Malware Analysis Report

2025-08-10 23:16

Sample ID 221101-nqlj5scdfm
Target c3696a495682e0596f2cef84c0cc2050db2a6b1845a16cf23ce16b4c1c3d384b
SHA256 c3696a495682e0596f2cef84c0cc2050db2a6b1845a16cf23ce16b4c1c3d384b
Tags
rat dcrat infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c3696a495682e0596f2cef84c0cc2050db2a6b1845a16cf23ce16b4c1c3d384b

Threat Level: Known bad

The file c3696a495682e0596f2cef84c0cc2050db2a6b1845a16cf23ce16b4c1c3d384b was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

DCRat payload

Process spawned unexpected child process

Dcrat family

DcRat

DCRat payload

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-01 11:36

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-01 11:36

Reported

2022-11-01 11:38

Platform

win10-20220812-en

Max time kernel

148s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c3696a495682e0596f2cef84c0cc2050db2a6b1845a16cf23ce16b4c1c3d384b.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (30 identical rows, one per schtasks.exe /create command listed under Processes)

Note: a process created through WMI (Win32_Process.Create) gets WmiPrvSE.exe as its parent, so these rows show that the tasks were registered via WMI rather than by a direct CreateProcess call, and the parent link alone does not identify the process that requested them. The dropped-file tables below show C:\providercommon\DllCommonsvc.exe writing the binaries that the tasks point to.

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (17 matches; the report records no indicator, process or target for this signature)

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\088424020bedd6 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\conhost.exe C:\providercommon\DllCommonsvc.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\conhost.exe C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Speech_OneCore\Engines\Lexicon\5940a34987c991 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\addins\sihost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\addins\66fc9ff0ee96c2 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Speech_OneCore\Engines\Lexicon\dllhost.exe C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings C:\providercommon\DllCommonsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\c3696a495682e0596f2cef84c0cc2050db2a6b1845a16cf23ce16b4c1c3d384b.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings C:\Windows\addins\sihost.exe N/A (12 identical rows)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A (3 rows)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (44 rows)
N/A N/A C:\Windows\addins\sihost.exe N/A (14 rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 (SeDelegateSessionUserImpersonatePrivilege) N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4236 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\c3696a495682e0596f2cef84c0cc2050db2a6b1845a16cf23ce16b4c1c3d384b.exe C:\Windows\SysWOW64\WScript.exe
PID 4236 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\c3696a495682e0596f2cef84c0cc2050db2a6b1845a16cf23ce16b4c1c3d384b.exe C:\Windows\SysWOW64\WScript.exe
PID 4236 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\c3696a495682e0596f2cef84c0cc2050db2a6b1845a16cf23ce16b4c1c3d384b.exe C:\Windows\SysWOW64\WScript.exe
PID 3576 wrote to memory of 4496 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3576 wrote to memory of 4496 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3576 wrote to memory of 4496 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4496 wrote to memory of 1316 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 4496 wrote to memory of 1316 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 1316 wrote to memory of 1048 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 1048 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 1908 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 1908 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 816 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 816 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 3408 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 3408 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 3388 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 3388 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 204 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 204 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 3344 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 3344 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 2508 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 2508 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 2624 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 2624 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 1212 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 1212 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 4164 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 4164 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 4592 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 1316 wrote to memory of 4592 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 4592 wrote to memory of 4612 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4592 wrote to memory of 4612 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4592 wrote to memory of 2224 N/A C:\Windows\System32\cmd.exe C:\Windows\addins\sihost.exe
PID 4592 wrote to memory of 2224 N/A C:\Windows\System32\cmd.exe C:\Windows\addins\sihost.exe
PID 2224 wrote to memory of 5112 N/A C:\Windows\addins\sihost.exe C:\Windows\System32\cmd.exe
PID 2224 wrote to memory of 5112 N/A C:\Windows\addins\sihost.exe C:\Windows\System32\cmd.exe
PID 5112 wrote to memory of 3832 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5112 wrote to memory of 3832 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5112 wrote to memory of 3676 N/A C:\Windows\System32\cmd.exe C:\Windows\addins\sihost.exe
PID 5112 wrote to memory of 3676 N/A C:\Windows\System32\cmd.exe C:\Windows\addins\sihost.exe
PID 3676 wrote to memory of 4684 N/A C:\Windows\addins\sihost.exe C:\Windows\System32\cmd.exe
PID 3676 wrote to memory of 4684 N/A C:\Windows\addins\sihost.exe C:\Windows\System32\cmd.exe
PID 4684 wrote to memory of 4340 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4684 wrote to memory of 4340 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4684 wrote to memory of 4696 N/A C:\Windows\System32\cmd.exe C:\Windows\addins\sihost.exe
PID 4684 wrote to memory of 4696 N/A C:\Windows\System32\cmd.exe C:\Windows\addins\sihost.exe
PID 4696 wrote to memory of 4408 N/A C:\Windows\addins\sihost.exe C:\Windows\System32\cmd.exe
PID 4696 wrote to memory of 4408 N/A C:\Windows\addins\sihost.exe C:\Windows\System32\cmd.exe
PID 4408 wrote to memory of 3672 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4408 wrote to memory of 3672 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4408 wrote to memory of 3680 N/A C:\Windows\System32\cmd.exe C:\Windows\addins\sihost.exe
PID 4408 wrote to memory of 3680 N/A C:\Windows\System32\cmd.exe C:\Windows\addins\sihost.exe
PID 3680 wrote to memory of 5088 N/A C:\Windows\addins\sihost.exe C:\Windows\System32\cmd.exe
PID 3680 wrote to memory of 5088 N/A C:\Windows\addins\sihost.exe C:\Windows\System32\cmd.exe
PID 5088 wrote to memory of 2052 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5088 wrote to memory of 2052 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5088 wrote to memory of 3388 N/A C:\Windows\System32\cmd.exe C:\Windows\addins\sihost.exe
PID 5088 wrote to memory of 3388 N/A C:\Windows\System32\cmd.exe C:\Windows\addins\sihost.exe
PID 3388 wrote to memory of 4052 N/A C:\Windows\addins\sihost.exe C:\Windows\System32\cmd.exe
PID 3388 wrote to memory of 4052 N/A C:\Windows\addins\sihost.exe C:\Windows\System32\cmd.exe
PID 4052 wrote to memory of 1280 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4052 wrote to memory of 1280 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
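Added example (not part of the sandbox report, and not DCRat or sandbox-vendor code): the WriteProcessMemory rows above pair each parent with the child it started, and together with the WmiPrvSE.exe-to-schtasks.exe rows they give the whole process tree. The Python script below replays that tree as Sysmon-style process-creation records and runs the parent/child checks an analyst would want on it: a tool launched by WmiPrvSE.exe (what WMI Win32_Process.Create looks like; the real requester never appears as parent), the WScript-to-cmd-to-batch dropper stage, w32tm /stripchart against localhost (with /samples:2 /period:5 it blocks for about five seconds, so the batch files use it as a sleep in place of timeout.exe or ping), and an image relaunching itself through a batch file (the sihost.exe, cmd.exe, w32tm.exe loop). PIDs and command lines are the report's; the WmiPrvSE.exe and schtasks.exe PIDs (9001, 9002) and the WMI_SUSPICIOUS_CHILDREN list are assumptions.

```python
"""Parent/child checks over process-creation records.

Added example, not code from the sandbox report or from DCRat. The records
below are constructed from the parent/child pairs and PIDs the report lists
(WriteProcessMemory table and the WmiPrvSE.exe -> schtasks.exe rows); the
command lines are taken from the Processes section. PIDs 9001 and 9002 are
assumed because the report gives no PID for WmiPrvSE.exe or schtasks.exe.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """The fields of a process-creation record (Sysmon Event ID 1 carries these)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Assumed: command-line tools WmiPrvSE.exe has no reason to start on its own.
# A child of WmiPrvSE.exe is what a process created through WMI's
# Win32_Process.Create looks like; the real requester never appears as parent.
WMI_SUSPICIOUS_CHILDREN = {
    "schtasks.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "rundll32.exe", "mshta.exe", "regsvr32.exe",
}


def base(image: str) -> str:
    """Lower-case file name of an image path."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def lineage(by_pid: Dict[int, ProcEvent], pid: int) -> List[str]:
    """Image basenames from the oldest known ancestor down to pid."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:  # guard against PID-reuse loops
        seen.add(cur.pid)
        chain.append(base(cur.image))
        cur = by_pid.get(cur.ppid)
    return chain[::-1]


def detect(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule) pairs for the parent/child patterns the report shows."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        child = base(e.image)
        cmd = e.cmdline.lower()
        parent = by_pid.get(e.ppid)
        pname = base(parent.image) if parent else ""
        grand = by_pid.get(parent.ppid) if parent else None
        gname = base(grand.image) if grand else ""

        # WMI provider host launching a scripting/admin tool.
        if pname == "wmiprvse.exe" and child in WMI_SUSPICIOUS_CHILDREN:
            findings.append((e.pid, "wmi_spawned_tool"))
        # Script host handing off to a batch file (the .vbe -> .bat stage).
        if pname == "wscript.exe" and child == "cmd.exe" and ".bat" in cmd:
            findings.append((e.pid, "script_host_to_batch"))
        # w32tm /stripchart against localhost: /samples:2 /period:5 blocks for
        # about five seconds, a sleep that avoids timeout.exe and ping.
        if child == "w32tm.exe" and "/stripchart" in cmd and "/computer:localhost" in cmd:
            findings.append((e.pid, "w32tm_sleep"))
        # Image -> cmd.exe -> same image: a batch file relaunching its caller.
        if pname == "cmd.exe" and gname == child and child != "cmd.exe":
            findings.append((e.pid, "self_relaunch_via_batch"))
    return findings


SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\c3696a495682e0596f2cef84c0cc2050db2a6b1845a16cf23ce16b4c1c3d384b.exe")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
W32TM = "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"

# Constructed from the report's PIDs and command lines; 9001/9002 are assumed.
SAMPLE_EVENTS = [
    ProcEvent(4236, 0, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcEvent(3576, 4236, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"'),
    ProcEvent(4496, 3576, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "'),
    ProcEvent(1316, 4496, r"C:\providercommon\DllCommonsvc.exe", r'"C:\providercommon\DllCommonsvc.exe"'),
    ProcEvent(1048, 1316, PS, r"powershell -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'"),
    ProcEvent(4592, 1316, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TeQomSDh46.bat"'),
    ProcEvent(4612, 4592, r"C:\Windows\system32\w32tm.exe", W32TM),
    ProcEvent(2224, 4592, r"C:\Windows\addins\sihost.exe", r'"C:\Windows\addins\sihost.exe"'),
    ProcEvent(5112, 2224, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z9xTb8lNHs.bat"'),
    ProcEvent(3832, 5112, r"C:\Windows\system32\w32tm.exe", W32TM),
    ProcEvent(3676, 5112, r"C:\Windows\addins\sihost.exe", r'"C:\Windows\addins\sihost.exe"'),
    ProcEvent(9001, 0, r"C:\Windows\system32\wbem\wmiprvse.exe", "wmiprvse.exe"),
    ProcEvent(9002, 9001, r"C:\Windows\system32\schtasks.exe",
              r'''schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\addins\sihost.exe'" /rl HIGHEST /f'''),
]

if __name__ == "__main__":
    by_pid = {e.pid: e for e in SAMPLE_EVENTS}
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"{rule:24} pid={pid:<5} {' -> '.join(lineage(by_pid, pid))}")
```

The self-relaunch rule only fires on the second sihost.exe (PID 3676), because its grandparent is the first sihost.exe; the first copy (PID 2224) descends from DllCommonsvc.exe and is left to the other rules. On a real host, feed detect() the Sysmon Event ID 1 records of one session and print lineage() for each hit, since the WmiPrvSE.exe parent on its own tells you nothing about who scheduled the tasks.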

Processes

C:\Users\Admin\AppData\Local\Temp\c3696a495682e0596f2cef84c0cc2050db2a6b1845a16cf23ce16b4c1c3d384b.exe

"C:\Users\Admin\AppData\Local\Temp\c3696a495682e0596f2cef84c0cc2050db2a6b1845a16cf23ce16b4c1c3d384b.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 7 /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\odt\ShellExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\addins\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 14 /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\SearchUI.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\DllCommonsvc.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TeQomSDh46.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\sihost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\ShellExperienceHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech_OneCore\Engines\Lexicon\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\SearchUI.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\conhost.exe'

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 7 /tr "'C:\odt\SearchUI.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\DllCommonsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\providercommon\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\odt\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Favorites\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Favorites\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Favorites\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Windows\addins\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\dllhost.exe'" /rl HIGHEST /f

C:\Windows\addins\sihost.exe

"C:\Windows\addins\sihost.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 5 /tr "'C:\odt\SearchUI.exe'" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z9xTb8lNHs.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\addins\sihost.exe

"C:\Windows\addins\sihost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\addins\sihost.exe

"C:\Windows\addins\sihost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z9xTb8lNHs.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\addins\sihost.exe

"C:\Windows\addins\sihost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\addins\sihost.exe

"C:\Windows\addins\sihost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\addins\sihost.exe

"C:\Windows\addins\sihost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w2PRcJO5W1.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\addins\sihost.exe

"C:\Windows\addins\sihost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aTd08pZfDw.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\addins\sihost.exe

"C:\Windows\addins\sihost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CrTeqwt2Oo.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\addins\sihost.exe

"C:\Windows\addins\sihost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yyRUJOSyqo.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\addins\sihost.exe

"C:\Windows\addins\sihost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nl6pt1R060.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\addins\sihost.exe

"C:\Windows\addins\sihost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzqLwOyuSO.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\addins\sihost.exe

"C:\Windows\addins\sihost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\addins\sihost.exe

"C:\Windows\addins\sihost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
NL 52.178.17.3:443 tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
NL 178.79.208.1:80 tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp

Files
