Malware Analysis Report

2025-08-10 23:16

Sample ID 221101-nsb4gsbed4
Target f71939c2246ae67bffba66e1363d80d059971cceea4f5b356c0ffd0e3927103f
SHA256 f71939c2246ae67bffba66e1363d80d059971cceea4f5b356c0ffd0e3927103f
Tags
rat dcrat infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f71939c2246ae67bffba66e1363d80d059971cceea4f5b356c0ffd0e3927103f

Threat Level: Known bad

The file f71939c2246ae67bffba66e1363d80d059971cceea4f5b356c0ffd0e3927103f was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

Process spawned unexpected child process

DCRat payload

Dcrat family

DcRat

DCRat payload

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-01 11:39

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-01 11:39

Reported

2022-11-01 11:41

Platform

win10-20220812-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f71939c2246ae67bffba66e1363d80d059971cceea4f5b356c0ffd0e3927103f.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target Count
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe 48

DCRat payload

rat
Description Indicator Process Target Count
N/A N/A N/A N/A 15

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\MSBuild\dwm.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Mail\en-US\69ddcba757bf72 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\explorer.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\7a0fd90576e088 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Mail\en-US\smss.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Internet Explorer\de-DE\cmd.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Internet Explorer\de-DE\ebf1f9fa8afd6d C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\fr-FR\6ccacd8608530f C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\9e8d7a4ca61bd9 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_1.1702.21039.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\System.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\MSBuild\6cb0b6c459d5d3 C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Boot\Resources\dwm.exe C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target Count
N/A N/A C:\Windows\system32\schtasks.exe N/A 48

Modifies registry class

Description Indicator Process Target Count
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings C:\Program Files\MSBuild\dwm.exe N/A 9
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\f71939c2246ae67bffba66e1363d80d059971cceea4f5b356c0ffd0e3927103f.exe N/A 1
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings C:\Program Files\MSBuild\dwm.exe N/A 2

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\providercommon\DllCommonsvc.exe N/A 15
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 36
N/A N/A C:\Program Files\MSBuild\dwm.exe N/A 2
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 11

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A 1
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 10
Token: SeDebugPrivilege N/A C:\Program Files\MSBuild\dwm.exe N/A 1
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 7
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 1

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 4696 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\f71939c2246ae67bffba66e1363d80d059971cceea4f5b356c0ffd0e3927103f.exe C:\Windows\SysWOW64\WScript.exe 3
PID 5056 wrote to memory of 3556 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe 3
PID 3556 wrote to memory of 4772 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe 2
PID 4772 wrote to memory of 2720 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 4772 wrote to memory of 2520 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 4772 wrote to memory of 2448 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 4772 wrote to memory of 3912 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 4772 wrote to memory of 3476 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 4772 wrote to memory of 4012 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 4772 wrote to memory of 4448 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 4772 wrote to memory of 592 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 4772 wrote to memory of 2648 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 4772 wrote to memory of 4764 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 4772 wrote to memory of 2188 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 4772 wrote to memory of 1920 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 4772 wrote to memory of 4200 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 4772 wrote to memory of 1284 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 4772 wrote to memory of 4864 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 4772 wrote to memory of 4220 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 4772 wrote to memory of 4412 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 2
PID 4772 wrote to memory of 4900 N/A C:\providercommon\DllCommonsvc.exe C:\Program Files\MSBuild\dwm.exe 2
PID 4900 wrote to memory of 5244 N/A C:\Program Files\MSBuild\dwm.exe C:\Windows\System32\cmd.exe 2
PID 5244 wrote to memory of 5160 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe 2
PID 5244 wrote to memory of 5980 N/A C:\Windows\System32\cmd.exe C:\Program Files\MSBuild\dwm.exe 2
PID 5980 wrote to memory of 6100 N/A C:\Program Files\MSBuild\dwm.exe C:\Windows\System32\cmd.exe 2
PID 6100 wrote to memory of 4528 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe 2
PID 6100 wrote to memory of 4476 N/A C:\Windows\System32\cmd.exe C:\Program Files\MSBuild\dwm.exe 2
PID 4476 wrote to memory of 4304 N/A C:\Program Files\MSBuild\dwm.exe C:\Windows\System32\cmd.exe 2
PID 4304 wrote to memory of 3260 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe 2
PID 4304 wrote to memory of 396 N/A C:\Windows\System32\cmd.exe C:\Program Files\MSBuild\dwm.exe 2
PID 396 wrote to memory of 5400 N/A C:\Program Files\MSBuild\dwm.exe C:\Windows\System32\cmd.exe 2

Processes

C:\Users\Admin\AppData\Local\Temp\f71939c2246ae67bffba66e1363d80d059971cceea4f5b356c0ffd0e3927103f.exe

"C:\Users\Admin\AppData\Local\Temp\f71939c2246ae67bffba66e1363d80d059971cceea4f5b356c0ffd0e3927103f.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\odt\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 8 /tr "'C:\odt\SearchUI.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 12 /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 13 /tr "'C:\odt\SearchUI.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 11 /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\odt\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\odt\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\en-US\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\en-US\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\de-DE\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\de-DE\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Package Cache\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Package Cache\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\SearchUI.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Users\Admin\SearchUI.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\SearchUI.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\SearchUI.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\SearchUI.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\en-US\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\de-DE\cmd.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\SearchUI.exe'

C:\Program Files\MSBuild\dwm.exe

"C:\Program Files\MSBuild\dwm.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uOEGMIRuqZ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\MSBuild\dwm.exe

"C:\Program Files\MSBuild\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CxpWyGgMb4.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\MSBuild\dwm.exe

"C:\Program Files\MSBuild\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AvSbArq942.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\MSBuild\dwm.exe

"C:\Program Files\MSBuild\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BmKXfVMxAz.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\MSBuild\dwm.exe

"C:\Program Files\MSBuild\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NczlPfxoCy.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\MSBuild\dwm.exe

"C:\Program Files\MSBuild\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p6CE4ikEee.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\MSBuild\dwm.exe

"C:\Program Files\MSBuild\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zGIMjSYhT8.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\MSBuild\dwm.exe

"C:\Program Files\MSBuild\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\MSBuild\dwm.exe

"C:\Program Files\MSBuild\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\daA37ewxym.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\MSBuild\dwm.exe

"C:\Program Files\MSBuild\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\53OVnhiNRT.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\MSBuild\dwm.exe

"C:\Program Files\MSBuild\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZZzsG8LzQB.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country  Destination            Domain                     Proto
US       8.8.8.8:53             raw.githubusercontent.com  udp
US       185.199.108.133:443    raw.githubusercontent.com  tcp
US       20.42.65.84:443        N/A                        tcp
US       185.199.108.133:443    raw.githubusercontent.com  tcp
US       209.197.3.8:80         N/A                        tcp
US       185.199.108.133:443    raw.githubusercontent.com  tcp
US       185.199.108.133:443    raw.githubusercontent.com  tcp
US       185.199.108.133:443    raw.githubusercontent.com  tcp
US       185.199.108.133:443    raw.githubusercontent.com  tcp
US       185.199.108.133:443    raw.githubusercontent.com  tcp
US       185.199.108.133:443    raw.githubusercontent.com  tcp
US       185.199.108.133:443    raw.githubusercontent.com  tcp
US       185.199.108.133:443    raw.githubusercontent.com  tcp
US       185.199.108.133:443    raw.githubusercontent.com  tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

memory/3556-259-0x0000000000000000-mapping.dmp

memory/4772-282-0x0000000000000000-mapping.dmp

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Program Files\MSBuild\dwm.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Program Files\MSBuild\dwm.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Users\Admin\AppData\Local\Temp\uOEGMIRuqZ.bat

MD5 7db8a8e4ba082515d2ba89a386caacfd
SHA1 05afc9082e37c1e90a91139149ac17963398b03d
SHA256 341c4bbc8ced38be49120599fd92257fc418824217001007a944a93a35087f80
SHA512 e11d4a56cd8b8085327e19cb3c5bb0a8a6bd9de76bd52c1d1d0aeb2651a5d2087da2b3491dd2d0bc1446154ed894e7826472bfe5a3b405fd28852dbc2f6e6923

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ad5cd538ca58cb28ede39c108acb5785
SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 94aca9ba1f84a489b4e97898bca4539b
SHA1 32bb3571fe4739ace62cf8704e039bbeead2939f
SHA256 17c0363e17f591bf9f53fab05ff46b37ea6a6d78c807b05ce07367c065286e79
SHA512 7430b7583ac55ee15f6c4bf8ae32d486dc6f0e187a040738e8e53785c4df1b722103eebb7970a985b96b5ae9746478376815913ba7d4a2a9e1029c4910af47be

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bcd75daea7963167d3f8e40ba986ee7e
SHA1 6e0535c54ab8f7708932ba2f9674a2a6962c3943
SHA256 99e82cbcc52a5f6b16bba8994228c35dba87abb8f047c5a210959b24c1f9b88f
SHA512 38b27ccf948d4a81eaff88b8358cd5ec1e4ed688c743436302eaa39866ffdade4b4d5567b146211d633d3d64626899de7637e4780d5b6412c19cdebc4edc2268

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d95a9865506ac32268c0388f8549a004
SHA1 30d102f0d293abe78b4594933dfceaaed69c2706
SHA256 17b28959d997b5a2e0d6a7ab08798a76e7a7c3b37ed1a6494a5e90ddb844e08f
SHA512 ff4fddb63ec196a5e0851866df4dc322ceb9e3c5b3817c30fc481b9acbaa9404479dcb990b935fb330e525fa90896852b35533a470dba9036483239fb87c482e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aca575bb5b733dafbdc71372e52547ef
SHA1 ed6bb9828fdf19693a86e6d74a0c7915be8d67e5
SHA256 e9be6f64f6ef44b4e30ae07d77ad7dcb41c1c1c3afe5da15c5c016d11eb8bd7f
SHA512 149bed98bc521acdc7392315c5b2bc132dff649ee6873f20c9bf7239100abbe12a61c767f094aa8c93e26b06a2ebbaa5938c669cc655f9dca0d38a5cfe02c493

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1aada366135da6f493d1fb63feaefe9e
SHA1 7a2e7a5dfb5c0374b719c7b050b0adaf48d451aa
SHA256 8f8fd98c392da6385211f970c638104f11407dcf935b062bb5f333d8daf46391
SHA512 bd88dc26e7f615e3aa02cf7dcc88a103b1c7df3b40abd6795b08964a15dc0b0a61554a33d2b280a1cebc01b0e0f3af05b22e63c5701c4ef18d18ef58d819b33e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1aada366135da6f493d1fb63feaefe9e
SHA1 7a2e7a5dfb5c0374b719c7b050b0adaf48d451aa
SHA256 8f8fd98c392da6385211f970c638104f11407dcf935b062bb5f333d8daf46391
SHA512 bd88dc26e7f615e3aa02cf7dcc88a103b1c7df3b40abd6795b08964a15dc0b0a61554a33d2b280a1cebc01b0e0f3af05b22e63c5701c4ef18d18ef58d819b33e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aca575bb5b733dafbdc71372e52547ef
SHA1 ed6bb9828fdf19693a86e6d74a0c7915be8d67e5
SHA256 e9be6f64f6ef44b4e30ae07d77ad7dcb41c1c1c3afe5da15c5c016d11eb8bd7f
SHA512 149bed98bc521acdc7392315c5b2bc132dff649ee6873f20c9bf7239100abbe12a61c767f094aa8c93e26b06a2ebbaa5938c669cc655f9dca0d38a5cfe02c493

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3ce3ed4732ea2563a7d5e88d3da49cd3
SHA1 a2f686162e1e8b28fd5bb1dcbae15b4110f34100
SHA256 e0e7157657b14528b91ee8d0b04bd16cabd21cbd00a97a5c35ec0d773931cc02
SHA512 79db38e035fe56d1de5942c9941951c3bd564f13f871d32de50a626d7695be133cbae0cf63b56770f29f8016a25951a8bb7700934f48deb778c3418de3d1910c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3ce3ed4732ea2563a7d5e88d3da49cd3
SHA1 a2f686162e1e8b28fd5bb1dcbae15b4110f34100
SHA256 e0e7157657b14528b91ee8d0b04bd16cabd21cbd00a97a5c35ec0d773931cc02
SHA512 79db38e035fe56d1de5942c9941951c3bd564f13f871d32de50a626d7695be133cbae0cf63b56770f29f8016a25951a8bb7700934f48deb778c3418de3d1910c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6451f086db7687095451e197015c8d10
SHA1 a2c5fd63d4679e7ba4cafec585bd3aaf212d2476
SHA256 be28a4bf8dc8962d3a3fd92bab88af741b57b571d507da5e6d73e2ced22b537d
SHA512 6be7e42d2c7c72653b1b1f360f8252f3f3a4f703129ea5072998422243cb8a95f2402fc92a77a846f5a5843b92a74949b9287019d3b8bb28fa3ef6c71f29e692

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d95a9865506ac32268c0388f8549a004
SHA1 30d102f0d293abe78b4594933dfceaaed69c2706
SHA256 17b28959d997b5a2e0d6a7ab08798a76e7a7c3b37ed1a6494a5e90ddb844e08f
SHA512 ff4fddb63ec196a5e0851866df4dc322ceb9e3c5b3817c30fc481b9acbaa9404479dcb990b935fb330e525fa90896852b35533a470dba9036483239fb87c482e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e9ba28f2d4217a343c8648d22fbe9737
SHA1 07b1892d6330f61f2ead872cd41a60ab19f403a0
SHA256 da824bc99d5c24d7ca83e1e1cfee8288b7ad61736c3f143d816171b2044a4b73
SHA512 29e202086d319135bb79ffd233e7b58eab0e7888485baaece1bc3a478b862c712ce061d1dd29017cb67ef0fe66037ec725996e19203a3f046ee46f94cfa35c35

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 94aca9ba1f84a489b4e97898bca4539b
SHA1 32bb3571fe4739ace62cf8704e039bbeead2939f
SHA256 17c0363e17f591bf9f53fab05ff46b37ea6a6d78c807b05ce07367c065286e79
SHA512 7430b7583ac55ee15f6c4bf8ae32d486dc6f0e187a040738e8e53785c4df1b722103eebb7970a985b96b5ae9746478376815913ba7d4a2a9e1029c4910af47be

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a664255c97733804f7f63100d93cbd6
SHA1 a3075d899b36ee98e9cc2f85c9eb8df3a20abcf9
SHA256 ab128874f205d3d7c305b6a8ab946e8268da98093110046ec42693e563040dce
SHA512 3a36b4e8c6a1e8376ba667813a87f615deeb0b533d52a38941a0cd23b57fe10a8c2b12db6828d7c7ce345527eb1a45c64adf4bcd46d77576288d2b4b946dc813

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a664255c97733804f7f63100d93cbd6
SHA1 a3075d899b36ee98e9cc2f85c9eb8df3a20abcf9
SHA256 ab128874f205d3d7c305b6a8ab946e8268da98093110046ec42693e563040dce
SHA512 3a36b4e8c6a1e8376ba667813a87f615deeb0b533d52a38941a0cd23b57fe10a8c2b12db6828d7c7ce345527eb1a45c64adf4bcd46d77576288d2b4b946dc813

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4dd63e07607ba0ddffea2322a093b96a
SHA1 388b4318a9662adb8b08b11a58e021d479f97ae9
SHA256 c0ad0fc641c5a85a002805a44b1412ee20e6982517b51927e2adb48606cc920c
SHA512 38e975456e95ea2b1acebf92e6baedac67801454d0f9a487939f5b57d1ad14c16c825c152a922a0d609f69241d78abfed2a73bcad8257d65d2017efa0218293d

C:\Program Files\MSBuild\dwm.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

MD5 d63ff49d7c92016feb39812e4db10419
SHA1 2307d5e35ca9864ffefc93acf8573ea995ba189b
SHA256 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12
SHA512 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

memory/5980-913-0x0000000000000000-mapping.dmp

memory/6100-916-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\CxpWyGgMb4.bat

MD5 00a7d2623671304e88923e97e449aade
SHA1 1364efd78d24e1e8153aaadaf2def767717aa130
SHA256 c95b5e1165bd305657aed3278499e3536587b8ae65cf8aaa99a8c30904d865a7
SHA512 a1f8b444aa9a5d06ed21e38dd844ffcafdd6dc1f480414b41cc9d2c637984407633555f50a864da375048a5b2069b3713786976cc46ec6621eced4f925e9ecce

memory/4528-918-0x0000000000000000-mapping.dmp

memory/4476-919-0x0000000000000000-mapping.dmp

C:\Program Files\MSBuild\dwm.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4304-921-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\AvSbArq942.bat

MD5 fcb02c8d1310b991994a853fbc77f907
SHA1 a40f1b5403bbf05ed8194854be55fa2aed93a271
SHA256 c4fb72fefdf1411abcf347db5d002a6fef2559ab6c00065a72f9ff90376dff20
SHA512 93ba1ef90582fc3375049c5e9d2df818f6e91ab7f01a88e00fbe7872a00d9046166a7508d38172e72da257badf1b7f4742606d5b782da3f7f1573418a61f2e73

memory/3260-923-0x0000000000000000-mapping.dmp

memory/396-924-0x0000000000000000-mapping.dmp

C:\Program Files\MSBuild\dwm.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/396-926-0x00000000028D0000-0x00000000028E2000-memory.dmp

memory/5400-927-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\BmKXfVMxAz.bat

MD5 5f34dd91b67e3e6cce9bff23023fba1e
SHA1 6e1c508d36895de29d7f822950c5418e3669d7f4
SHA256 2e5c642c995124b651def3c03d99b7d911f0dbfeb15952a79a36753a24abf762
SHA512 de7b1a2559f098c6370c0d1db1bdd3bff7c8338f28ec3e4d7fe66828b512c4a9002e1971d983cc42f9d372768776739160f6bd28648505b71fd5918456a3239e

memory/4188-929-0x0000000000000000-mapping.dmp

memory/5568-930-0x0000000000000000-mapping.dmp

C:\Program Files\MSBuild\dwm.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/5304-932-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\NczlPfxoCy.bat

MD5 4d4247814705e009157329a520f9e3b3
SHA1 7cfa598425716ff5c42ed51122f32131c6d4daa6
SHA256 3ec0eb5c5b71f1ad28b4392c52dbb52ac0ba119e6af18f5fef17c146af49c045
SHA512 fb5f1f5983d91dc48f37e10647236278d0f1274aa73686a027730e87bce9b07ad6e9ad5e0fa54becee850f0b33b3b3ed090ccd0b80a731c0e6adb48a7455d76c

memory/4232-934-0x0000000000000000-mapping.dmp

memory/412-935-0x0000000000000000-mapping.dmp

C:\Program Files\MSBuild\dwm.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/412-937-0x00000000009E0000-0x00000000009F2000-memory.dmp

memory/4248-938-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\p6CE4ikEee.bat

MD5 87252dedc67e686a8047ac03ecd2310e
SHA1 b9973782e07c20e5b389d9a19baa39309b6a07fd
SHA256 d63e5da2af9a93aed6b873fa2bf798ca754bbd360c60415b4e26a3eaef3daf21
SHA512 a96acae6a507894172646861132ad708665145d8fed2a8ff406a4567521f8d49e2dd60409753badd86f65ffd79745e9384b9c7b635a2ec9378305472a21d063a

memory/4716-940-0x0000000000000000-mapping.dmp

memory/364-941-0x0000000000000000-mapping.dmp

C:\Program Files\MSBuild\dwm.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/364-943-0x0000000001760000-0x0000000001772000-memory.dmp

memory/3816-944-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\zGIMjSYhT8.bat

MD5 3fe4dc2bc049629dcf4a8aa5eea56e59
SHA1 11f38aef6314fa5663b41354c0fd47ac38d4dc9a
SHA256 600821eff272a1d3b102977888a930e55430d5d8200157ba1dc44903ba6487a8
SHA512 39af477bbe44cd8259777cb6a9b1e39404368d00ea096d6d4bfc705bbb03906dbb6fd1fc5a66e7e3cfa3cd06c465c1b953b62aaa6bbf0222da34d12b8764d81c

memory/5800-946-0x0000000000000000-mapping.dmp

C:\Program Files\MSBuild\dwm.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/2612-947-0x0000000000000000-mapping.dmp

memory/4776-949-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat

MD5 399924d5ceaded76fc71ddc01192ca5b
SHA1 adf654ba327349b572f6703c9fbd482659591829
SHA256 b07c9606420b77a721404206b43cf47eb1a4a185181c8c2d03a8130c9a110242
SHA512 a05261b00c7f850dccda5a466ab55f307f74156ee7e1ddf3562e257219b424840f2c28473fc5ba1b3c70287da1bf127d6cae86d7bffba80bdf91e84d46a33d78

memory/2232-951-0x0000000000000000-mapping.dmp

memory/4540-952-0x0000000000000000-mapping.dmp

C:\Program Files\MSBuild\dwm.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/1224-954-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\daA37ewxym.bat

MD5 1de03e5acfa59717c6b97693f4c16438
SHA1 77ac6d79588b0f06fb5f9b28a03915ddcd5b7808
SHA256 809b7412b35b7ba8c2aabb48f659d90db58264c5f930dd0ec341b95d655a9181
SHA512 5f224684ac1085094eec4d2216a8450bae791510e32ad5ed9d28dde6f464e7ba105891a62aeed284478ae8019529b1d11ba9990665c3a90b677ebb45d2c5ad8a

memory/3724-956-0x0000000000000000-mapping.dmp

C:\Program Files\MSBuild\dwm.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4312-957-0x0000000000000000-mapping.dmp

memory/3800-959-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\53OVnhiNRT.bat

MD5 0b982405a999928e2ccbe8427bd714e3
SHA1 ab7528f5d605efa4d0630272cc6055951d8f3306
SHA256 2b6649a587c39b9d53559d8a1b4a09d7aa72664ea8b29f7d55a763635a94bc21
SHA512 ccd54ffe25c36ad3e10f083fb88e1b766a17b555283fa7de18454158df09b1e005f1f0de8a4b032afdc406e0bd17accd86282b68670758a22b3f38211ea75ecd

memory/1120-961-0x0000000000000000-mapping.dmp

memory/4700-962-0x0000000000000000-mapping.dmp

C:\Program Files\MSBuild\dwm.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4700-964-0x0000000001090000-0x00000000010A2000-memory.dmp

memory/2392-965-0x0000000000000000-mapping.dmp

memory/4912-967-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\ZZzsG8LzQB.bat

MD5 54fbf3131a7a654b542fda33da55a207
SHA1 48e9d33d10484efa36edbc696692eec402fb3fcc
SHA256 64b6de21a44c7a9904505311ac5f0d4f85e0947604f94e6c3b9e51f047e481fd
SHA512 9992b88c803b7b35c1171e6a67619254749af39084a141e82e8e24dda22428ef73f5630284d06c4ae8fe067f0d8895d77f722156344c34effec6cce6a980b24b
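The file list above is raw sandbox output: each dropped file appears once per write event (the same `C:\Program Files\MSBuild\dwm.exe` content, identical hashes, is recorded repeatedly), every `.bat` loader has a distinct hash, `memory/...` lines are process dumps rather than files, and the first hash line of this page is orphaned from its path header by pagination. The following parser is an added example, not part of the report or of the sandbox's own tooling. It walks this exact format, validates that each hash has the right length for its algorithm, collapses repeated write events of identical content into one IOC record, and flags a Windows system binary name written outside the system directories (the legitimate `dwm.exe` lives under `C:\Windows\System32`, so a copy under `C:\Program Files\MSBuild` is masquerading, ATT&CK T1036). The `SYSTEM_BINARY_NAMES` watchlist and `EXPECTED_SYSTEM_DIRS` tuple are my own assumptions; the sample text is a slice of this report's Files section constructed inline.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a slice of this report's Files section in its own format.
# The leading SHA512 is deliberately orphaned (its path header is on the
# previous page) and memory/... lines are sandbox dump entries, not files.
SAMPLE = r"""
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
memory/396-926-0x00000000028D0000-0x00000000028E2000-memory.dmp
memory/5400-927-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\BmKXfVMxAz.bat
MD5 5f34dd91b67e3e6cce9bff23023fba1e
SHA1 6e1c508d36895de29d7f822950c5418e3669d7f4
SHA256 2e5c642c995124b651def3c03d99b7d911f0dbfeb15952a79a36753a24abf762
SHA512 de7b1a2559f098c6370c0d1db1bdd3bff7c8338f28ec3e4d7fe66828b512c4a9002e1971d983cc42f9d372768776739160f6bd28648505b71fd5918456a3239e
C:\Program Files\MSBuild\dwm.exe
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
memory/5304-932-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\NczlPfxoCy.bat
MD5 4d4247814705e009157329a520f9e3b3
SHA1 7cfa598425716ff5c42ed51122f32131c6d4daa6
SHA256 3ec0eb5c5b71f1ad28b4392c52dbb52ac0ba119e6af18f5fef17c146af49c045
SHA512 fb5f1f5983d91dc48f37e10647236278d0f1274aa73686a027730e87bce9b07ad6e9ad5e0fa54becee850f0b33b3b3ed090ccd0b80a731c0e6adb48a7455d76c
C:\Program Files\MSBuild\dwm.exe
MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394
"""

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
PATH_LINE = re.compile(r"^[A-Za-z]:\\")

# Assumed watchlist (my choice, not from the report): Windows binary names that
# only belong under the system directories listed in EXPECTED_SYSTEM_DIRS.
SYSTEM_BINARY_NAMES = {"dwm.exe", "svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}
EXPECTED_SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class Artifact:
    path: str
    hashes: dict = field(default_factory=dict)   # algorithm name -> lowercase hex


def parse_files_section(text):
    """Parse 'path' / 'ALGO hex' groups; returns (artifacts, memory_dump_names)."""
    artifacts, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("memory/"):
            dumps.append(line)
            current = None                 # a dump entry closes the current file group
            continue
        m = HASH_LINE.match(line)
        if m:
            if current is None:            # hash with no path header: orphaned by pagination
                continue
            algo, value = m.group(1), m.group(2).lower()
            if len(value) != HASH_LENGTHS[algo]:
                raise ValueError(f"{current.path}: {algo} has {len(value)} hex chars")
            current.hashes[algo] = value
            continue
        if PATH_LINE.match(line):
            current = Artifact(path=line)
            artifacts.append(current)
    return artifacts, dumps


def dedupe_by_sha256(artifacts):
    """Collapse repeated write events of identical content into one IOC record."""
    unique = {}
    for a in artifacts:
        sha = a.hashes.get("SHA256")
        if sha is None:
            continue
        rec = unique.setdefault(sha, {"paths": set(), "events": 0, "hashes": a.hashes})
        rec["paths"].add(a.path)
        rec["events"] += 1
    return unique


def masquerade_findings(artifacts):
    """Paths whose file name is a system binary but whose directory is not a system dir."""
    hits = []
    for a in artifacts:
        low = a.path.lower()
        name = low.rsplit("\\", 1)[-1]
        if name in SYSTEM_BINARY_NAMES and not low.startswith(EXPECTED_SYSTEM_DIRS):
            if a.path not in hits:
                hits.append(a.path)
    return hits


if __name__ == "__main__":
    arts, dumps = parse_files_section(SAMPLE)
    print(f"{len(arts)} file events, {len(dumps)} memory dumps")
    for sha, rec in dedupe_by_sha256(arts).items():
        print(f"{sha}  x{rec['events']}  {sorted(rec['paths'])}")
    for path in masquerade_findings(arts):
        print("masquerade:", path)
```

Feed the whole Files section of a report through `parse_files_section` and the SHA256 keys of `dedupe_by_sha256` are the hunt list; the event counts tell you which content the implant rewrites on every run (here the `dwm.exe` copy) versus the one-shot `.bat` loaders whose hashes will not recur on another host.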