Malware Analysis Report

2025-08-10 23:16

Sample ID 221101-ntfhasbee5
Target 6993b53f85ba0f40bb7eb332e3eef3877751acd544a9b96f5792d23cde8fe44d
SHA256 6993b53f85ba0f40bb7eb332e3eef3877751acd544a9b96f5792d23cde8fe44d
Tags
rat dcrat infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6993b53f85ba0f40bb7eb332e3eef3877751acd544a9b96f5792d23cde8fe44d

Threat Level: Known bad

The file 6993b53f85ba0f40bb7eb332e3eef3877751acd544a9b96f5792d23cde8fe44d was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

Dcrat family

DCRat payload

Process spawned unexpected child process

DcRat

DCRat payload

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-01 11:41

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-01 11:41

Reported

2022-11-01 11:43

Platform

win10-20220812-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6993b53f85ba0f40bb7eb332e3eef3877751acd544a9b96f5792d23cde8fe44d.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\spoolsv.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Microsoft Office\f3b6ecef712a24 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\7a0fd90576e088 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\e6c9b481da804f C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Microsoft Office\spoolsv.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\explorer.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Defender\ja-JP\886983d96e3d3e C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\9e8d7a4ca61bd9 C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\L2Schemas\taskhostw.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\L2Schemas\ea9f0e6c9e2dcd C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\ELAMBKUP\cmd.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\ELAMBKUP\ebf1f9fa8afd6d C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings C:\providercommon\dllhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\6993b53f85ba0f40bb7eb332e3eef3877751acd544a9b96f5792d23cde8fe44d.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\providercommon\dllhost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4248 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\6993b53f85ba0f40bb7eb332e3eef3877751acd544a9b96f5792d23cde8fe44d.exe C:\Windows\SysWOW64\WScript.exe
PID 3576 wrote to memory of 4496 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4496 wrote to memory of 1316 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 1316 wrote to memory of 2500 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 2868 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 4980 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 1944 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 2056 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 2820 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 3904 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 4688 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 5024 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 5040 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 4568 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 4644 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 3424 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 3704 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 3972 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 3996 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 3060 N/A C:\providercommon\DllCommonsvc.exe C:\providercommon\dllhost.exe
PID 3060 wrote to memory of 5472 N/A C:\providercommon\dllhost.exe C:\Windows\System32\cmd.exe
PID 5472 wrote to memory of 5528 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5472 wrote to memory of 5704 N/A C:\Windows\System32\cmd.exe C:\providercommon\dllhost.exe
PID 5704 wrote to memory of 5812 N/A C:\providercommon\dllhost.exe C:\Windows\System32\cmd.exe
PID 5812 wrote to memory of 5868 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5812 wrote to memory of 5888 N/A C:\Windows\System32\cmd.exe C:\providercommon\dllhost.exe
PID 5888 wrote to memory of 5996 N/A C:\providercommon\dllhost.exe C:\Windows\System32\cmd.exe
PID 5996 wrote to memory of 6052 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5996 wrote to memory of 6072 N/A C:\Windows\System32\cmd.exe C:\providercommon\dllhost.exe
PID 6072 wrote to memory of 5200 N/A C:\providercommon\dllhost.exe C:\Windows\System32\cmd.exe
PID 5200 wrote to memory of 5260 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6993b53f85ba0f40bb7eb332e3eef3877751acd544a9b96f5792d23cde8fe44d.exe

"C:\Users\Admin\AppData\Local\Temp\6993b53f85ba0f40bb7eb332e3eef3877751acd544a9b96f5792d23cde8fe44d.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Windows\ELAMBKUP\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\ELAMBKUP\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Windows\ELAMBKUP\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\My Documents\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\My Documents\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 7 /tr "'C:\providercommon\SearchUI.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\providercommon\SearchUI.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 9 /tr "'C:\providercommon\SearchUI.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\odt\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\odt\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\providercommon\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 13 /tr "'C:\providercommon\SearchUI.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\providercommon\SearchUI.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 14 /tr "'C:\providercommon\SearchUI.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\providercommon\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\L2Schemas\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ELAMBKUP\cmd.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\My Documents\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SearchUI.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OfficeClickToRun.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SearchUI.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\taskhostw.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\csrss.exe'

C:\providercommon\dllhost.exe

"C:\providercommon\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtQmBjXbDh.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\dllhost.exe

"C:\providercommon\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\dllhost.exe

"C:\providercommon\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H7kUlUtrsw.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\dllhost.exe

"C:\providercommon\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lLU0orPlEL.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\dllhost.exe

"C:\providercommon\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gTQuRhIyam.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\dllhost.exe

"C:\providercommon\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\dllhost.exe

"C:\providercommon\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B4BP5ZSgoJ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\dllhost.exe

"C:\providercommon\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\dllhost.exe

"C:\providercommon\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AsgPmp9HNF.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\dllhost.exe

"C:\providercommon\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\989MOUOnUX.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\dllhost.exe

"C:\providercommon\dllhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F4MZx53eLu.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
NL 52.178.17.3:443 tcp
NL 178.79.208.1:80 tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\providercommon\dllhost.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Users\Admin\AppData\Local\Temp\WtQmBjXbDh.bat

MD5 46253a1aade2967e02dd198fccaa7515
SHA1 72e8fa18f1b286c06eaa5e8809ad3c57be87b263
SHA256 24488651f168fddec4e341787288784df99fe548fc45d8b213e67da3ed5cc495
SHA512 560621708567a94eb4498f8ff7b8d698cc6d539d34827775b01a1811b2a85282815f4b0d05cd63aa7f5eafc0d3d36ea1f0725214a2b1a3bbdedff31e06409d45

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ad5cd538ca58cb28ede39c108acb5785
SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 84f0ee796ef63ebeb2840c0319b52514
SHA1 1cbe24f52959c91056b27e69dade88d59995f39e
SHA256 6dd0a6bf4fc0aae88b19eda65013b4852ed0366322b6e5ffb9032309f1838ed5
SHA512 68595ba944477478b2d87a4d4f630f71452423f688594c65330a3df2693c4b41a4b4c61a17744cedaa7c4f99dbfa019a1040edc30111c0701d6cf626ed742c87

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0254001c1d00e45465706c1ea9ba803f
SHA1 dcb753772f1c27fceb06a17ea7204dcca1d84663
SHA256 e36f91375f5774c5b0e62006fba90699e60b8c20676cb4955cf97cf245049c27
SHA512 f0b9870df6ec5c3a644685d36066409dfaa7db628b2db5f74965f961734bded2324340065fdc7e5719122bbecf22c5f90a46f2f83de1350cade1d6372bf35095

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b533160f31dbbb5a1826bc88d206d05b
SHA1 fa44f7b545ea8fcbdabc014b9a8c8e43637872a5
SHA256 7fdc4efd759f9c40f69634077dcccf70d6b786b69f39334b9fa96edce6d24c26
SHA512 583b31a73d1a074736f8027d038570150bd92153f6a03e7b668b7c6a9f7ba3d2699fd51bbeb282ae94992cf5e105e809c9dda1a43ae61ed4c6869661a2fdbe53

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 51b27223e327ca9e2c267cc869b6f5b1
SHA1 becbb554e2305e818331a7ba1e4703ffa12913f2
SHA256 c7aa373bea9de4ae95d4d202e5834b37c2529f8b20b995ae4692f85c92f1dfad
SHA512 f3e1da6fe772b0d1d37a7b613e50dd724f783a6e7651ecbab473b21a9c96d61aea806780816d550af4a3b38c0e70b0b0d1a6a9cff5cd7eacf3b9e4e791e9aaeb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 24cafba099dbe70d35438be636f9c629
SHA1 0fa52af1b1c4939d841c2ad37b19cbe692b7fdc7
SHA256 d16191dca2e343716f5919a12b2f9403b2949eb93880fd591afccea1575016f3
SHA512 df944cec6dfd5f9f2e44f4eeb39bccd42f5f0863df89a6ee110b7d8161fceed9f9a5293af7455d13593ae2d5b01e293c473642267c6f6c7b6dbbf387e645b5be

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ea8eb4c93b171a1bd8f78c2f8d3c5f91
SHA1 c974b8f55f8e9523e09efcca15e98bbc3fdaecf9
SHA256 c28a2524ce1c2ae80134f7706c2635ebab867c3f72a765c379e52a39f6b33eaa
SHA512 842566248d47165c75a0c8a0c68a5c4a86b53dcaa847bc87e68f009a806cd985845976ae2a0268e7951f580f1cb850398a73e3c18be18d142619b23987b73878

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 13f2c453c15b89b97f1acb91f3534286
SHA1 b242be1472270a92e1e2d9301ddbf8381cdfcbad
SHA256 bf834352853ee87a849d402660e739c7fa7e601a238a387a19c3066c5005ba41
SHA512 e10e561ecb20f21f71ae64d296e74eb35ef8d10dd36bfaa87bdc3adc17fddfdf90fc0edee0433d16e9664e04283ec2cfc6a46d2e1b5dd9325e7082dd110b6766

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 763149d014a7ddf2ad863a0e819bd1c2
SHA1 f5de8a47c4f472156c9cf2074a1b1a29e47b1540
SHA256 91caad5c7b34eccb86cbb5b2b8b7f528f57b734613b0968d0789d8f56ff26dda
SHA512 7affb43ca2e83e785846365f62a5333ca4c4b7adb0983637705e88f20e6b37551610d6b0280197729d995089fd9480f849fc287d4eb93160e7e19157bfd86a3c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4fa1a5ed0b5a4405fd738cee04ab3ddc
SHA1 29aea989663d67ce25316f6c1ef2a7f827b919c7
SHA256 e88d533dd98636ff7d096c9e8718647b7d039e7d8a00a05651004c3d1fb153c4
SHA512 0e6f1cdafe07e675f7c01847437647ead27bf75297223ac13fa29235a77f7b2ad0fd67819e7efa150cf2b8e2233b163c07ef256cabf5883f9d99bc5487034035

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 374f110164d9beec260f38b402a46831
SHA1 2395c7f81b95b2e7869e3fd661327609e791ddb5
SHA256 ce6caa88628ce18c4bf6cc51c359eba292555a300f65e097b3127b392f2fe16c
SHA512 25215a37ef2208e9fc40814c3e9c65fe6e6cb4d08dbb0ae60688cc74fd90ac2424af55121a7d48057dd4e9d905cee30641c8d39ada6b5ca1d7a79728f0066381

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log

MD5 d63ff49d7c92016feb39812e4db10419
SHA1 2307d5e35ca9864ffefc93acf8573ea995ba189b
SHA256 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12
SHA512 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat

MD5 5bb71e5aaeb8cb4b887ba0d7571c4e4c
SHA1 1fb0be7d8b6b0b848fa027b9b5a2e9959dd07ec8
SHA256 3f3c7968e8328abe7aa2112acbb2c2d5d370b19a52c6127db38ad23e4253883a
SHA512 f9260a50991f9bb3f0c90673afc1f529f1335268cb081199a9378e62bf16f387935641f8079de89c59ffcd294b75dc4de3b21cb10a77572b8ea76f9db14e961a

C:\Users\Admin\AppData\Local\Temp\H7kUlUtrsw.bat

MD5 92f2df47aebdf101a031bc9165034f7b
SHA1 04939ec7074e06e13aeb635108f4f636f65881c6
SHA256 01269acbbb58419d195e7d880a65af9182f1a93f75816088131e7810269aae0e
SHA512 6b629e9278fb94ccc93933b51b188ee8a9d5815b816a7d8f787d28a3ea5173b4fb07c855c91ffe67e66c117d85cdc61eb076cdda814e12f962c1df265f203277

C:\Users\Admin\AppData\Local\Temp\lLU0orPlEL.bat

MD5 524ba7d1f241d0ebc81dc96458de1cae
SHA1 48a8031332e17dcd42a7c083262891c13fcf9bc4
SHA256 ae0ed97eae4ee407c38e43f74fed33b50fa392dbcf36030d807d46862f3416ff
SHA512 3397be6ad91aa3b381178b46016394018f09f6cd63cb5b9231a16ccb1f91845f605a80ec4d0bea77567debeabd80cb2065554fe83bad765492a120c3d7d80435

C:\Users\Admin\AppData\Local\Temp\gTQuRhIyam.bat

MD5 df52fc6ab41da3949bb7d2fbe457d77f
SHA1 89a55fdb9cadbe7119c5fdfde3a22d60ca78dfff
SHA256 45644411eb5a0081800a1efb1bc0b3a2d297423b485e7f9813cd4b1f57ae0918
SHA512 6706f55e765ccb60b25f562823b434c8465c3ceb8f243a8644ce7deca40880ada52dfecc1e83257a391a6890b2e7b356edca06a2fa746dcee6a7de1ec48bf1c7

C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat

MD5 288065600cb3e759be3df0543f2f8a16
SHA1 0d13e4a688106f01221ac2b0a9b0d1576a7afde3
SHA256 77bf94a48f3fb56b0360ab1a7cd0714d8b4f7e312414b3c73f18db5cd697dfc3
SHA512 c925a784071172963f4eebd94dffade9f845c48b1ad0bbcc597b5f3fd4da643027eba81ae7023eba2733d115b97b3e8ee8ccaed0da3855bf2b9c23042210ba54

C:\Users\Admin\AppData\Local\Temp\B4BP5ZSgoJ.bat

MD5 045ba6530ca6e9b502dc6645a47ee518
SHA1 29b76f83a95a42fe8c04633447dd7b1eea29211c
SHA256 1406bbfdcde2c6d608884b289ba7c55eb3f76cdd0ade2a0c4dae6b1f21f98970
SHA512 842551a34556c1d3b2228aab1755bf0e4ffb6354ef167924f59cb5a27fb4af73ab15269bce327accc6755409ebec97e6032093cc72f021e8460a7f3e594cd2e4

memory/4732-893-0x0000000000000000-mapping.dmp

memory/5600-894-0x0000000000000000-mapping.dmp

C:\providercommon\dllhost.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/5600-896-0x0000000002A70000-0x0000000002A82000-memory.dmp

memory/4076-897-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat

MD5 b3cfbde2503a29d1c22bfeb58f72e377
SHA1 7c7138eb99515dbd35f5e2cb81878ca9cb74395b
SHA256 23e4b04f51326bb8b9bc9facc29d0d21e98f4b040381e09aad4134a9d5df4bcb
SHA512 e53d3b83337e6c4f1138c5c6b5a945114fe50b2e209f46a317ee0a22442decb26aab4c41c462e0cd25abaabce4676de3e6bf0a4baca27ff9ec0dbf07c89cb13d

memory/388-899-0x0000000000000000-mapping.dmp

memory/4676-900-0x0000000000000000-mapping.dmp

C:\providercommon\dllhost.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/5012-902-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\AsgPmp9HNF.bat

MD5 b7aaae1a89ba2fbdfa88a27ea4df1eb7
SHA1 6b7de573a630a6f38a8466d514f2e426ba1e1b1c
SHA256 ea41674c77b4126cefcc79ea00521a1357a0c634c01ac3a20cd89ee9e234e550
SHA512 69994803c116affd5123f29a640cee4d6b6eec4baab73aca904115f0a2fc93ab0c04930e750c13ada8730a03f75a05d9ad052a8d5c9c9ba37dd76007c87cfbd2

memory/4904-904-0x0000000000000000-mapping.dmp

memory/1836-905-0x0000000000000000-mapping.dmp

C:\providercommon\dllhost.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/1836-907-0x0000000000F60000-0x0000000000F72000-memory.dmp

memory/696-908-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\989MOUOnUX.bat

MD5 2fec1a154b940e9c344f90e0ed3213ec
SHA1 e1132b2f9f9bdc18d0ea3ca4103bf2fa7dc4e09e
SHA256 2c1abba318dabe3a3d9a843e6c0deb8a864e28875de07c1a137195102d01365e
SHA512 f8ec89a5fc6aabab4f547c6b78fd0fc44cf12eeeeb1e8d5b4e44f580b3d9c486f80dd4ec515090ed7f422dc2b2ae9fb661c8e93779cd2914189eee0e36a6e64f

memory/3904-910-0x0000000000000000-mapping.dmp

C:\providercommon\dllhost.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/3076-911-0x0000000000000000-mapping.dmp

memory/4544-913-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\F4MZx53eLu.bat

MD5 26ee6df37223b5dc5dab7058ed3493d1
SHA1 43d7c938037168ab9fbc27903569da9bee42ed8b
SHA256 5159b4ed7cdf6fac09f16d09be7af42dc151fe0bface7530261fc72483bc7305
SHA512 27ff69be18258da1421a40020f012448519b36d9cdd096df1bbd2a0a0f1ca295b7ee07816cda412cb604bcecf75e15affabf36ec4ef1401c30d5ca340b6f39e0

memory/5068-915-0x0000000000000000-mapping.dmp
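The entries above show the two kinds of dropped artefact this sample leaves on disk: a copy of the payload at C:\providercommon\dllhost.exe whose hash is identical on every write (SHA256 b5199d3e...15c63), and a series of launcher batch files in the user's Temp directory whose hashes differ from one another. The batch-file hashes are therefore poor indicators on their own; the stable signals are the dllhost.exe hash and its location, since a genuine dllhost.exe lives only under C:\Windows\System32 or C:\Windows\SysWOW64. The following is an added example, not part of this sandbox report: a small disk sweep that hashes every file under a root, matches SHA256 against the values transcribed from the Files section, and flags path-based indicators (dllhost.exe outside the system directories; a ten-character random .bat name in %TEMP%, which is the shape of every .bat listed here and is treated as weak, corroborating evidence only). The directory tree and the stand-in payload bytes in `demo()` are constructed so the script runs offline; they are not the real sample.

```python
"""Sweep a directory tree for the dropped-file IOCs listed in this report.

Added example, not part of the sandbox report. The hash table is transcribed
from the report's Files section; the sample directory and file contents built
in demo() are constructed stand-ins so the script runs offline.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# SHA256 -> description, transcribed from the report's Files section.
IOC_SHA256 = {
    "b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63":
        "C:\\providercommon\\dllhost.exe (dropped payload, same hash on every write)",
    "45644411eb5a0081800a1efb1bc0b3a2d297423b485e7f9813cd4b1f57ae0918": "gTQuRhIyam.bat",
    "77bf94a48f3fb56b0360ab1a7cd0714d8b4f7e312414b3c73f18db5cd697dfc3": "wRcBAgH7Mb.bat",
    "1406bbfdcde2c6d608884b289ba7c55eb3f76cdd0ade2a0c4dae6b1f21f98970": "B4BP5ZSgoJ.bat",
    "23e4b04f51326bb8b9bc9facc29d0d21e98f4b040381e09aad4134a9d5df4bcb": "BDITavvsiM.bat",
    "ea41674c77b4126cefcc79ea00521a1357a0c634c01ac3a20cd89ee9e234e550": "AsgPmp9HNF.bat",
    "2c1abba318dabe3a3d9a843e6c0deb8a864e28875de07c1a137195102d01365e": "989MOUOnUX.bat",
    "5159b4ed7cdf6fac09f16d09be7af42dc151fe0bface7530261fc72483bc7305": "F4MZx53eLu.bat",
}

# Directories where a genuine dllhost.exe lives (Windows fact, not from the report).
LEGIT_DLLHOST_DIRS = ("\\windows\\system32", "\\windows\\syswow64")

# Every .bat in the report is a 10-character alphanumeric name under the user's
# Temp directory. That shape alone is weak; it only corroborates other hits.
TEMP_BAT_RE = re.compile(r"\\appdata\\local\\temp\\[a-z0-9]{10}\.bat$")


def hash_file(path):
    """Return (md5, sha1, sha256) hex digests, streaming the file in 64 KiB chunks."""
    digests = (hashlib.md5(), hashlib.sha1(), hashlib.sha256())
    with open(path, "rb") as fh:
        while chunk := fh.read(1 << 16):
            for d in digests:
                d.update(chunk)
    return tuple(d.hexdigest() for d in digests)


def path_indicators(win_path):
    """Path checks that survive repacking: dllhost.exe masquerade and the Temp .bat shape."""
    p = win_path.replace("/", "\\").lower()
    hits = []
    if p.endswith("\\dllhost.exe"):
        parent = p.rsplit("\\", 1)[0]
        if not any(parent.endswith(d) for d in LEGIT_DLLHOST_DIRS):
            hits.append("dllhost.exe outside System32/SysWOW64 (masquerade)")
    if TEMP_BAT_RE.search(p):
        hits.append("10-char random .bat in %TEMP% (weak, corroborating)")
    return hits


def sweep(root, iocs=IOC_SHA256, to_win_path=None):
    """Walk `root`, hash every file, and return (win_path, sha256, reasons) for each hit.

    `to_win_path` maps an on-disk path (e.g. a mounted image under /mnt/c) back to
    the Windows path the path checks expect; by default the path is used as-is.
    """
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            win = to_win_path(full) if to_win_path else full
            reasons = path_indicators(win)
            _, _, sha256 = hash_file(full)
            if sha256 in iocs:
                reasons.append(f"SHA256 match: {iocs[sha256]}")
            if reasons:
                findings.append((win, sha256, reasons))
    return findings


def demo():
    """Build a constructed tree (stand-ins, not the real sample) and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "providercommon").mkdir()
        payload = b"constructed stand-in, NOT the real DCRat binary\n"
        (root / "providercommon" / "dllhost.exe").write_bytes(payload)
        temp = root / "Users" / "Admin" / "AppData" / "Local" / "Temp"
        temp.mkdir(parents=True)
        (temp / "gTQuRhIyam.bat").write_text("@echo constructed\r\n")
        (root / "readme.txt").write_text("benign\n")
        # Register the stand-in's own hash so the hash-match branch is exercised;
        # the real payload hash from the report stays in the table as well.
        iocs = dict(IOC_SHA256)
        iocs[hashlib.sha256(payload).hexdigest()] = "constructed stand-in payload"
        to_win = lambda p: "C:\\" + os.path.relpath(p, root).replace(os.sep, "\\")
        return sweep(root, iocs, to_win)


if __name__ == "__main__":
    for win, sha256, reasons in demo():
        print(win, sha256[:16], reasons)
```

On a mounted disk image, call `sweep("/mnt/c", to_win_path=lambda p: "C:\\" + os.path.relpath(p, "/mnt/c").replace("/", "\\"))`; only the dllhost.exe hash and the masquerade check should be treated as strong evidence, and a path-only .bat hit should prompt a look at the scheduled tasks and the wmiprvse.exe child processes recorded earlier in the report rather than a verdict by itself.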