Malware Analysis Report

2025-08-10 23:16

Sample ID 221101-nstnjaceaj
Target 0726a1ba5835a80a73e7a82de6cf5b3a29110c608fa8580c94c6237a9e7a3a7c
SHA256 0726a1ba5835a80a73e7a82de6cf5b3a29110c608fa8580c94c6237a9e7a3a7c
Tags
rat dcrat infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0726a1ba5835a80a73e7a82de6cf5b3a29110c608fa8580c94c6237a9e7a3a7c

Threat Level: Known bad

The file 0726a1ba5835a80a73e7a82de6cf5b3a29110c608fa8580c94c6237a9e7a3a7c was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

DcRat

DCRat payload

Dcrat family

Process spawned unexpected child process

DCRat payload

Executes dropped EXE

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-01 11:40

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-01 11:40

Reported

2022-11-01 11:42

Platform

win10v2004-20220812-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0726a1ba5835a80a73e7a82de6cf5b3a29110c608fa8580c94c6237a9e7a3a7c.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\odt\wininit.exe | N/A
N/A | N/A | C:\odt\wininit.exe | N/A
N/A | N/A | C:\odt\wininit.exe | N/A
N/A | N/A | C:\odt\wininit.exe | N/A
N/A | N/A | C:\odt\wininit.exe | N/A
N/A | N/A | C:\odt\wininit.exe | N/A
N/A | N/A | C:\odt\wininit.exe | N/A
N/A | N/A | C:\odt\wininit.exe | N/A
N/A | N/A | C:\odt\wininit.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\odt\wininit.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0726a1ba5835a80a73e7a82de6cf5b3a29110c608fa8580c94c6237a9e7a3a7c.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\odt\wininit.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\odt\wininit.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\odt\wininit.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\odt\wininit.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\odt\wininit.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\odt\wininit.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\odt\wininit.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\odt\wininit.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Windows Defender\fr-FR\taskhostw.exe | C:\providercommon\DllCommonsvc.exe | N/A
File opened for modification | C:\Program Files\Windows Defender\fr-FR\taskhostw.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files\Windows Defender\fr-FR\ea9f0e6c9e2dcd | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files\Windows Mail\dllhost.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files\Windows Mail\5940a34987c991 | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\6cb0b6c459d5d3 | C:\providercommon\DllCommonsvc.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\de-DE\fontdrvhost.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Windows\de-DE\5b884080fd4f94 | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Windows\AppReadiness\services.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Windows\AppReadiness\c5b4cb5e9653cc | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Windows\InputMethod\SHARED\WmiPrvSE.exe | C:\providercommon\DllCommonsvc.exe | N/A
File created | C:\Windows\InputMethod\SHARED\24dbde2999530e | C:\providercommon\DllCommonsvc.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | C:\odt\wininit.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | C:\odt\wininit.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | C:\odt\wininit.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | C:\odt\wininit.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | C:\odt\wininit.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | C:\odt\wininit.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\0726a1ba5835a80a73e7a82de6cf5b3a29110c608fa8580c94c6237a9e7a3a7c.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | C:\odt\wininit.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | C:\odt\wininit.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | C:\odt\wininit.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\odt\wininit.exe | N/A
N/A | N/A | C:\odt\wininit.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\providercommon\DllCommonsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\odt\wininit.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\odt\wininit.exe | N/A
Token: SeDebugPrivilege | N/A | C:\odt\wininit.exe | N/A
Token: SeDebugPrivilege | N/A | C:\odt\wininit.exe | N/A
Token: SeDebugPrivilege | N/A | C:\odt\wininit.exe | N/A
Token: SeDebugPrivilege | N/A | C:\odt\wininit.exe | N/A
Token: SeDebugPrivilege | N/A | C:\odt\wininit.exe | N/A
Token: SeDebugPrivilege | N/A | C:\odt\wininit.exe | N/A
Token: SeDebugPrivilege | N/A | C:\odt\wininit.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 988 wrote to memory of 4992 | N/A | C:\Users\Admin\AppData\Local\Temp\0726a1ba5835a80a73e7a82de6cf5b3a29110c608fa8580c94c6237a9e7a3a7c.exe | C:\Windows\SysWOW64\WScript.exe
PID 988 wrote to memory of 4992 | N/A | C:\Users\Admin\AppData\Local\Temp\0726a1ba5835a80a73e7a82de6cf5b3a29110c608fa8580c94c6237a9e7a3a7c.exe | C:\Windows\SysWOW64\WScript.exe
PID 988 wrote to memory of 4992 | N/A | C:\Users\Admin\AppData\Local\Temp\0726a1ba5835a80a73e7a82de6cf5b3a29110c608fa8580c94c6237a9e7a3a7c.exe | C:\Windows\SysWOW64\WScript.exe
PID 4992 wrote to memory of 792 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 4992 wrote to memory of 792 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 4992 wrote to memory of 792 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 792 wrote to memory of 4400 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\providercommon\DllCommonsvc.exe
PID 792 wrote to memory of 4400 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\providercommon\DllCommonsvc.exe
PID 4400 wrote to memory of 4340 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 4340 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 2476 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 2476 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 2008 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 2008 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 372 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 372 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 3460 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 3460 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 4088 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 4088 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 4464 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 4464 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 3068 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 3068 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 2592 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 2592 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 3100 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 3100 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 4852 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 4852 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 1436 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 1436 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 4208 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 4208 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 1788 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 1788 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 2492 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 2492 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 3892 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 3892 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 4704 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 4704 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 3836 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 3836 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 3672 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 3672 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4400 wrote to memory of 4760 | N/A | C:\providercommon\DllCommonsvc.exe | C:\odt\wininit.exe
PID 4400 wrote to memory of 4760 | N/A | C:\providercommon\DllCommonsvc.exe | C:\odt\wininit.exe
PID 4760 wrote to memory of 6120 | N/A | C:\odt\wininit.exe | C:\Windows\System32\cmd.exe
PID 4760 wrote to memory of 6120 | N/A | C:\odt\wininit.exe | C:\Windows\System32\cmd.exe
PID 6120 wrote to memory of 2388 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 6120 wrote to memory of 2388 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 6120 wrote to memory of 3516 | N/A | C:\Windows\System32\cmd.exe | C:\odt\wininit.exe
PID 6120 wrote to memory of 3516 | N/A | C:\Windows\System32\cmd.exe | C:\odt\wininit.exe
PID 3516 wrote to memory of 5652 | N/A | C:\odt\wininit.exe | C:\Windows\System32\cmd.exe
PID 3516 wrote to memory of 5652 | N/A | C:\odt\wininit.exe | C:\Windows\System32\cmd.exe
PID 5652 wrote to memory of 1380 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 5652 wrote to memory of 1380 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 5652 wrote to memory of 3648 | N/A | C:\Windows\System32\cmd.exe | C:\odt\wininit.exe
PID 5652 wrote to memory of 3648 | N/A | C:\Windows\System32\cmd.exe | C:\odt\wininit.exe
PID 3648 wrote to memory of 672 | N/A | C:\odt\wininit.exe | C:\Windows\System32\cmd.exe
PID 3648 wrote to memory of 672 | N/A | C:\odt\wininit.exe | C:\Windows\System32\cmd.exe
PID 672 wrote to memory of 3492 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 672 wrote to memory of 3492 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0726a1ba5835a80a73e7a82de6cf5b3a29110c608fa8580c94c6237a9e7a3a7c.exe

"C:\Users\Admin\AppData\Local\Temp\0726a1ba5835a80a73e7a82de6cf5b3a29110c608fa8580c94c6237a9e7a3a7c.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\fr-FR\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\fr-FR\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Application Data\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\Application Data\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Application Data\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\odt\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\odt\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\providercommon\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\odt\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\AppReadiness\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\AppReadiness\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\AppReadiness\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\InputMethod\SHARED\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\InputMethod\SHARED\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\InputMethod\SHARED\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Music\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Public\Music\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\providercommon\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\providercommon\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\providercommon\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\providercommon\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\de-DE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\de-DE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\de-DE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\odt\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\odt\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\fr-FR\taskhostw.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppReadiness\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\InputMethod\SHARED\WmiPrvSE.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Registry.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\upfc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SppExtComObj.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\cmd.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Registry.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\taskhostw.exe'

C:\odt\wininit.exe

"C:\odt\wininit.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XaHtVPtwVH.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\odt\wininit.exe

"C:\odt\wininit.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\odt\wininit.exe

"C:\odt\wininit.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iMm147yiIR.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\odt\wininit.exe

"C:\odt\wininit.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F1gdtReUkn.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\odt\wininit.exe

"C:\odt\wininit.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\odt\wininit.exe

"C:\odt\wininit.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sPXGbYzrvf.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\odt\wininit.exe

"C:\odt\wininit.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TiDn8Em9ri.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\odt\wininit.exe

"C:\odt\wininit.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ddqzBJK7Zu.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\odt\wininit.exe

"C:\odt\wininit.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uLZJId2lFR.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
IE 13.69.239.72:443 tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp

Files
