Malware Analysis Report

2025-08-10 23:17

Sample ID 221101-nrccvscdgl
Target ba665578392cebad6c0225ffd7da0e4d2b85691f9a979a19d366626393d1684c
SHA256 ba665578392cebad6c0225ffd7da0e4d2b85691f9a979a19d366626393d1684c
Tags
rat dcrat infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ba665578392cebad6c0225ffd7da0e4d2b85691f9a979a19d366626393d1684c

Threat Level: Known bad

The file ba665578392cebad6c0225ffd7da0e4d2b85691f9a979a19d366626393d1684c was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

DcRat

Dcrat family

DCRat payload

Process spawned unexpected child process

DCRat payload

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-01 11:37

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-01 11:37

Reported

2022-11-01 11:40

Platform

win10-20220812-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ba665578392cebad6c0225ffd7da0e4d2b85691f9a979a19d366626393d1684c.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (45 identical rows)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (15 identical rows)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A (1 row)
N/A N/A C:\odt\csrss.exe N/A (11 identical rows)

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Mail\en-US\dllhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Mail\en-US\5940a34987c991 C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\it-IT\dllhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\it-IT\5940a34987c991 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\debug\DllCommonsvc.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\debug\a76d7bf15d8370 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\TAPI\sppsvc.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\TAPI\0a1fd5f707cd16 C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (45 identical rows)

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings C:\odt\csrss.exe N/A (11 identical rows)
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\ba665578392cebad6c0225ffd7da0e4d2b85691f9a979a19d366626393d1684c.exe N/A (1 row)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A (31 identical rows)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (33 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\odt\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2836 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\ba665578392cebad6c0225ffd7da0e4d2b85691f9a979a19d366626393d1684c.exe C:\Windows\SysWOW64\WScript.exe (3 identical rows)
PID 1620 wrote to memory of 2976 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe (3 identical rows)
PID 2976 wrote to memory of 3960 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe (2 identical rows)
PID 3960 wrote to memory of 564 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical rows)
PID 3960 wrote to memory of 1932 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical rows)
PID 3960 wrote to memory of 2044 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical rows)
PID 3960 wrote to memory of 2420 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical rows)
PID 3960 wrote to memory of 2408 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical rows)
PID 3960 wrote to memory of 2268 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical rows)
PID 3960 wrote to memory of 3784 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical rows)
PID 3960 wrote to memory of 2924 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical rows)
PID 3960 wrote to memory of 3340 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical rows)
PID 3960 wrote to memory of 4772 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical rows)
PID 3960 wrote to memory of 1924 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical rows)
PID 3960 wrote to memory of 4800 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical rows)
PID 3960 wrote to memory of 1580 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical rows)
PID 3960 wrote to memory of 2816 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical rows)
PID 3960 wrote to memory of 4400 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical rows)
PID 3960 wrote to memory of 2800 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical rows)
PID 3960 wrote to memory of 5116 N/A C:\providercommon\DllCommonsvc.exe C:\odt\csrss.exe (2 identical rows)
PID 5116 wrote to memory of 160 N/A C:\odt\csrss.exe C:\Windows\System32\cmd.exe (2 identical rows)
PID 160 wrote to memory of 800 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (2 identical rows)
PID 160 wrote to memory of 3892 N/A C:\Windows\System32\cmd.exe C:\odt\csrss.exe (2 identical rows)
PID 3892 wrote to memory of 5444 N/A C:\odt\csrss.exe C:\Windows\System32\cmd.exe (2 identical rows)
PID 5444 wrote to memory of 5500 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (2 identical rows)
PID 5444 wrote to memory of 5524 N/A C:\Windows\System32\cmd.exe C:\odt\csrss.exe (2 identical rows)
PID 5524 wrote to memory of 5624 N/A C:\odt\csrss.exe C:\Windows\System32\cmd.exe (2 identical rows)
PID 5624 wrote to memory of 5680 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (2 identical rows)
PID 5624 wrote to memory of 5700 N/A C:\Windows\System32\cmd.exe C:\odt\csrss.exe (2 identical rows)
PID 5700 wrote to memory of 5800 N/A C:\odt\csrss.exe C:\Windows\System32\cmd.exe (2 identical rows)
PID 5800 wrote to memory of 5856 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (2 identical rows)
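
Added example (not part of the sandbox output): the script below rebuilds the process tree from rows like the ones in this table, prints it, and flags the csrss.exe -> cmd.exe -> csrss.exe chain that repeats four times here, i.e. the dropped binary relaunching itself through a shell with a w32tm.exe call in between (w32tm's arguments are not on this page, so nothing is inferred about them). The rows are a subset copied from this table; the column layout and the assumption that image paths end in .exe are the example's own. Note what this table cannot show: the 45 schtasks.exe launches do not appear in it and the report attributes them to wmiprvse.exe, which is consistent with the tasks being registered through WMI (Win32_Process.Create) rather than by DllCommonsvc.exe directly, so a parent-PID tree built from either source alone misses that edge.

```python
"""Rebuild a process tree from Triage-style WriteProcessMemory rows.

Added example, not sandbox output. ROWS is a subset of the table above with
the repeated rows collapsed; the regex assumes the report's column layout and
that image paths end in .exe (assumption).
"""
import ntpath
import re

ROWS = r"""
PID 2836 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\ba665578392cebad6c0225ffd7da0e4d2b85691f9a979a19d366626393d1684c.exe C:\Windows\SysWOW64\WScript.exe
PID 1620 wrote to memory of 2976 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2976 wrote to memory of 3960 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 3960 wrote to memory of 564 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3960 wrote to memory of 1932 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3960 wrote to memory of 5116 N/A C:\providercommon\DllCommonsvc.exe C:\odt\csrss.exe
PID 5116 wrote to memory of 160 N/A C:\odt\csrss.exe C:\Windows\System32\cmd.exe
PID 160 wrote to memory of 800 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 160 wrote to memory of 3892 N/A C:\Windows\System32\cmd.exe C:\odt\csrss.exe
PID 3892 wrote to memory of 5444 N/A C:\odt\csrss.exe C:\Windows\System32\cmd.exe
PID 5444 wrote to memory of 5500 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5444 wrote to memory of 5524 N/A C:\Windows\System32\cmd.exe C:\odt\csrss.exe
"""

# "PID <writer> wrote to memory of <target> N/A <writer image> <target image>"
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+?\.exe)$",
                    re.IGNORECASE)


def parse_rows(text):
    """Map pid -> (parent_pid, image). A writer never seen as a target becomes a root."""
    procs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        writer, target = int(m.group(1)), int(m.group(2))
        procs.setdefault(writer, (None, m.group(3)))  # keep a known parent if any
        procs[target] = (writer, m.group(4))          # repeated rows: same edge
    return procs


def lineage(procs, pid):
    """Ancestor chain of pid, root first."""
    chain = []
    while pid is not None:
        chain.append(pid)
        pid = procs[pid][0]
    return chain[::-1]


def render_tree(procs, parent=None, depth=0):
    """Indented 'pid image' lines, depth-first from the roots."""
    lines = []
    for pid, (ppid, image) in procs.items():
        if ppid == parent:
            lines.append("  " * depth + f"{pid} {ntpath.basename(image)}")
            lines.extend(render_tree(procs, pid, depth + 1))
    return lines


def self_relaunches(procs):
    """PIDs whose image equals their grandparent's image with cmd.exe in between:
    a binary that restarts itself through a shell, as csrss.exe does in this report."""
    hits = []
    for pid, (ppid, image) in procs.items():
        if ppid is None or procs[ppid][0] is None:
            continue
        grandparent = procs[ppid][0]
        via_cmd = ntpath.basename(procs[ppid][1]).lower() == "cmd.exe"
        if via_cmd and procs[grandparent][1].lower() == image.lower():
            hits.append(pid)
    return hits


if __name__ == "__main__":
    tree = parse_rows(ROWS)
    print("\n".join(render_tree(tree)))
    print("self-relaunch via cmd.exe:", self_relaunches(tree))
    print("lineage of 5524:", " > ".join(map(str, lineage(tree, 5524))))
```

Run stand-alone it prints the indented tree rooted at PID 2836 and reports PIDs 3892 and 5524 as relaunches; feeding it the full table extends the chain through 5700 and 5856 without changes.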

Processes

C:\Users\Admin\AppData\Local\Temp\ba665578392cebad6c0225ffd7da0e4d2b85691f9a979a19d366626393d1684c.exe

"C:\Users\Admin\AppData\Local\Temp\ba665578392cebad6c0225ffd7da0e4d2b85691f9a979a19d366626393d1684c.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\odt\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SearchUI.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\providercommon\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\odt\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\en-US\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\en-US\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\it-IT\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\it-IT\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\it-IT\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Windows\debug\DllCommonsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\debug\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Videos\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Videos\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Videos\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\TAPI\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\TAPI\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\TAPI\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchUI.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\ShellExperienceHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\sppsvc.exe'

C:\odt\csrss.exe

"C:\odt\csrss.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Videos\smss.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\odt\csrss.exe

"C:\odt\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ctDgUbHuaY.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\odt\csrss.exe

"C:\odt\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\odt\csrss.exe

"C:\odt\csrss.exe"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F8wGhM86rN.bat"

C:\odt\csrss.exe

"C:\odt\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jhJpXqSaXt.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\odt\csrss.exe

"C:\odt\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\odt\csrss.exe

"C:\odt\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F8wGhM86rN.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\odt\csrss.exe

"C:\odt\csrss.exe"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5EJ4eIa89C.bat"

C:\odt\csrss.exe

"C:\odt\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\odt\csrss.exe

"C:\odt\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pakqiPPahT.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\odt\csrss.exe

"C:\odt\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wOqzmeZFfo.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country  Destination           Domain                     Proto
US       8.8.8.8:53            raw.githubusercontent.com  udp
US       185.199.108.133:443   raw.githubusercontent.com  tcp
US       52.168.117.169:443                               tcp
US       185.199.108.133:443   raw.githubusercontent.com  tcp
US       8.253.208.121:80                                 tcp
US       185.199.108.133:443   raw.githubusercontent.com  tcp
US       185.199.108.133:443   raw.githubusercontent.com  tcp
US       185.199.108.133:443   raw.githubusercontent.com  tcp
US       185.199.108.133:443   raw.githubusercontent.com  tcp
US       185.199.108.133:443   raw.githubusercontent.com  tcp
US       185.199.108.133:443   raw.githubusercontent.com  tcp
US       185.199.108.133:443   raw.githubusercontent.com  tcp
US       185.199.108.133:443   raw.githubusercontent.com  tcp
US       185.199.108.133:443   raw.githubusercontent.com  tcp

Files

memory/2836-115-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-116-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-117-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-118-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-120-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-121-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-123-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-124-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-125-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-126-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-127-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-128-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-129-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-130-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-131-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-132-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-133-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-134-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-135-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-136-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-137-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-138-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-139-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-140-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-141-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-142-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-143-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-144-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-145-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-146-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-147-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-148-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-149-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-150-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-151-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-152-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-153-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-154-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-155-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-157-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-158-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-156-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-159-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-160-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-161-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-162-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-163-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-164-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-166-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-165-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-167-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-168-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-169-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-170-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-171-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-172-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-173-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-174-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-175-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-176-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-177-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/2836-178-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/1620-179-0x0000000000000000-mapping.dmp

memory/1620-180-0x00000000771B0000-0x000000007733E000-memory.dmp

memory/1620-181-0x00000000771B0000-0x000000007733E000-memory.dmp

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

memory/2976-255-0x0000000000000000-mapping.dmp

memory/3960-278-0x0000000000000000-mapping.dmp

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/3960-281-0x0000000000FC0000-0x00000000010D0000-memory.dmp

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/3960-282-0x0000000001820000-0x0000000001832000-memory.dmp

memory/3960-283-0x0000000001840000-0x000000000184C000-memory.dmp

memory/3960-284-0x0000000001850000-0x000000000185C000-memory.dmp

memory/3960-285-0x0000000001A00000-0x0000000001A0C000-memory.dmp

memory/564-286-0x0000000000000000-mapping.dmp

memory/1932-287-0x0000000000000000-mapping.dmp

memory/2044-288-0x0000000000000000-mapping.dmp

memory/2408-290-0x0000000000000000-mapping.dmp

memory/2268-291-0x0000000000000000-mapping.dmp

memory/2420-289-0x0000000000000000-mapping.dmp

memory/3784-292-0x0000000000000000-mapping.dmp

memory/3340-294-0x0000000000000000-mapping.dmp

memory/2924-293-0x0000000000000000-mapping.dmp

memory/1924-299-0x0000000000000000-mapping.dmp

memory/4772-296-0x0000000000000000-mapping.dmp

memory/1580-307-0x0000000000000000-mapping.dmp

memory/2816-312-0x0000000000000000-mapping.dmp

memory/2800-323-0x0000000000000000-mapping.dmp

memory/5116-344-0x0000000000000000-mapping.dmp

memory/4400-318-0x0000000000000000-mapping.dmp

C:\odt\csrss.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\odt\csrss.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/564-367-0x00000134C2CE0000-0x00000134C2D02000-memory.dmp

memory/4800-302-0x0000000000000000-mapping.dmp

memory/5116-370-0x0000000001860000-0x0000000001872000-memory.dmp

memory/2420-373-0x000001FFF9830000-0x000001FFF98A6000-memory.dmp

memory/160-476-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat

MD5 4d00dc1326c359289baf6301b8df5b9a
SHA1 091525f2ca119b2882dcee79ce72eddd5637a496
SHA256 34062c0cb1b44b951bff0a64f03f0af4233f1707d0aff98f25ce9ae414dae199
SHA512 f6cabf7d4c367aa3c55e44f3e574926d10c5a4ba6b28eb4262f71fab3e8393822ec46d7c4d33807cb5b0e97956f5a507aaf228b118b1902566b91c2d7f731b13

memory/800-541-0x0000000000000000-mapping.dmp

memory/3892-784-0x0000000000000000-mapping.dmp

C:\odt\csrss.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

MD5 d63ff49d7c92016feb39812e4db10419
SHA1 2307d5e35ca9864ffefc93acf8573ea995ba189b
SHA256 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12
SHA512 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e186e7843427f675720aa5a44346fcc5
SHA1 61e2258b3f3134a2e59cb7c702cc42f016d365e5
SHA256 60cdf598b71610e2ddc0ad3dd8ae885b6857a37ec076dee33e619a9161d1f103
SHA512 2d81c68a9efb1b402d74756d8a7d2aa1e37c0c7d6fdf15aea621792ef8673a9bfdbcbd032bf813ea917dc4167f441307bcf1d17cc0dac1fc14f2d1e6247fc396

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 8592ba100a78835a6b94d5949e13dfc1
SHA1 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256 fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e186e7843427f675720aa5a44346fcc5
SHA1 61e2258b3f3134a2e59cb7c702cc42f016d365e5
SHA256 60cdf598b71610e2ddc0ad3dd8ae885b6857a37ec076dee33e619a9161d1f103
SHA512 2d81c68a9efb1b402d74756d8a7d2aa1e37c0c7d6fdf15aea621792ef8673a9bfdbcbd032bf813ea917dc4167f441307bcf1d17cc0dac1fc14f2d1e6247fc396

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9dae9b10fed8464da520d9f01d3ea2f9
SHA1 77dc9f45640dbf10aff6965f3c28c7ae24f99213
SHA256 ca2de87fede2a4569fc09b5409edbb344d8b7e1e0e2bd606ee3ce201f6586d7d
SHA512 b71ef41da8ab9df34b7498f5a6d8cc47e21a983b6d8fe4085167f251ef974783eb9fe0e67b8df9dd9de0a1e101cf2beaec822e828cdcf2aa505fb24ffd6eed1e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5c441da4958f384fd8d1766ecbe94e2e
SHA1 c011ba96e01475dae49b26989af1ef101c566257
SHA256 db930b7eebc26051c4271be1d3b4283a74ae543680112f66db90f941c2ab042e
SHA512 cca99d0ac36896f50b949b7bd14e6837251145fc3bc142d6974cbb95771adfcf31885333aa8b309dcfe602b46b799ecb2030eee33b40ffb285693384ec08b892

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8720ec8dc9cf5a8dccd0791358ef583a
SHA1 ad7749c1185d6907c45fc608ecb8da473203ebc8
SHA256 ffb97d747261a663800ba0410abe104f6e9ed4d78d007ae571adcfd258aaefec
SHA512 19ff1289ad07a54fd8c662a71948145a50c33443481db81f2f76cb02dac4b9c1562f8bec2c7d32f996a38510ca0746584e5d1a1617fb6b841da467cdf5cf6626

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8720ec8dc9cf5a8dccd0791358ef583a
SHA1 ad7749c1185d6907c45fc608ecb8da473203ebc8
SHA256 ffb97d747261a663800ba0410abe104f6e9ed4d78d007ae571adcfd258aaefec
SHA512 19ff1289ad07a54fd8c662a71948145a50c33443481db81f2f76cb02dac4b9c1562f8bec2c7d32f996a38510ca0746584e5d1a1617fb6b841da467cdf5cf6626

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ebea9b8d2699f2183c589dd046404b99
SHA1 cb2142ccfbbc0bbbe4d012f3700296ef75b5a59c
SHA256 4ae97535e164335db434c0a153d9d1700c8bcfca80066838417bec82569df35a
SHA512 061d1dd947bdf30623aaa7d829f965bfb5a8a41bd9867af561b3bde0ba5018386c7d1c48757652f7c40e608f45ac9fd602fa31364446db85d226860b27fbb090

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 71247185f6b866ae1fcef07c5ed12a60
SHA1 2a692d071d38555652d307dbb26c07e29db64370
SHA256 899b324db83a40fb10277e23a768ab250400c4a12a77ccce098286fa4b585d0e
SHA512 2206be9b365cf28169cc696122cd1bb82b00c74ebc7afe7588b8d30ef6aa7460c5ab948acaec6f75eaffbc962a2223fa6fa5442b6a5e09da2b446ea62bbcfb89

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ebea9b8d2699f2183c589dd046404b99
SHA1 cb2142ccfbbc0bbbe4d012f3700296ef75b5a59c
SHA256 4ae97535e164335db434c0a153d9d1700c8bcfca80066838417bec82569df35a
SHA512 061d1dd947bdf30623aaa7d829f965bfb5a8a41bd9867af561b3bde0ba5018386c7d1c48757652f7c40e608f45ac9fd602fa31364446db85d226860b27fbb090

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d5b3e713e95ad7f721b9441b7e629f00
SHA1 69a0060ffb4023d110f70baa89f531b46b759069
SHA256 79388600e027cddfabc1115e55817017032efe5639b19954903540642d0183c5
SHA512 176e1d2e58f0d43558c14117ec84781d9c2f5ff1799ec7055877cd537f61007b2919a198546c392dee0117e58f95d22537a48c1a0015332a11713d07355ad167

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d5b3e713e95ad7f721b9441b7e629f00
SHA1 69a0060ffb4023d110f70baa89f531b46b759069
SHA256 79388600e027cddfabc1115e55817017032efe5639b19954903540642d0183c5
SHA512 176e1d2e58f0d43558c14117ec84781d9c2f5ff1799ec7055877cd537f61007b2919a198546c392dee0117e58f95d22537a48c1a0015332a11713d07355ad167

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c43c0d4fde4864fe02f74f8e7d1dbed0
SHA1 437121eb2ef581abd93ff3eea4151f6f54194944
SHA256 58aa6cab35d66524c851e9ec29d0e26bc37d34b2a39b732902b802dbf92193a2
SHA512 46c508b2c5cc05176c0a99fdf6831082c397646e55cc2653f6f593e8f7b592e8adba87d3f5056c45e2308c7951f45ff0520c130fa1dc17c85d06284cb6c860da

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c43c0d4fde4864fe02f74f8e7d1dbed0
SHA1 437121eb2ef581abd93ff3eea4151f6f54194944
SHA256 58aa6cab35d66524c851e9ec29d0e26bc37d34b2a39b732902b802dbf92193a2
SHA512 46c508b2c5cc05176c0a99fdf6831082c397646e55cc2653f6f593e8f7b592e8adba87d3f5056c45e2308c7951f45ff0520c130fa1dc17c85d06284cb6c860da

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5ea4596c843e578b58231cafa1f02eb5
SHA1 31c589fc1f649847f046959e3791316dc802b711
SHA256 23a9f71024fb4774c6ee83600330ee2b9a4825bab2f82e5edd462e4f46ff16fe
SHA512 37be98a97779d1bf97f469be9e84eae3bb4cc9e140bf489b1d0c3afaf9cb11b4e8d7fc91a77e4aa36266f882e831a2dea3ff4a35fbc241ff0061dc3f3ddb1509

memory/5444-857-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\ctDgUbHuaY.bat

MD5 6742f2f77f4e921ad233a4a23f3c1d15
SHA1 fc3212770e8183369ebbf8014f60401e548fe79b
SHA256 3e1434c758488bdea24194fab134d672352ee822abee2786435e9767e102f6c4
SHA512 add3ca18a9b6d87b383b87c76c0247f6d0e24b2cdc317d53a047bc5f3934b044ed448dc156aa5ae3a31c1616b060c6f4adc7d6f6f10ac86d1f94490d6e01d914

memory/5500-859-0x0000000000000000-mapping.dmp

memory/5524-860-0x0000000000000000-mapping.dmp

C:\odt\csrss.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/5624-862-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat

MD5 88ee88e10178c76a0dc36186abeadf57
SHA1 819900b12ea256256252668cc78dd7e6fd923cdf
SHA256 dd5fb40a06164a1ab768a8a704a508a53629fda6760c09d366b1e63c17121bf5
SHA512 ebcf3ee19932df33813d9f3ae99b32e1986edf96b5d1627e7d2267a619392fe36bb8a2bb01dfa2c5cedd71c11978b4547bd03783446e815e9a05def81de6fea9

memory/5680-864-0x0000000000000000-mapping.dmp

memory/5700-865-0x0000000000000000-mapping.dmp

C:\odt\csrss.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/5856-869-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\F8wGhM86rN.bat

MD5 77c1227097c246a32cbcf7635fdc7c4c
SHA1 7d4c498278df2d6b98e29c97482956c16b597be4
SHA256 99b44adc2f056d42da296940b4d07a0fe8cae207aec7a3ae0a424a85312cf5b1
SHA512 d2525945e196fb3316a90b409931a1064a7d41b182321b340a9725927705efdfed2c9b24e589c23c8eae3d8025274fea64145a74c5bd2fce6e74e3f513930bc3

memory/5800-867-0x0000000000000000-mapping.dmp

memory/5876-870-0x0000000000000000-mapping.dmp

C:\odt\csrss.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/5980-872-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\jhJpXqSaXt.bat

MD5 0f1821761000a82bb2dcdbe01e064b61
SHA1 039f363971f1b022f8f13791086b83c7ea4c3654
SHA256 be6167cdf4fef6b2a89f3d91df4f6498225fecb325fbc8713a4cef017d4063f9
SHA512 b7f60fb116e346760d80a0e842d43f9c9eecb5de93dd1529d18c1610ec00ef05a78c11ecef0e91ee50aa9752035e6a2aed225cba1036d9b728373b97f42220d4

memory/6036-874-0x0000000000000000-mapping.dmp

memory/6056-875-0x0000000000000000-mapping.dmp

C:\odt\csrss.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/160-877-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat

MD5 5e6c3d183d01926c819f8df45fac43e5
SHA1 8044142c024c2dd5c33905c6231918c1123f6ecc
SHA256 d5c46b393618e947e9efb35bacd039096fe4317a866ab064b6883a7f455ae8e9
SHA512 4c7dc0817358e5a9026070b31449dade01ed848dd0c65463e09b6ae02147238aa0a5838ae850ef14f1229e66c47d3f1f5ba601f7ff866c22a24a0f27e92d7609

memory/5184-879-0x0000000000000000-mapping.dmp

memory/3116-880-0x0000000000000000-mapping.dmp

C:\odt\csrss.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/5112-882-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\F8wGhM86rN.bat

MD5 77c1227097c246a32cbcf7635fdc7c4c
SHA1 7d4c498278df2d6b98e29c97482956c16b597be4
SHA256 99b44adc2f056d42da296940b4d07a0fe8cae207aec7a3ae0a424a85312cf5b1
SHA512 d2525945e196fb3316a90b409931a1064a7d41b182321b340a9725927705efdfed2c9b24e589c23c8eae3d8025274fea64145a74c5bd2fce6e74e3f513930bc3

memory/2436-884-0x0000000000000000-mapping.dmp

memory/2928-885-0x0000000000000000-mapping.dmp

C:\odt\csrss.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/2928-887-0x0000000001250000-0x0000000001262000-memory.dmp

memory/5276-890-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5EJ4eIa89C.bat

MD5 6c571904eccf059df2a2b9c7c5e14599
SHA1 e83281f57d14ee5c430205d99943f1b162342aab
SHA256 30f4987c39271b2931b08666914bb8aa9a9a692f52050750b11f840fefecf6d3
SHA512 741f4c0cd93d91a07ff34d25662dadc0c66d850958095d50096a1a4995d8d4564455ad9aa650eb28c6ec54a67d2f5baabae08a7036509a8e8f55e65ea2858306

memory/648-888-0x0000000000000000-mapping.dmp

memory/4372-891-0x0000000000000000-mapping.dmp

C:\odt\csrss.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/3288-893-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat

MD5 a20c831336ba3de2a5c3fdec2fdde2a7
SHA1 52f2a5ba3f7caf86b2bd695344bd9b73069236be
SHA256 9af74507f52ddc135f9cbd76feb93ed352be88ad795575c89911bd59fe9c4676
SHA512 1f05df52a96fc79814e9ac003240048aa0fd5b727badb1b2754ce34d74223109387e70c97812a14279b2c408bb42fe32bd217e470047a69fb3a80522c7ad7827

memory/2648-895-0x0000000000000000-mapping.dmp

memory/2280-896-0x0000000000000000-mapping.dmp

C:\odt\csrss.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/2280-898-0x00000000014F0000-0x0000000001502000-memory.dmp

memory/1928-899-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\pakqiPPahT.bat

MD5 dd5820c15338e2ca87339f68cc708bf9
SHA1 daf8d84aeba52eab407bc6efbbd2f43ac4265eac
SHA256 408bf189d2fddebbd224b1f2f151b699c1a906b4a65b65e362654814880b0075
SHA512 3052bf45b1495951b4289eba108c2c18d2c31635aefb9347b121c25d801afc3c11152c34d7ee7d16337fe0313f096445e723b01c05087cfa0d1134c5572dbb4a

memory/5076-901-0x0000000000000000-mapping.dmp

memory/3956-902-0x0000000000000000-mapping.dmp

C:\odt\csrss.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/3956-904-0x0000000000FE0000-0x0000000000FF2000-memory.dmp

memory/2596-905-0x0000000000000000-mapping.dmp

memory/1932-907-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\wOqzmeZFfo.bat

MD5 f41f55ea42384a397b2014a1d2b3f8fe
SHA1 7fb0b3a88a1b2da28d06354ef71b9afa26c672ab
SHA256 7c93ebc15d6f85b113e411b0ee1f873b9a6ea085537b2dfc7f3528d9252984dc
SHA512 30f1fbaacc51c1f137e86a1b119b33c56c39fcc8445ac5bf704e2c9fb4adb1f17e51c4a32699086bb6748bb1a624117f2860a21375d48f149575c3a2219078f3