Malware Analysis Report

2025-08-10 23:16

Sample ID 221101-nt6z9abef3
Target bd9616ddf76a94040da1e28c70b7ed082ae87891b1d54bdfbc5d1bec02352b86
SHA256 bd9616ddf76a94040da1e28c70b7ed082ae87891b1d54bdfbc5d1bec02352b86
Tags
rat dcrat infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bd9616ddf76a94040da1e28c70b7ed082ae87891b1d54bdfbc5d1bec02352b86

Threat Level: Known bad

The file bd9616ddf76a94040da1e28c70b7ed082ae87891b1d54bdfbc5d1bec02352b86 was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

DcRat

DCRat payload

Dcrat family

Process spawned unexpected child process

DCRat payload

Executes dropped EXE

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Enumerates physical storage devices

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-01 11:42

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-01 11:42

Reported

2022-11-01 11:45

Platform

win10v2004-20220812-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bd9616ddf76a94040da1e28c70b7ed082ae87891b1d54bdfbc5d1bec02352b86.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (12 identical rows)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (15 identical rows; no indicator details reported)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bd9616ddf76a94040da1e28c70b7ed082ae87891b1d54bdfbc5d1bec02352b86.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Program Files\Common Files\microsoft shared\smss.exe N/A (11 identical rows)
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\providercommon\DllCommonsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\microsoft shared\smss.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Common Files\microsoft shared\69ddcba757bf72 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\dwm.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\6cb0b6c459d5d3 C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings C:\Program Files\Common Files\microsoft shared\smss.exe N/A (11 identical rows)
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings C:\providercommon\DllCommonsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\bd9616ddf76a94040da1e28c70b7ed082ae87891b1d54bdfbc5d1bec02352b86.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A (11 identical rows)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (10 identical rows)
N/A N/A C:\Program Files\Common Files\microsoft shared\smss.exe N/A (11 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (5 identical rows)
Token: SeDebugPrivilege N/A C:\Program Files\Common Files\microsoft shared\smss.exe N/A (11 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4816 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\bd9616ddf76a94040da1e28c70b7ed082ae87891b1d54bdfbc5d1bec02352b86.exe C:\Windows\SysWOW64\WScript.exe (x3)
PID 4992 wrote to memory of 1320 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe (x3)
PID 1320 wrote to memory of 3680 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe (x2)
PID 3680 wrote to memory of 2528 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (x2)
PID 3680 wrote to memory of 2788 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (x2)
PID 3680 wrote to memory of 3724 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (x2)
PID 3680 wrote to memory of 2688 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (x2)
PID 3680 wrote to memory of 5108 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (x2)
PID 3680 wrote to memory of 2680 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe (x2)
PID 2680 wrote to memory of 4936 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (x2)
PID 2680 wrote to memory of 2904 N/A C:\Windows\System32\cmd.exe C:\Program Files\Common Files\microsoft shared\smss.exe (x2)
PID 2904 wrote to memory of 4544 N/A C:\Program Files\Common Files\microsoft shared\smss.exe C:\Windows\System32\cmd.exe (x2)
PID 4544 wrote to memory of 1724 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (x2)
PID 4544 wrote to memory of 5000 N/A C:\Windows\System32\cmd.exe C:\Program Files\Common Files\microsoft shared\smss.exe (x2)
PID 5000 wrote to memory of 1660 N/A C:\Program Files\Common Files\microsoft shared\smss.exe C:\Windows\System32\cmd.exe (x2)
PID 1660 wrote to memory of 3052 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (x2)
PID 1660 wrote to memory of 4332 N/A C:\Windows\System32\cmd.exe C:\Program Files\Common Files\microsoft shared\smss.exe (x2)
PID 4332 wrote to memory of 3544 N/A C:\Program Files\Common Files\microsoft shared\smss.exe C:\Windows\System32\cmd.exe (x2)
PID 3544 wrote to memory of 216 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (x2)
PID 3544 wrote to memory of 576 N/A C:\Windows\System32\cmd.exe C:\Program Files\Common Files\microsoft shared\smss.exe (x2)
PID 576 wrote to memory of 1432 N/A C:\Program Files\Common Files\microsoft shared\smss.exe C:\Windows\System32\cmd.exe (x2)
PID 1432 wrote to memory of 2288 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (x2)
PID 1432 wrote to memory of 1484 N/A C:\Windows\System32\cmd.exe C:\Program Files\Common Files\microsoft shared\smss.exe (x2)
PID 1484 wrote to memory of 3732 N/A C:\Program Files\Common Files\microsoft shared\smss.exe C:\Windows\System32\cmd.exe (x2)
PID 3732 wrote to memory of 2332 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (x2)
PID 3732 wrote to memory of 4616 N/A C:\Windows\System32\cmd.exe C:\Program Files\Common Files\microsoft shared\smss.exe (x2)
PID 4616 wrote to memory of 2196 N/A C:\Program Files\Common Files\microsoft shared\smss.exe C:\Windows\System32\cmd.exe (x2)
PID 2196 wrote to memory of 4588 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (x2)
PID 2196 wrote to memory of 1824 N/A C:\Windows\System32\cmd.exe C:\Program Files\Common Files\microsoft shared\smss.exe (x2)
PID 1824 wrote to memory of 2928 N/A C:\Program Files\Common Files\microsoft shared\smss.exe C:\Windows\System32\cmd.exe (x2)
PID 2928 wrote to memory of 1816 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (x2)

Processes

C:\Users\Admin\AppData\Local\Temp\bd9616ddf76a94040da1e28c70b7ed082ae87891b1d54bdfbc5d1bec02352b86.exe

"C:\Users\Admin\AppData\Local\Temp\bd9616ddf76a94040da1e28c70b7ed082ae87891b1d54bdfbc5d1bec02352b86.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\odt\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\odt\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\microsoft shared\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\microsoft shared\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\dwm.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\microsoft shared\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\StartMenuExperienceHost.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p5GqN7CVuU.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Common Files\microsoft shared\smss.exe

"C:\Program Files\Common Files\microsoft shared\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7C7JiPLtAl.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Common Files\microsoft shared\smss.exe

"C:\Program Files\Common Files\microsoft shared\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZmgdUlucqh.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Common Files\microsoft shared\smss.exe

"C:\Program Files\Common Files\microsoft shared\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Common Files\microsoft shared\smss.exe

"C:\Program Files\Common Files\microsoft shared\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fjtq3MYUh4.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Common Files\microsoft shared\smss.exe

"C:\Program Files\Common Files\microsoft shared\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FBiR4PpyYA.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Common Files\microsoft shared\smss.exe

"C:\Program Files\Common Files\microsoft shared\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\83zFD3riGi.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Common Files\microsoft shared\smss.exe

"C:\Program Files\Common Files\microsoft shared\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yTz6y56Ktd.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Common Files\microsoft shared\smss.exe

"C:\Program Files\Common Files\microsoft shared\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2K3DLFE7WC.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Common Files\microsoft shared\smss.exe

"C:\Program Files\Common Files\microsoft shared\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yTz6y56Ktd.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Common Files\microsoft shared\smss.exe

"C:\Program Files\Common Files\microsoft shared\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\arqkgCRh4V.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Common Files\microsoft shared\smss.exe

"C:\Program Files\Common Files\microsoft shared\smss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gZmmY05In2.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp (11 identical rows)
NL 95.101.78.82:80 - tcp
US 20.42.65.85:443 - tcp
US 209.197.3.8:80 - tcp (3 identical rows)

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Users\Admin\AppData\Local\Temp\p5GqN7CVuU.bat

MD5 8c1a31ad2bad4489e6da14b5c1249dc2
SHA1 335f5a2ab2ff34ce6d8fcc1dae1d870ef6ee832e
SHA256 c541cd89dd8a1ec91537810e41e4dcd75604d985284f12785b0d11eb6bc33506
SHA512 101a06b317abe3bcee19cf4a25943f618bddbfb085b77c4442a47c127e7df10c2b10d84c0a275d368f33f857c5ccee6c950382b92382eed4662467cf97cff6cb

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Program Files\Common Files\microsoft shared\smss.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Program Files\Common Files\microsoft shared\smss.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/2904-166-0x0000000000000000-mapping.dmp

memory/2904-169-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp

memory/4544-170-0x0000000000000000-mapping.dmp

memory/1724-172-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7C7JiPLtAl.bat

MD5 0e5e09ff829a15f91634f815465515bf
SHA1 8ff69fd20b9bd0e49008c7f31f0f439f30858eb2
SHA256 495c6316cc8654be17de3d63c77c6efd9af0ed25cd8d5d52cf125fe018c8c725
SHA512 b63cf75dd7064bad1030e73c5015eff143932db28963704528a896447c882a237b82fd4056176a3329ce396278d1aa8a80b510567b76883a28eb31e8dfb2bc09

memory/2904-173-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp

memory/5000-174-0x0000000000000000-mapping.dmp

C:\Program Files\Common Files\microsoft shared\smss.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\smss.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

memory/5000-177-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp

memory/1660-178-0x0000000000000000-mapping.dmp

memory/3052-180-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\ZmgdUlucqh.bat

MD5 5b6464c1d9ceef86d153c92083ed9e17
SHA1 1d5a7db5027603e25f8a0d65ce3c5061c055ccd8
SHA256 b825813306ed93664ffbba95cd5404512efe050ec47643d01122187ebd042e4d
SHA512 3e51ac49aff5bc539246671e37a76311831f6db4a8aa3dc79719a2a0f48e12a1f340c349fbd63b80a622cdc2e0509042bd9c70402664d08e85ed4dd972723b90

memory/5000-181-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp

C:\Program Files\Common Files\microsoft shared\smss.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4332-182-0x0000000000000000-mapping.dmp

memory/4332-184-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp

memory/3544-185-0x0000000000000000-mapping.dmp

memory/216-187-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat

MD5 2b3fe5e110f5fd1dd3a799c287909f03
SHA1 d6fa527ecb40763074fd03c8fc710f72d8e3d897
SHA256 bb9af21c735a6b96a09502c4634b82da3e8506168fdfdd72c2f10b5a85c0f2e9
SHA512 f67746e5f3c0ebbf8fad57cfaa35eeb08d9f434455f727dfe8486e65e8dd7fa5b51f36765a23f592a4e9fb2e72738bf31b9960fb522fc981768e9d100e95807d

memory/4332-188-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp

memory/576-189-0x0000000000000000-mapping.dmp

C:\Program Files\Common Files\microsoft shared\smss.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/576-191-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp

memory/1432-192-0x0000000000000000-mapping.dmp

memory/2288-194-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\fjtq3MYUh4.bat

MD5 7d040730c12622f9879ea68743318d3f
SHA1 4fc6d058b8a55ec37539d698e2ae5e9591e1f922
SHA256 7ff5ed75640edc24d3fc84eb36885bc8e56922902085a8635d5e721f035317df
SHA512 7644c3f1d1a7f376ee891d538b89dddfac2f189961120a87d565333576a7a7abbf939f9756d30bcc0e43695e470510d7eaf87115614bfc024b90022253af6541

memory/576-195-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp

memory/1484-196-0x0000000000000000-mapping.dmp

C:\Program Files\Common Files\microsoft shared\smss.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/1484-198-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp

memory/3732-199-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\FBiR4PpyYA.bat

MD5 87cefdfa8cd905e8cd6d87726a2788c5
SHA1 f167c1ea057b6d15be144c86821d63e2fb8ae709
SHA256 d1f26d3f020e77d968233158299c9c0238e8476e290d5f7c6a45de60d6d68f72
SHA512 d0dc54ffb63a0440af49eb8e20bc615e95c7759f619dab4184f67db2c2c3f6ac82a910fe7340109f6328811b1c91758b6bfb6cfa809bb6360d62f71e4282f7c6

memory/2332-201-0x0000000000000000-mapping.dmp

memory/1484-202-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp

memory/4616-203-0x0000000000000000-mapping.dmp

C:\Program Files\Common Files\microsoft shared\smss.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4616-205-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp

memory/2196-206-0x0000000000000000-mapping.dmp

memory/4588-208-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\83zFD3riGi.bat

MD5 57f7ee9720e840f6cef568571726eb29
SHA1 f57e0f5178742787d0ab05c685979234606d12a2
SHA256 8f198cb4ddd70c2747cefc5852606ddd03a6f33bac6fdb4af1c9a1ec8e2a0b3f
SHA512 6f89d2fa9eb5f4ecb262e7e922181738d33d088b71781d68832326b243e8c393d8a9093c9ba00960d7360c61ec0e66f56a85f88dffaafa4fd34f4b60a6c3fa14

memory/4616-209-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp

memory/1824-210-0x0000000000000000-mapping.dmp

C:\Program Files\Common Files\microsoft shared\smss.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/1824-212-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp

memory/2928-213-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\yTz6y56Ktd.bat

MD5 4254dc969c693db1ba9c7938ac909852
SHA1 f146b5e1c6a910e6e5fcc1ecc26d83871faa6ca3
SHA256 06b011642e857f68a1992b7546410fab995ebfd3400255f7e1186a630d87e11b
SHA512 8d3afbc2f2b1e5908afae6156db6408df00559e0f3fb1dd0eed0492ba774149a7295247c6eb93ba2b5d9102ff408eb0c77887ec535143536126a956672e4054d

memory/1816-215-0x0000000000000000-mapping.dmp

memory/1824-216-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp

memory/4872-217-0x0000000000000000-mapping.dmp

C:\Program Files\Common Files\microsoft shared\smss.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4872-219-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp

memory/2744-220-0x0000000000000000-mapping.dmp

memory/4872-221-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2K3DLFE7WC.bat

MD5 ac3fb522192f7ab149465234cfc567cc
SHA1 e406fcf6981c27af6786984210c5d19bfca56e04
SHA256 472f4d095f8b48b0c65d4165fd719d7e21956ba9819d041d2ced146da7647069
SHA512 1de4a5dc7344754b949027af0026c81bc3697590c06b918440d968ada387f1b6526db3dd32827825440e01e01f803d5fa7244312b37633cabd407d9da52375e6

memory/5048-223-0x0000000000000000-mapping.dmp

memory/2276-224-0x0000000000000000-mapping.dmp

C:\Program Files\Common Files\microsoft shared\smss.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/2276-226-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp

memory/1328-227-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\yTz6y56Ktd.bat

MD5 4254dc969c693db1ba9c7938ac909852
SHA1 f146b5e1c6a910e6e5fcc1ecc26d83871faa6ca3
SHA256 06b011642e857f68a1992b7546410fab995ebfd3400255f7e1186a630d87e11b
SHA512 8d3afbc2f2b1e5908afae6156db6408df00559e0f3fb1dd0eed0492ba774149a7295247c6eb93ba2b5d9102ff408eb0c77887ec535143536126a956672e4054d

memory/2276-230-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp

memory/1344-229-0x0000000000000000-mapping.dmp

memory/3636-231-0x0000000000000000-mapping.dmp

C:\Program Files\Common Files\microsoft shared\smss.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/3636-233-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp

memory/3008-234-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\arqkgCRh4V.bat

MD5 4df09838e6062c870b890f0e03b010f4
SHA1 399e5ca76fd9dcbc955cc72d1e6b5f8f5526862b
SHA256 f47c1ee620afec63586d3969637463cb747822ec3b69770d33398500899bc058
SHA512 7954b0c650203951fe0acc6eb61d9117463a8c5126d2cafaf9a5756ac464e0d8a2956d2dff2afa9d377f1b06764c6b2ad7c4a1a11ef5fe4723ebc6d184049e7a

memory/3632-236-0x0000000000000000-mapping.dmp

memory/3636-237-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp

memory/3716-238-0x0000000000000000-mapping.dmp

C:\Program Files\Common Files\microsoft shared\smss.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/3716-240-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp

memory/3664-241-0x0000000000000000-mapping.dmp

memory/1416-243-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\gZmmY05In2.bat

MD5 d5accbf759b699e47468780c432d41aa
SHA1 177a558a67ad1679c9a907f0990436ce68aea63b
SHA256 e129dd0996a42b30e5d4507ffd7509eac14f0bfbe6fc1ece968a951a67c39495
SHA512 692f028f483a66f29a8e6d74013854754d1c6e311c60ed43849619cb209afa0f3af7e488cf46518b46a9dfa9d4edc0ba93e85cd597fdc1290d9bd640dcf241f7

memory/3716-244-0x00007FF8D0450000-0x00007FF8D0F11000-memory.dmp