-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

memory/2372-258-0x00007FF82DF10000-0x00007FF82E9D1000-memory.dmp

memory/224-259-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\6raUEgr1vJ.bat

MD5 607c568a20437e0c2c9ef1bc00085fe0
SHA1 b580b81e9fdfbc7b0207978af9cf7c4cf50bf764
SHA256 b2bc1e08c5caab28d8e8934e68b0aabe06007b67278169d560e6bef6a9b2ef97
SHA512 21a24cbf2bbf1447e022d66daa71081677fb1d31920e442f1c90a4397553ba024b3a37100331ad25b1bffe168ee61348a6d8f82384444287797b1492ee477917

memory/5604-261-0x0000000000000000-mapping.dmp

memory/2372-262-0x00007FF82DF10000-0x00007FF82E9D1000-memory.dmp

memory/4432-263-0x0000000000000000-mapping.dmp

memory/4432-265-0x00007FF82DF10000-0x00007FF82E9D1000-memory.dmp

memory/4420-266-0x0000000000000000-mapping.dmp

memory/2260-268-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\iOYCRAfa0D.bat

MD5 701856cf58e14b02dc897053f2b0a4f5
SHA1 5b4b209e14c13bfdd5738bdff355effd8062b5e6
SHA256 309c5ef4890985b38419145421ea161a6830c64f801a7542cb08908253a44d1a
SHA512 f4ba0513b1f9288f5420678bf7c881541aa2917e611ab5c5737b50d8f58c8fff60b6a2c394be043eea0e7d78746211049050cb2a68261163719a9171cd0ea231

memory/4432-269-0x00007FF82DF10000-0x00007FF82E9D1000-memory.dmp

memory/5640-270-0x0000000000000000-mapping.dmp

memory/5640-272-0x00007FF82DF10000-0x00007FF82E9D1000-memory.dmp

memory/4008-273-0x0000000000000000-mapping.dmp

memory/4116-275-0x0000000000000000-mapping.dmp

memory/5640-276-0x00007FF82DF10000-0x00007FF82E9D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\n7UEJyIAjk.bat

MD5 239ad0065c79c3402bd0f1dad345212f
SHA1 458ddcfc19de5db899736a9c4d5e3c75864f3e8a
SHA256 9293a998760b499766b0eb830e91b00615c7a5945cd1b4324c789322d3876ac3
SHA512 68045c5ec06b3640c6916954b9a3365c2e643c292410a8ca1b5e620f3532c65360d77a0a56b48d679abcacbae698a0363d84ae356157dd74e5e4da8b255db9b8

memory/5660-277-0x0000000000000000-mapping.dmp

memory/5660-279-0x00007FF82DF10000-0x00007FF82E9D1000-memory.dmp

memory/5660-280-0x00007FF82DF10000-0x00007FF82E9D1000-memory.dmp

memory/3448-281-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\LdHmevWlG3.bat

MD5 8ede41a9a2bd07c61e2f619c851d491c
SHA1 ea4e647e248ad717e06505e34edba840127dd6f3
SHA256 2984bb1cef903a2be4aa89367aef4d459ee8422ca192f803e0a60a0b7afd0012
SHA512 7bae6043093845fb5724f00b0b703041583a9f0fa08794ba69ce36a20a66d15ba559c529e5335f754c775de43ce5d9519c2cc414a95f861a786114c4e9aaebb8

memory/5196-283-0x0000000000000000-mapping.dmp

memory/1264-285-0x0000000000000000-mapping.dmp

memory/1748-288-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\EzJh52oHEl.bat

MD5 01fa0fdca9205ed3bb522c7446ed9e4c
SHA1 26f424c71a7867c6bf9188eb2462d2dd3e960534
SHA256 4e9cdc3fbeafb7c553c23e8842a9694beff2f6235dbf5c83b264e655b1be44e2
SHA512 8757b0e84fa9a42e82d39847e69883892a956da7b1926ff7e32b01791bf9c0621efb3c0d3c4f4eed903e10b41d7ce13da4ddec05dc1032eb4b4db0c4631c3ff2

memory/4424-290-0x0000000000000000-mapping.dmp

memory/2204-292-0x0000000000000000-mapping.dmp
