Malware Analysis Report

2025-08-10 23:16

Sample ID 221101-nq347abec7
Target 76b19dd372be0e7905a17871c99ebe48712907e77ca4c8246740adc5f2f51df6
SHA256 76b19dd372be0e7905a17871c99ebe48712907e77ca4c8246740adc5f2f51df6
Tags rat dcrat infostealer
Score 10/10

Analysis Overview

Score 10/10

SHA256

76b19dd372be0e7905a17871c99ebe48712907e77ca4c8246740adc5f2f51df6

Threat Level: Known bad

The file 76b19dd372be0e7905a17871c99ebe48712907e77ca4c8246740adc5f2f51df6 was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

DcRat

Dcrat family

Process spawned unexpected child process

DCRat payload

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-01 11:37

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-01 11:36

Reported

2022-11-01 11:39

Platform

win10-20220901-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\76b19dd372be0e7905a17871c99ebe48712907e77ca4c8246740adc5f2f51df6.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\f8c8f1285d826b C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\L2Schemas\886983d96e3d3e C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\CSC\OfficeClickToRun.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\L2Schemas\csrss.exe C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings C:\providercommon\DllCommonsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\76b19dd372be0e7905a17871c99ebe48712907e77ca4c8246740adc5f2f51df6.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1304 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\76b19dd372be0e7905a17871c99ebe48712907e77ca4c8246740adc5f2f51df6.exe C:\Windows\SysWOW64\WScript.exe
PID 3572 wrote to memory of 5092 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 5092 wrote to memory of 4448 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 4448 wrote to memory of 2684 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4448 wrote to memory of 1804 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4448 wrote to memory of 1596 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4448 wrote to memory of 4672 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4448 wrote to memory of 4416 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4448 wrote to memory of 1680 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4448 wrote to memory of 2500 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 2500 wrote to memory of 1484 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2500 wrote to memory of 4532 N/A C:\Windows\System32\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 4532 wrote to memory of 3928 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4532 wrote to memory of 3296 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4532 wrote to memory of 2252 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4532 wrote to memory of 812 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 812 wrote to memory of 4324 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 812 wrote to memory of 4936 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe
PID 4936 wrote to memory of 2648 N/A C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe C:\Windows\System32\cmd.exe
PID 2648 wrote to memory of 932 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2648 wrote to memory of 1164 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe
PID 1164 wrote to memory of 4576 N/A C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe C:\Windows\System32\cmd.exe
PID 4576 wrote to memory of 4644 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4576 wrote to memory of 1716 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe
PID 1716 wrote to memory of 4572 N/A C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe C:\Windows\System32\cmd.exe
PID 4572 wrote to memory of 4616 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4572 wrote to memory of 696 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe
PID 696 wrote to memory of 1004 N/A C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe C:\Windows\System32\cmd.exe
PID 1004 wrote to memory of 4664 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1004 wrote to memory of 4416 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe
PID 4416 wrote to memory of 2112 N/A C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe C:\Windows\System32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\76b19dd372be0e7905a17871c99ebe48712907e77ca4c8246740adc5f2f51df6.exe

"C:\Users\Admin\AppData\Local\Temp\76b19dd372be0e7905a17871c99ebe48712907e77ca4c8246740adc5f2f51df6.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\providercommon\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\odt\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\L2Schemas\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\csrss.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qPLI9iz0EO.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\providercommon\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0K0D7YH1jo.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe

"C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9kwbr7Wkdx.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe

"C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XFk51gP3Gp.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe

"C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Db0hEHdXHW.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe

"C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x7ZYnkvAkq.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe

"C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SNhzeWIHcH.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe

"C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TZCyxGcg3L.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe

"C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RdAvGBYmjZ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe

"C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YQG5KQjShu.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe

"C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U04fYIssV3.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe

"C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WVE2eLfZN7.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe

"C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5mXdMdden9.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 13.89.179.9:443 N/A tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 93.184.221.240:80 N/A tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp

Files

memory/1304-120-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-121-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-122-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-123-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-125-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-126-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-128-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-129-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-130-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-131-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-132-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-133-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-135-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-134-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-136-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-137-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-138-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-139-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-140-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-141-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-142-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-143-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-144-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-145-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-146-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-147-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-148-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-149-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-150-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-151-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-152-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-153-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-154-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-155-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-156-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-157-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-158-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-159-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-160-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-161-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-162-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-163-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-164-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-165-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-166-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-167-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-168-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-169-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-170-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-171-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-172-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-173-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-174-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-175-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-176-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-177-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-178-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-179-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-180-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-181-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-182-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/1304-183-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/3572-184-0x0000000000000000-mapping.dmp

memory/3572-186-0x0000000077D10000-0x0000000077E9E000-memory.dmp

memory/3572-185-0x0000000077D10000-0x0000000077E9E000-memory.dmp

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

memory/5092-260-0x0000000000000000-mapping.dmp

memory/4448-283-0x0000000000000000-mapping.dmp

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4448-286-0x0000000000F80000-0x0000000001090000-memory.dmp

memory/4448-287-0x00000000031D0000-0x00000000031E2000-memory.dmp

memory/4448-288-0x000000001BAD0000-0x000000001BADC000-memory.dmp

memory/4448-289-0x000000001BAE0000-0x000000001BAEC000-memory.dmp

memory/4448-290-0x000000001BAF0000-0x000000001BAFC000-memory.dmp

memory/2684-291-0x0000000000000000-mapping.dmp

memory/1804-292-0x0000000000000000-mapping.dmp

memory/1596-293-0x0000000000000000-mapping.dmp

memory/4672-294-0x0000000000000000-mapping.dmp

memory/4416-295-0x0000000000000000-mapping.dmp

memory/1680-296-0x0000000000000000-mapping.dmp

memory/2500-317-0x0000000000000000-mapping.dmp

memory/1596-322-0x00000153C2AF0000-0x00000153C2B12000-memory.dmp

memory/1596-327-0x00000153C2CA0000-0x00000153C2D16000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qPLI9iz0EO.bat

MD5 6af9b240a6f5b2f552a23dc0c9722d02
SHA1 9b131c364eec4ba7b9f30c10fc270755fd2eb054
SHA256 5d8baaf0f76257775b5be71799e328eff684cbf8cfd50821c99a06086978a69d
SHA512 8f3c19ec79938356f7be85ebea6c85a84fda642471d8bd6b77849af2753ba1e72d52f39856533969604d74603d9990933cb862dc165055dcc710bbc1e0eda9e9

memory/1484-337-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2edf7195b4af61d86c245c1879382438
SHA1 bd3c0f6a67ac894171fe98f08edfc39035360717
SHA256 49c84d55f435f1e6db2b5689d43512bb7884bfd25c5b9b2c63e33bda0cf84f5b
SHA512 500abf55be744605622b1e7f8c93a74b05ce5f5bafca55ff18589580af55af63be8d2899c34daf93d8bef7f8b9e8c68b285dc84e6a00debae6ef48486705ffe1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ad5cd538ca58cb28ede39c108acb5785
SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2edf7195b4af61d86c245c1879382438
SHA1 bd3c0f6a67ac894171fe98f08edfc39035360717
SHA256 49c84d55f435f1e6db2b5689d43512bb7884bfd25c5b9b2c63e33bda0cf84f5b
SHA512 500abf55be744605622b1e7f8c93a74b05ce5f5bafca55ff18589580af55af63be8d2899c34daf93d8bef7f8b9e8c68b285dc84e6a00debae6ef48486705ffe1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 81cabd8f3d4314a3845b469c34e3470d
SHA1 dba95d59050661ba208a5100207e32498e07954b
SHA256 9b1757f539bbbe0f66070b6302a018c79e8c572dfe35c51743a40d3da6bd790e
SHA512 3e2d3b35908fff4ace2e050290913e5eacd6985ced7c4cfa4565d946ab3aa48f6b65dcef59a7558d9939601bc38cbc988a58f9987a22ff48974b0591985fcfdc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 60b8075d8ec7f73e08aa14f440ce3131
SHA1 83d048202894aac134d1f0a7f182b38b8f453a89
SHA256 c6be9b1041f920e4e7a7e54b5dfd5e356f4ece39b7f1a5510e0b8a357a12b3b9
SHA512 9fd8502d7b9305e99cf58514e40e8247a2ec59b2790bfd8c8d2553b94c0a1ac0cbf236ad7426f5d8a180dcf7f0c95e43e0c750abaea4325238432377ca16aace

memory/4532-505-0x0000000000000000-mapping.dmp

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

MD5 b4268d8ae66fdd920476b97a1776bf85
SHA1 f920de54f7467f0970eccc053d3c6c8dd181d49a
SHA256 61d17affcc8d91ecb1858e710c455186f9d0ccfc4d8ae17a1145d87bc7317879
SHA512 03b6b90641837f9efb6065698602220d6c5ad263d51d7b7714747c2a3c3c618bd3d94add206b034d6fa2b8e43cbd1ac4a1741cfa1c2b1c1fc8589ae0b0c89516

memory/4532-508-0x0000000001360000-0x0000000001372000-memory.dmp

memory/3928-509-0x0000000000000000-mapping.dmp

memory/3296-510-0x0000000000000000-mapping.dmp

memory/2252-511-0x0000000000000000-mapping.dmp

memory/812-519-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 60b8075d8ec7f73e08aa14f440ce3131
SHA1 83d048202894aac134d1f0a7f182b38b8f453a89
SHA256 c6be9b1041f920e4e7a7e54b5dfd5e356f4ece39b7f1a5510e0b8a357a12b3b9
SHA512 9fd8502d7b9305e99cf58514e40e8247a2ec59b2790bfd8c8d2553b94c0a1ac0cbf236ad7426f5d8a180dcf7f0c95e43e0c750abaea4325238432377ca16aace

C:\Users\Admin\AppData\Local\Temp\0K0D7YH1jo.bat

MD5 ad28bbb01eea72f4af4f64a34d20cd81
SHA1 e8dfb44fbdca9fecdcd5bf88cd189610368e91d5
SHA256 55fa3ebdd20c4ea6f5ca75b3050631cf6a41e398953d6cb25d0c9143497de521
SHA512 04e8b96842528cc13a3e8fb5df0fea5a35f5f030b0ae0969a09e2eeb1bff3e71034aa1df4221632a9b2a840fbe917343e4e1ceeaafc2b9bee1825ee33ddaede1

memory/4324-529-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 72751016449554c65e5d030793919e1c
SHA1 59661aa97479b5043cf56679460e86de9d3b2bfb
SHA256 2def307675a11f533e2dc3f161ace66de1fb8bf4291ca132c1c3917e30d11ba0
SHA512 69149229effd9f6eb61dcee6ad96342c8bfded0db031f1819533920e4f1362229b45e31633a49ddadf910582eecf836456ab84862ef19ec337c7117d931b398e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7fd0a47a05c42d774b5c32af215ea1db
SHA1 96ca3f285deaa49352a2ac9ad14f94e2ff65cc48
SHA256 68b8db7c493aec1ea317d4a6574a852d696f742d693455741d82ae81690cee57
SHA512 456b86ba9c1d644e55e7ab203f2c6272ca69f4e700be4d02047a01b842975d2abfae5ca1000a1cce2f4d50482000ad530227dc0b69b555f6e018ef007b408103

C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4936-617-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4936-620-0x00000000015E0000-0x00000000015F2000-memory.dmp

memory/2648-621-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\9kwbr7Wkdx.bat

MD5 ea3d52e7094b84782dc45b87c1609867
SHA1 b7b952c3d7eba3ddc4a4df556dde85974cd4b2dd
SHA256 274e63a1d2f689d1de6a7e6a89a4fd6f7cf4a100cee2d718a1bd3841411f45b5
SHA512 90acbccf98b4faab93d50c777abe7e257751464fe7aede432feeca915c74e28acec88587747a6ec5caa2618734778cec643052e08ce3d59db617cb86027c1958

memory/932-623-0x0000000000000000-mapping.dmp

memory/1164-624-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ShellExperienceHost.exe.log

MD5 d63ff49d7c92016feb39812e4db10419
SHA1 2307d5e35ca9864ffefc93acf8573ea995ba189b
SHA256 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12
SHA512 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

memory/1164-627-0x0000000002FC0000-0x0000000002FD2000-memory.dmp

memory/4576-628-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\XFk51gP3Gp.bat

MD5 226ac412c5782c8bf8afe2d2182fa01c
SHA1 70d6f80171ef006644384a3c4a0ec1bced1e41f8
SHA256 d8e41a7868d80116fdbe7161730222040d9a794d204b9fa196b74c776d8de20e
SHA512 f76ea888f78fa28d60bd0a0b9661db6044a5c3ed1914d26ceb632d4174a75f010904dca6a33aba8dffd176e0fe450ba34a8e6d80011eb8500c116871655722b3

memory/4644-630-0x0000000000000000-mapping.dmp

memory/1716-631-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4572-633-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Db0hEHdXHW.bat

MD5 4567a4e4f0d2b9bdba3bd52b49662c57
SHA1 ecb620eb8e2a184d849bdfcd1609214cceb8b070
SHA256 495405a6e404e0b2e25010bd44deb0d568c37d72d6324e856425814c35d81c29
SHA512 babe8094ac45c4e6fc1cee778500e24fe6254deb8e0cdf4a128e459094901f8b13cac7ce59b7902bfa7e6eb04d7d4ef2b3f0b921744078ef6460589b076d84f0

memory/4616-635-0x0000000000000000-mapping.dmp

memory/696-636-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/1004-638-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\x7ZYnkvAkq.bat

MD5 dac341710b5a589eb5efc4eebbbc515b
SHA1 e185fc82faa76bae52e395540a46a6619073be6e
SHA256 d3a18c78b1c4adae125770a1ce4e312953495ce67912710f595ef63dd5ab3a93
SHA512 80c299e0484946ecd5ec52b5af0f1114a7953a7ffb6c797eeebb7aafc13398ee59f8f832423122f03373688a6cd5409dbda2bf21c203a57f2cfde0873c00f3b0

memory/4664-640-0x0000000000000000-mapping.dmp

memory/4416-641-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4416-643-0x0000000001850000-0x0000000001862000-memory.dmp

memory/2112-644-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\SNhzeWIHcH.bat

MD5 7461b83fe7d281aa320abdd964609871
SHA1 dfadaa6c03032f3f82d950679961972104044c4d
SHA256 c6110470d235c297a9219bac3815a633570c25074e76180d7f28a1b33eccd104
SHA512 dd3ec7d220089d23e6d9bfcc06bd198a352615a49550b0c7f91f2e5d2072eb78f7cf1972c7f78139718b1fc909773803ced07c27cce93bfbaa1198ca83bcbb05

memory/608-646-0x0000000000000000-mapping.dmp

memory/1652-647-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/1616-649-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\TZCyxGcg3L.bat

MD5 3d689395c47fe1108aecc82d2f51c544
SHA1 8aacde0b64667644fbb1597fc6220ff334688b29
SHA256 c90a4412f53a73416b7e1e67563286ba835136a1b7ae1e8a10a094bfe88e33cf
SHA512 15e90373324fd6f90983a8b4630453a371bf7d3a94c3c91422e677367a8565e988e1e96c471734e13241e3cca1ed27be3af121f1eaacb69968739f1445c279c9

memory/2468-651-0x0000000000000000-mapping.dmp

memory/4080-652-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/1212-654-0x0000000000000000-mapping.dmp

memory/3488-656-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RdAvGBYmjZ.bat

MD5 244145b0f3c40f293e3860e1aeac4909
SHA1 c9aa7d80e37dd6c5362f82d833c0d1f03742e3db
SHA256 366da3f512bdd2b8c532066c0e15b37c01e3400adb0670ed0de7f2b7d0071bc5
SHA512 b15d90c6b4298ca62973078c792f3e4f82aa0493216e8ec6793902a69b055fdeaba0cbe8092635188b5460a1cff813e83b4cb9c8088de7c969a5242e3ecf3748

memory/4260-657-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4260-659-0x00000000021D0000-0x00000000021E2000-memory.dmp

memory/432-660-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\YQG5KQjShu.bat

MD5 06c72c005edc2f4e7e3ffef7527a29e9
SHA1 2fb20e550cdcacb7b193406a5b2391f52735478f
SHA256 f821d818cbcf48975abb60cc7936e009ec0a229abcefb85dd5893cb0a6e4f83a
SHA512 ce08749c736e2ab08d1bfa35d4e0cc64df1763a8904e52c270dc536f79100106911eb6d8d6d5fc4432e3a60aea6f9fbdbf0a59e7258c735e13e83add7aa322e6

memory/4764-662-0x0000000000000000-mapping.dmp

memory/2644-663-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/496-665-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\U04fYIssV3.bat

MD5 9fd61b89684da0b62829495413b83ba4
SHA1 95533bd744739f8dfe1a06a3c75d0e72641e46b0
SHA256 b9e917f1e10b45a25ead68e785252c4c6608f1c7330f5c6f263f741446ab0c3f
SHA512 1946e96c346b3b1dfbcf7547418f971b9d1dabbeedba8a6443ee3e0baad488a4d0310df19cbdb92678ca9859c48355e20d0e07e5159c5b4416df7c8c91c84956

memory/2724-667-0x0000000000000000-mapping.dmp

memory/3928-668-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4920-670-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\WVE2eLfZN7.bat

MD5 e37e9c64986fc9e585aca0247214b403
SHA1 b9225bdfd48f8b772fcedef30ff511e733aa08f1
SHA256 1ba2c9d24d996ec98444de7b4a10dec6a3db6fb1c7f1ac24d32a2eb5864c490a
SHA512 da85e1fd988b30fb0ad8f29beb1c92e3f136c8a8c0f1bdba0c4cddcba84b98a2c0478c632f60840ac42093e49b4724e6083f6d69b69ddaf86e44d82cc2b97720

memory/4796-672-0x0000000000000000-mapping.dmp

memory/2100-673-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\ShellExperienceHost.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/188-675-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5mXdMdden9.bat

MD5 9ee406112f1becb828159cab9c5c2d1b
SHA1 46e04c98742fce48475d6e2e9a78627ea9def73c
SHA256 42fc30c0fdf78c8c0c0f188a540d54729c416f59314b16280c3f3910af198b77
SHA512 c7d623ab0b2c0f9f5b9b5faad7ef8254bf3984b5319a4bdd006ac42dfa862adf13ed053f4eab08aa06cf887c7b59210539b327de97e065eab8c4b19215cd83f5

memory/364-677-0x0000000000000000-mapping.dmp