Malware Analysis Report

2025-08-10 23:16

Sample ID 221101-nrlljabec8
Target f6d8d45ee3eec21b23f3c43324baa937b2364cce5e0748b50cbb1661d5a8b2f8
SHA256 f6d8d45ee3eec21b23f3c43324baa937b2364cce5e0748b50cbb1661d5a8b2f8
Tags
rat dcrat infostealer
score
10/10

Analysis Overview

score
10/10

SHA256

f6d8d45ee3eec21b23f3c43324baa937b2364cce5e0748b50cbb1661d5a8b2f8

Threat Level: Known bad

The file f6d8d45ee3eec21b23f3c43324baa937b2364cce5e0748b50cbb1661d5a8b2f8 was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

Process spawned unexpected child process

Dcrat family

DcRat

DCRat payload

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-01 11:37

Signatures

DCRat payload

rat

Dcrat family

dcrat

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-01 11:37

Reported

2022-11-01 11:40

Platform

win10-20220901-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f6d8d45ee3eec21b23f3c43324baa937b2364cce5e0748b50cbb1661d5a8b2f8.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (27 identical events, one per schtasks.exe invocation listed under Processes)

DCRat payload

rat

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk1.8.0_66\bin\6203df4a6bafc7 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Mail\en-US\sppsvc.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Mail\en-US\0a1fd5f707cd16 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\bin\lsass.exe C:\providercommon\DllCommonsvc.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\lsass.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Microsoft Office\Office16\csrss.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Microsoft Office\Office16\886983d96e3d3e C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\System.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\27d1bcfc3c54e0 C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Provisioning\Cosa\OEM\winlogon.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Provisioning\Cosa\OEM\cc11b995f2a76d C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings C:\Program Files (x86)\MSBuild\Microsoft\System.exe N/A (11 events)
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings C:\providercommon\DllCommonsvc.exe N/A (1 event)
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\f6d8d45ee3eec21b23f3c43324baa937b2364cce5e0748b50cbb1661d5a8b2f8.exe N/A (1 event)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A (19 events)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (39 events)
N/A N/A C:\Program Files (x86)\MSBuild\Microsoft\System.exe N/A (6 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (10 events)
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
(the preceding 21 rows, SeIncreaseQuotaPrivilege through token 36, repeat verbatim a second time, and the first 11 of them, SeIncreaseQuotaPrivilege through SeRestorePrivilege, a third time)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1980 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\f6d8d45ee3eec21b23f3c43324baa937b2364cce5e0748b50cbb1661d5a8b2f8.exe C:\Windows\SysWOW64\WScript.exe (3 events)
PID 3512 wrote to memory of 5100 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe (3 events)
PID 5100 wrote to memory of 4616 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe (2 events)
PID 4616 wrote to memory of 1280 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 events)
PID 4616 wrote to memory of 1180 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 events)
PID 4616 wrote to memory of 1772 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 events)
PID 4616 wrote to memory of 1500 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 events)
PID 4616 wrote to memory of 880 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 events)
PID 4616 wrote to memory of 4200 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 events)
PID 4616 wrote to memory of 3312 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 events)
PID 4616 wrote to memory of 208 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 events)
PID 4616 wrote to memory of 3264 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 events)
PID 4616 wrote to memory of 2232 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 events)
PID 4616 wrote to memory of 4408 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe (2 events)
PID 4408 wrote to memory of 768 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (2 events)
PID 4408 wrote to memory of 4692 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\MSBuild\Microsoft\System.exe (2 events)
PID 4692 wrote to memory of 4812 N/A C:\Program Files (x86)\MSBuild\Microsoft\System.exe C:\Windows\System32\cmd.exe (2 events)
PID 4812 wrote to memory of 4844 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (2 events)
PID 4812 wrote to memory of 4472 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\MSBuild\Microsoft\System.exe (2 events)
PID 4472 wrote to memory of 4800 N/A C:\Program Files (x86)\MSBuild\Microsoft\System.exe C:\Windows\System32\cmd.exe (2 events)
PID 4800 wrote to memory of 1980 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (2 events)
PID 4800 wrote to memory of 1304 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\MSBuild\Microsoft\System.exe (2 events)
PID 1304 wrote to memory of 2932 N/A C:\Program Files (x86)\MSBuild\Microsoft\System.exe C:\Windows\System32\cmd.exe (2 events)
PID 2932 wrote to memory of 2688 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (2 events)
PID 2932 wrote to memory of 1016 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\MSBuild\Microsoft\System.exe (2 events)
PID 1016 wrote to memory of 1296 N/A C:\Program Files (x86)\MSBuild\Microsoft\System.exe C:\Windows\System32\cmd.exe (2 events)
PID 1296 wrote to memory of 1576 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (2 events)
PID 1296 wrote to memory of 4264 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\MSBuild\Microsoft\System.exe (2 events)
PID 4264 wrote to memory of 2164 N/A C:\Program Files (x86)\MSBuild\Microsoft\System.exe C:\Windows\System32\cmd.exe (2 events)
PID 2164 wrote to memory of 3788 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (2 events)
PID 2164 wrote to memory of 2288 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\MSBuild\Microsoft\System.exe (2 events)

Processes

C:\Users\Admin\AppData\Local\Temp\f6d8d45ee3eec21b23f3c43324baa937b2364cce5e0748b50cbb1661d5a8b2f8.exe

"C:\Users\Admin\AppData\Local\Temp\f6d8d45ee3eec21b23f3c43324baa937b2364cce5e0748b50cbb1661d5a8b2f8.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jdk1.8.0_66\bin\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.8.0_66\bin\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jdk1.8.0_66\bin\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office16\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office16\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\providercommon\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\providercommon\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\Provisioning\Cosa\OEM\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Provisioning\Cosa\OEM\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\Provisioning\Cosa\OEM\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\en-US\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\en-US\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office16\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.8.0_66\bin\lsass.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Provisioning\Cosa\OEM\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\dwm.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\d8sB0Cn4pv.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\MSBuild\Microsoft\System.exe

"C:\Program Files (x86)\MSBuild\Microsoft\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3EiKDvRnKw.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\MSBuild\Microsoft\System.exe

"C:\Program Files (x86)\MSBuild\Microsoft\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\MSBuild\Microsoft\System.exe

"C:\Program Files (x86)\MSBuild\Microsoft\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\MSBuild\Microsoft\System.exe

"C:\Program Files (x86)\MSBuild\Microsoft\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hevtjRcN1r.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\MSBuild\Microsoft\System.exe

"C:\Program Files (x86)\MSBuild\Microsoft\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\MSBuild\Microsoft\System.exe

"C:\Program Files (x86)\MSBuild\Microsoft\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\MSBuild\Microsoft\System.exe

"C:\Program Files (x86)\MSBuild\Microsoft\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\989MOUOnUX.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\MSBuild\Microsoft\System.exe

"C:\Program Files (x86)\MSBuild\Microsoft\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qO35UmqwIy.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\MSBuild\Microsoft\System.exe

"C:\Program Files (x86)\MSBuild\Microsoft\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mNrvcGFykN.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\MSBuild\Microsoft\System.exe

"C:\Program Files (x86)\MSBuild\Microsoft\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\MSBuild\Microsoft\System.exe

"C:\Program Files (x86)\MSBuild\Microsoft\System.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LnIbptgF5R.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\MSBuild\Microsoft\System.exe

"C:\Program Files (x86)\MSBuild\Microsoft\System.exe"
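The command lines above are the sample's persistence and defence-evasion routine: schtasks /create entries that relaunch the dropped copies every few minutes and at logon, mostly with /rl HIGHEST; Add-MpPreference -ExclusionPath calls that exclude every dropped path from Defender scanning; and a relaunch loop in which cmd /C runs a randomly named .bat, w32tm /stripchart is used as a sleep (stripchart takes one sample immediately and one every /period seconds, so /period:5 /samples:2 blocks for about five seconds), and System.exe is started again. The following Python script is an added example, not part of the sandbox report: it pulls those indicators out of a list of process command lines, reports which paths are both persisted by a task and excluded from scanning, and flags file names that imitate Windows system processes from locations where those binaries never live. The embedded input is copied from the command lines listed above; the system-process name list and the legitimate-location rule are this example's own assumptions.

```python
"""Triage process command lines from a sandbox run for persistence and
defence-evasion indicators.  Added example; not part of the sandbox report."""
import json
import re

# Constructed input: a subset of the command lines listed in the report above.
SAMPLE_CMDLINES = r'''
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\System.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\dwm.exe'" /f
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\en-US\sppsvc.exe'" /f
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\sppsvc.exe'" /rl HIGHEST /f
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office16\csrss.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.8.0_66\bin\lsass.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\System.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\sppsvc.exe'
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\dwm.exe'
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\d8sB0Cn4pv.bat"
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
"C:\Program Files (x86)\MSBuild\Microsoft\System.exe"
'''.strip().splitlines()

TASK_RE = re.compile(
    r'schtasks(?:\.exe)?\s+/create\b.*?/tn\s+"(?P<name>[^"]+)"'
    r'.*?/sc\s+(?P<sched>\w+)(?:\s+/mo\s+(?P<every>\d+))?'
    r'.*?/tr\s+"(?P<target>[^"]+)"', re.IGNORECASE)
EXCL_RE = re.compile(r"""Add-MpPreference\s+-ExclusionPath\s+['"]?(?P<path>[^'"]+)""", re.IGNORECASE)
BAT_RE = re.compile(r'cmd(?:\.exe)?"?\s+/c\s+"?(?P<script>[^"]+\.bat)', re.IGNORECASE)
W32TM_RE = re.compile(r"w32tm\s+/stripchart\b", re.IGNORECASE)

# Assumption of this example: process names that only legitimately run from
# %SystemRoot%\System32 (explorer.exe from %SystemRoot%).  "System" and "Idle" are
# kernel pseudo-processes with no .exe on disk, so any such file is suspect.
SYSTEM_NAMES = {"csrss.exe", "lsass.exe", "winlogon.exe", "dwm.exe", "fontdrvhost.exe",
                "sppsvc.exe", "explorer.exe", "system.exe", "idle.exe"}
LEGIT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def masquerades_as_system(path: str) -> bool:
    """True if the file name imitates a Windows system process but the location does not."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    if name not in SYSTEM_NAMES:
        return False
    if name in ("system.exe", "idle.exe"):
        return True
    if name == "explorer.exe":
        return p != "c:\\windows\\explorer.exe"
    return not p.startswith(LEGIT_DIRS)


def triage(cmdlines):
    """Extract persistence, exclusion and delay indicators from process command lines."""
    tasks, exclusions, scripts, delays = [], [], [], []
    for line in cmdlines:
        if m := TASK_RE.search(line):
            tasks.append({
                "name": m["name"],
                "schedule": m["sched"].upper(),
                "every": int(m["every"]) if m["every"] else None,
                "target": m["target"].strip("'"),   # /tr value is wrapped as "'path'"
                # schtasks defaults to LIMITED unless /rl HIGHEST is given
                "run_level": "HIGHEST" if re.search(r"/rl\s+HIGHEST", line, re.I) else "LIMITED",
            })
        elif m := EXCL_RE.search(line):
            exclusions.append(m["path"])
        elif m := BAT_RE.search(line):
            scripts.append(m["script"])
        elif W32TM_RE.search(line):
            # stripchart samples once immediately and then every /period seconds, so the
            # call blocks for about period * (samples - 1) seconds: a LOLBin sleep.
            period = re.search(r"/period:(\d+)", line)
            samples = re.search(r"/samples:(\d+)", line)
            if period and samples:
                delays.append(int(period[1]) * (int(samples[1]) - 1))
    targets = {t["target"].lower() for t in tasks}
    excluded = {e.lower() for e in exclusions}
    masq = {p.lower(): p for p in [t["target"] for t in tasks] + exclusions
            if masquerades_as_system(p)}
    return {
        "tasks": tasks,
        "exclusions": exclusions,
        "scripts": scripts,
        "delays": delays,
        "masquerades": sorted(masq.values()),
        # persisted by a task AND excluded from Defender scanning: the strongest signal
        "persisted_and_excluded": sorted(targets & excluded),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_CMDLINES), indent=2))
```

Feed it Sysmon event ID 1 or EDR process-creation command lines instead of the embedded sample. The persisted_and_excluded intersection is the highest-confidence hit: a benign installer rarely schedules a binary at HIGHEST run level and excludes that same binary from Defender in the same run, and the dropped paths in this report (System.exe, dwm.exe, sppsvc.exe) all land in it.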

Network

Country Destination Domain Proto
NL 87.251.72.33:443 - tcp
DE 136.244.80.197:80 - tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 20.44.10.122:443 - tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 93.184.221.240:80 - tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 185.199.111.133:443 raw.githubusercontent.com tcp

A "-" in the Domain column means no hostname was recorded for that connection.

Files

memory/1980-120-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-121-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-122-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-123-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-125-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-126-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-128-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-129-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-130-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-131-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-132-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-133-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-134-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-135-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-136-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-137-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-138-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-139-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-143-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-142-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-141-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-140-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-144-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-145-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-146-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-147-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-148-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-149-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-150-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-151-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-152-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-153-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-154-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-155-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-156-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-157-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-158-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-159-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-160-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-162-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-161-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-163-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-164-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-165-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-166-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-167-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-168-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-169-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-171-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-170-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-172-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-173-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-174-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-175-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-176-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-177-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-178-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-179-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-180-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-181-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-182-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/1980-183-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/3512-184-0x0000000000000000-mapping.dmp

memory/3512-185-0x0000000077460000-0x00000000775EE000-memory.dmp

memory/3512-186-0x0000000077460000-0x00000000775EE000-memory.dmp

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

memory/5100-260-0x0000000000000000-mapping.dmp

memory/4616-283-0x0000000000000000-mapping.dmp

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4616-286-0x0000000000EF0000-0x0000000001000000-memory.dmp

memory/4616-287-0x0000000001510000-0x0000000001522000-memory.dmp

memory/4616-288-0x00000000017C0000-0x00000000017CC000-memory.dmp

memory/4616-289-0x00000000017A0000-0x00000000017AC000-memory.dmp

memory/4616-290-0x00000000017B0000-0x00000000017BC000-memory.dmp

memory/1500-294-0x0000000000000000-mapping.dmp

memory/1772-293-0x0000000000000000-mapping.dmp

memory/1180-292-0x0000000000000000-mapping.dmp

memory/1280-291-0x0000000000000000-mapping.dmp

memory/880-295-0x0000000000000000-mapping.dmp

memory/4200-296-0x0000000000000000-mapping.dmp

memory/3312-297-0x0000000000000000-mapping.dmp

memory/208-298-0x0000000000000000-mapping.dmp

memory/3264-299-0x0000000000000000-mapping.dmp

memory/2232-300-0x0000000000000000-mapping.dmp

memory/4408-330-0x0000000000000000-mapping.dmp

memory/1180-341-0x000001BC0C4A0000-0x000001BC0C4C2000-memory.dmp

memory/1280-358-0x0000014BFED90000-0x0000014BFEE06000-memory.dmp

memory/768-365-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\d8sB0Cn4pv.bat

MD5 4a7951267e8ff4bc00e1827e437b7485
SHA1 30ded6defac1a366d6dd9b4f567b965a20d77af8
SHA256 aee9ba502ee5496e1ebe71928077ac7ab030d05e3948bd34732596d19e287334
SHA512 7ddd53c8b8ca3a17598220ffc8465b528a85e8015471d81cce4952e83e5f78fe7748a1849ed41544b0a6dd9e8f72822cc41cbb40f66e4f3bd608f68250078447

memory/4692-612-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\MSBuild\Microsoft\System.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4692-627-0x0000000000F50000-0x0000000000F62000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ad5cd538ca58cb28ede39c108acb5785
SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0bdfaa14d7814b541a77f4e97920dfd6
SHA1 c239720eee47db7f7136bb78e37c539b9e735c4c
SHA256 4c8946ef444ac60d731d674ad3d32a42edcd2a8d5fc984366f7c09eb24f5a272
SHA512 dfa795a1fd4fc852064cfdf93602899685bf9c13c7c326feca76fc7f97f92662342c52b79b447bcbc20cd55ea724742a499ad8da8e7770377a3e04ae52351608

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 abf7fc04f64886ca908084fdacf6b490
SHA1 6e54771bf8208d50eb2e28f19fbc39a89d73e177
SHA256 1bdeec29a69dc2353c6fb83a30ef8e4c261ea619d52e59f46bd1171cc6b2603d
SHA512 7baebde225b8510c43452a61695c14d85432ada4d568e2432775b04a90a912e7238b717d60397f6cd48409bf808c91e13489383b08ead8d5aada439d026183c9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 16702505b6f5af88f06aa6619382bf9a
SHA1 4b64f968c4a7889b5078a5ab44ced78813153db4
SHA256 78a9f48ea9f2dc8e634ef056f2a976f7405cd4175bada9f5cbc0daf992da742c
SHA512 a05a3937e8b49854ddf78c93ca35235ceb9f72ab67af36d00c268db28aff86e5120e4505eff0fa0adbd12298deca1515069f993a5f766353404f4723a6bb65d9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 edf66e57ae463c5ef325c9c4c1387a42
SHA1 9cbe9222c0234720109eb65e8f08e6248a55331c
SHA256 cc3587d30b9ca51a23d728d13a73edaa23cc91d786eda692fc7b938c1393c260
SHA512 a9f99e62b3be13bf872558fa95e681122dae948c85534f698369dc648393982ca146d26a804bc9d4cd7bb2823f1f5adc8d05329bd83e20e8c31889009e090afd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 29b209d9727cbb94862959a28841f6a8
SHA1 dee0f0b5396aa5ef76f6b57e3882cb839d5b5c9c
SHA256 cd1f4392ee8bb902981eff13c269ebc12130925aafab6826588f02b9339d2892
SHA512 c326f8c3a27636a21323b1f9a1c55b49aa5760a4548a2208254143df51b6c822ee4cf1d6d7977f9864dd4e38373da9e90a50337172333d5cdc6adea1e4eea57d

memory/4812-669-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\3EiKDvRnKw.bat

MD5 3ed2fe80a84d683cd56eb73d9a3681e6
SHA1 f4c16e2024877802fa183a27f07b07e282fa6a55
SHA256 a4baf1ea979bdec8fe986fe1028bf7f81ecee6e6fa53588664061dc0085f0acc
SHA512 8518f4cfcfba920ae0ac795f78d9ba82fafb26aca6ab10fb7f1c142f48f93ac4a6c40af4f9a74988d01781614e135d238fb2e75cdbbad53f0556c8bd2a6228b6

memory/4844-671-0x0000000000000000-mapping.dmp

memory/4472-672-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\MSBuild\Microsoft\System.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log

MD5 d63ff49d7c92016feb39812e4db10419
SHA1 2307d5e35ca9864ffefc93acf8573ea995ba189b
SHA256 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12
SHA512 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

memory/4800-675-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat

MD5 d64dcb4f2e0cc43a77f6662be41773d2
SHA1 f34a62f0198f7a792bf3b9435587294a32b40e3c
SHA256 8bbc252ec1c568ec22a3c61d1fa923a71a9973569dd495299d1b7a074cdc2640
SHA512 9e0ee12550eafdfbaf00d83fae9293516f1d8bf6dbb0e1470d96689f3f2e082492dbfac75a1f0dad611ec57ebe4c0a805d499504cf6122a96041384b3a8d067a

memory/1980-677-0x0000000000000000-mapping.dmp

memory/1304-678-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\MSBuild\Microsoft\System.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/1304-680-0x0000000000F90000-0x0000000000FA2000-memory.dmp

memory/2932-681-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat

MD5 a93422901e3b8c87e18da23a8d19291c
SHA1 2dbac899a2dd51f52097fbe53b93929c3d5b1c37
SHA256 161d1fb4c39df0b031b5fb5e1decaa0368abc05858ce8cdd3b07da9ffb4094e4
SHA512 6a841f4d99972b001e9e08cd4ab499c7ef19f4283a4fa91903c2baad6670f1135225100645428dfe8b91cb30d01a77a7602723613e48c2a6cb258b2d458b2849

memory/2688-683-0x0000000000000000-mapping.dmp

memory/1016-684-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\MSBuild\Microsoft\System.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/1296-686-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\hevtjRcN1r.bat

MD5 2b27069a4eb0d4b4651d092e495f7939
SHA1 620fdd482ef7318e89c07fd524e4877894480160
SHA256 c698ac62e9896f4c2e0cbc23d804c730962ab5be5d8df975954f91ce7468129c
SHA512 4d7cb0870f07279c117aad0a2686fef3917e993b7193319063efcfd7a5325c7eea8bef2371f1ce79131a965ab0fbb7f3c9dcca74ac01d34f4c7a841b3326ae06

memory/1576-688-0x0000000000000000-mapping.dmp

memory/4264-689-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\MSBuild\Microsoft\System.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/2164-691-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat

MD5 45889d1187ae42ea09e11c9181e92305
SHA1 285246e52208a22e683394c3eafb22ea4018fc55
SHA256 1d9e6e578418b7ea2be8322dbc8d10158a3042a277509551ce54e9ee3eee7b17
SHA512 63c6347445193bbb5e77fa5fa466c3d53d0fad01beee309327f7fb4a3167d5d1d4ae41fa3df209cd3bae991c96f2e4f84536462c668bf8ddcb55675813776cb2

memory/3788-693-0x0000000000000000-mapping.dmp

memory/2288-694-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\MSBuild\Microsoft\System.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/364-696-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat

MD5 7e5b4012fa636bc4a1cd12bc0b85a945
SHA1 1a10b718fff8381ab3716ec33bca7290ab560b26
SHA256 3fb03f1bbd57e962cfa49464501a2db59f913a10131c750ab0c3b559c8e29d99
SHA512 84778dc91f640ff95a1196dd129adbb0417bf9612305eef3e5df1424765514f71e00cff7551224378b4d9fe9c11cd3f64095508ee3534096038c331930117c64

memory/3276-698-0x0000000000000000-mapping.dmp

memory/2780-699-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\MSBuild\Microsoft\System.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/3488-701-0x0000000000000000-mapping.dmp

memory/656-703-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\989MOUOnUX.bat

MD5 1fda1ee45b830ae50b6a80ba6a98e869
SHA1 d8ee1db1147d079390af15c795f4016fd6b19bf6
SHA256 19fa24203dbccf01c388dec7ae3af84e3e948d368cf89d115fb6c57c55450b11
SHA512 7be4a326681c0a473e09cfde1fc462d652bf11794ec28522afbfdced7db8083760b944ec2a4b458b97b911bb170a8d1bf623584d741c6c43025105ceb67b1f13

C:\Program Files (x86)\MSBuild\Microsoft\System.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4028-704-0x0000000000000000-mapping.dmp

memory/4028-706-0x00000000026F0000-0x0000000002702000-memory.dmp

memory/1556-707-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\qO35UmqwIy.bat

MD5 befcb53f41f729946fd4ee4dd08f85ee
SHA1 26e2ecb0e57888e01d268663d687e28e3d208c43
SHA256 f0b24bbcfec58d1355ae10da3d3d822fda9633593982c6cad8a2148a701efd95
SHA512 f3ed8f8ee70a9e4959c865ccb56e078adbab5a84987b2ae527dfbc880f6b373b206162ff3a95ed2d2664639813ee852318f06168ab5a7a708737d0aa59d6b568

memory/4508-709-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\MSBuild\Microsoft\System.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/416-710-0x0000000000000000-mapping.dmp

memory/416-712-0x0000000000720000-0x0000000000732000-memory.dmp

memory/4700-713-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\mNrvcGFykN.bat

MD5 69efed9115a94abf1d518ae2378de5fd
SHA1 5cd8e8d2193769e7acf8f53a800695c500bd6360
SHA256 7dda6460cdbec09f0f7ba9b24312d5897815c35eb6a46c589fc1cdf59ef2d5ca
SHA512 ace971a606dc0ac5aa100d62bc7da2d3334bd3aec2dc5a9e7976f099f57109969486f8385b2d1998b6de21081f18623f6059503a88d70191ffc46435c296b26b

memory/4616-715-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\MSBuild\Microsoft\System.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/524-716-0x0000000000000000-mapping.dmp

memory/4220-718-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat

MD5 d3544c44a7bb5b918122465af4ff2083
SHA1 1706b4f6a1428f0a1aa882b669c02351315b5133
SHA256 14630635d69f1efa5a56695b79bbf94a1588942ab03e5120353356e8706a619f
SHA512 5360249959b58e4e04a150d68f8f62553c22c41180c67ccc43c2be270f54e4165c848f39b6b0766aa905789595454ecfdf653cf3046334d43a8a4099376e9ba4

memory/5052-720-0x0000000000000000-mapping.dmp

memory/4276-721-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\MSBuild\Microsoft\System.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/768-723-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\LnIbptgF5R.bat

MD5 bcad8f63bf49e1f04c7ed57f496269a1
SHA1 3ddde6230dfe21d802808253366f5e55b9b79642
SHA256 918ae2ef1897af6a54b54ed74c1cdabc1d23c66e6a9391ecb27b13586165e73e
SHA512 4e1c724b0e4de99bc08551dd13fbf7cd302f7bf9233b3bba09bce3a216afa40b1077f8f7048ace322c06b5f1d1f0b9bc94cf6f9f07c8916b1fc3b9fcf8d4697d

memory/3332-725-0x0000000000000000-mapping.dmp

memory/5020-726-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\MSBuild\Microsoft\System.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
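The Files list above is flat: a path line followed by MD5, SHA1, SHA256 and SHA512 lines, with memory dump names interleaved, and the same payload appears under several paths (DllCommonsvc.exe and every copy of System.exe share SHA256 b5199d3e…, while each relaunch .bat has its own hash). The following Python parser is an added example rather than part of the report: it turns that layout into records, rejects digests of the wrong length for their algorithm, and groups paths by SHA256 so the dropped copies collapse to one IOC per distinct file. The embedded input is a short excerpt copied from the list above.

```python
"""Parse the flattened Files section of a sandbox report into IOC records and
group dropped files by content hash.  Added example; not part of the report."""
import re
from collections import Counter, defaultdict

# Constructed input: a short excerpt of the Files list above, in the report's own layout
# (a path line, then MD5/SHA1/SHA256/SHA512 lines, with memory dump names interleaved).
SAMPLE_FILES = r'''
memory/4616-283-0x0000000000000000-mapping.dmp

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Users\Admin\AppData\Local\Temp\d8sB0Cn4pv.bat

MD5 4a7951267e8ff4bc00e1827e437b7485
SHA1 30ded6defac1a366d6dd9b4f567b965a20d77af8
SHA256 aee9ba502ee5496e1ebe71928077ac7ab030d05e3948bd34732596d19e287334
SHA512 7ddd53c8b8ca3a17598220ffc8465b528a85e8015471d81cce4952e83e5f78fe7748a1849ed41544b0a6dd9e8f72822cc41cbb40f66e4f3bd608f68250078447

memory/4692-612-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\MSBuild\Microsoft\System.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Program Files (x86)\MSBuild\Microsoft\System.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
'''

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files(text):
    """Return a list of (path, {algo: hexdigest}) records, one per entry in the list.

    memory/... dump names carry no hashes and are skipped; a digest of the wrong
    length for its algorithm (a truncated copy) raises instead of becoming a bad IOC.
    """
    records, current, hashes = [], None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                continue                     # stray hash line with no owning path
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != DIGEST_LEN[algo]:
                raise ValueError(f"{algo} digest for {current} has length {len(digest)}")
            hashes[algo] = digest
            continue
        if current is not None and hashes:   # a new header closes the previous record
            records.append((current, hashes))
        current, hashes = (None if line.startswith("memory/") else line), {}
    if current is not None and hashes:
        records.append((current, hashes))
    return records


def group_by_sha256(records):
    """Map SHA256 -> sorted unique paths, so one payload dropped under several names is one IOC."""
    groups = defaultdict(set)
    for path, hashes in records:
        if "SHA256" in hashes:
            groups[hashes["SHA256"]].add(path)
    return {digest: sorted(paths) for digest, paths in groups.items()}


def path_counts(records):
    """How often each path appears in the list (a path is listed again each time it is rewritten)."""
    return Counter(path for path, _ in records)


if __name__ == "__main__":
    recs = parse_files(SAMPLE_FILES)
    for digest, paths in group_by_sha256(recs).items():
        print(digest, "->", paths)
    print(path_counts(recs))
```

On the full list above the grouping yields one entry for the DcRat payload (DllCommonsvc.exe plus every System.exe write) and one per .bat, which is the set worth blocking by hash; the per-path counts show how many times the dropper rewrote System.exe during the relaunch loop.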