Malware Analysis Report

2025-08-10 23:17

Sample ID 221101-ntpqzacebj
Target 6cbec9941f5fafdcaf533ec3f84e7346d7be7279733239ce9bd713195f140707
SHA256 6cbec9941f5fafdcaf533ec3f84e7346d7be7279733239ce9bd713195f140707
Tags
rat dcrat infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6cbec9941f5fafdcaf533ec3f84e7346d7be7279733239ce9bd713195f140707

Threat Level: Known bad

The file 6cbec9941f5fafdcaf533ec3f84e7346d7be7279733239ce9bd713195f140707 was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

DCRat payload

DcRat

Process spawned unexpected child process

Dcrat family

DCRat payload

Executes dropped EXE

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-01 11:41

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-01 11:41

Reported

2022-11-01 11:44

Platform

win10v2004-20220812-en

Max time kernel

150s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6cbec9941f5fafdcaf533ec3f84e7346d7be7279733239ce9bd713195f140707.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (24 identical rows)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (15 identical rows)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe N/A (8 identical rows)
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6cbec9941f5fafdcaf533ec3f84e7346d7be7279733239ce9bd713195f140707.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\providercommon\DllCommonsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe N/A (2 identical rows)

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\SppExtComObj.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\e1ef82546f0b02 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\c82b8037eab33d C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\debug\dwm.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\debug\6cb0b6c459d5d3 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\WinSxS\conhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\twain_32\conhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\twain_32\088424020bedd6 C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe N/A (3 identical rows)
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings C:\providercommon\DllCommonsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe N/A (5 identical rows)
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\6cbec9941f5fafdcaf533ec3f84e7346d7be7279733239ce9bd713195f140707.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe N/A (2 identical rows)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A (3 identical rows)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (26 identical rows)
N/A N/A C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe N/A (10 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (9 identical rows)
Token: SeDebugPrivilege N/A C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe N/A (10 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4716 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\6cbec9941f5fafdcaf533ec3f84e7346d7be7279733239ce9bd713195f140707.exe C:\Windows\SysWOW64\WScript.exe (3 identical rows)
PID 2084 wrote to memory of 4208 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe (3 identical rows)
PID 4208 wrote to memory of 1508 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe (2 identical rows)
PID 1508 wrote to memory of 3580 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical rows)
PID 1508 wrote to memory of 3708 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical rows)
PID 1508 wrote to memory of 4404 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical rows)
PID 1508 wrote to memory of 3888 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical rows)
PID 1508 wrote to memory of 3316 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical rows)
PID 1508 wrote to memory of 5020 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical rows)
PID 1508 wrote to memory of 1044 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical rows)
PID 1508 wrote to memory of 3172 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical rows)
PID 1508 wrote to memory of 604 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical rows)
PID 1508 wrote to memory of 4092 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe (2 identical rows)
PID 4092 wrote to memory of 5108 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (2 identical rows)
PID 4092 wrote to memory of 4524 N/A C:\Windows\System32\cmd.exe C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe (2 identical rows)
PID 4524 wrote to memory of 776 N/A C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe C:\Windows\System32\cmd.exe (2 identical rows)
PID 776 wrote to memory of 1040 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (2 identical rows)
PID 776 wrote to memory of 3216 N/A C:\Windows\System32\cmd.exe C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe (2 identical rows)
PID 3216 wrote to memory of 4120 N/A C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe C:\Windows\System32\cmd.exe (2 identical rows)
PID 4120 wrote to memory of 1748 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (2 identical rows)
PID 4120 wrote to memory of 2796 N/A C:\Windows\System32\cmd.exe C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe (2 identical rows)
PID 2796 wrote to memory of 1712 N/A C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe C:\Windows\System32\cmd.exe (2 identical rows)
PID 1712 wrote to memory of 3936 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (2 identical rows)
PID 1712 wrote to memory of 1088 N/A C:\Windows\System32\cmd.exe C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe (2 identical rows)
PID 1088 wrote to memory of 4060 N/A C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe C:\Windows\System32\cmd.exe (2 identical rows)
PID 4060 wrote to memory of 3804 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (2 identical rows)
PID 4060 wrote to memory of 2344 N/A C:\Windows\System32\cmd.exe C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe (2 identical rows)
PID 2344 wrote to memory of 1972 N/A C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe C:\Windows\System32\cmd.exe (2 identical rows)
PID 1972 wrote to memory of 1840 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe (2 identical rows)
PID 1972 wrote to memory of 1460 N/A C:\Windows\System32\cmd.exe C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe (2 identical rows)
PID 1460 wrote to memory of 812 N/A C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe C:\Windows\System32\cmd.exe (2 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\6cbec9941f5fafdcaf533ec3f84e7346d7be7279733239ce9bd713195f140707.exe

"C:\Users\Admin\AppData\Local\Temp\6cbec9941f5fafdcaf533ec3f84e7346d7be7279733239ce9bd713195f140707.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\debug\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\debug\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\debug\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\odt\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\twain_32\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\twain_32\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\twain_32\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\providercommon\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\providercommon\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\providercommon\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Links\WaaSMedicAgent.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Users\Default\Links\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Links\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\SppExtComObj.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SearchApp.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Links\WaaSMedicAgent.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bpjIuqu03b.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe

"C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wm5t4PlH1R.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe

"C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aTd08pZfDw.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe

"C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe

"C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tDjG3X7WPV.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe

"C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZZzsG8LzQB.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe

"C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe

"C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D2zd9hDRps.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe

"C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xEvQv3iUx6.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe

"C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RjWoOVK6wo.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe

"C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BmKXfVMxAz.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe

"C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe"

Network

Country Destination Domain Proto
US 93.184.220.29:80 N/A tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 93.184.221.240:80 N/A tcp
US 20.189.173.10:443 N/A tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Users\Admin\AppData\Local\Temp\bpjIuqu03b.bat

MD5 7e8dae63c9e28df40f2ef94c6104364b
SHA1 26773af59e6c973f2c1a2840859f64934c516537
SHA256 4cdcdc8119f352574cbb4f345b082ff368d6c0c55af70fbd0350490dfe67a071
SHA512 720cf979b29f7090761db467ebb1a338eeef5ce6c391e3804bbddb83831c64215f2a8b8dc96e7dc57f21893debb63e630e2f38d351dddef0cdf933754dc05ae2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1 f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ecceac16628651c18879d836acfcb062
SHA1 420502b3e5220a01586c59504e94aa1ee11982c9
SHA256 58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9
SHA512 be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Program Files\Common Files\microsoft shared\ClickToRun\WaaSMedicAgent.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Users\Admin\AppData\Local\Temp\Wm5t4PlH1R.bat

MD5 f4a83b4481b00a9927dde7bd3a1da57b
SHA1 c2dc1f38af38500d97cc05f9cd5a17d4b0e26670
SHA256 20e8cd79ecd9e49c50bdfb618b43b9e88e890ecb2a6e154c40aed19733e69199
SHA512 d475fe49a5898b831bc96e68156c4e449bab4f190e3c3f1b5ceaa1bba7deb4945874c410b9c00b7c05e09b3847732b765cba341abdbe637c52d1d29e885fbd9c

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WaaSMedicAgent.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

C:\Users\Admin\AppData\Local\Temp\aTd08pZfDw.bat

MD5 bcf2534e7cd1df3f4eeb791bd8fecf1f
SHA1 ffaeab1bf653848218464472b25dadca6b88a70b
SHA256 14c2c2c1da62a7669704013dbc8af27a571180d8bd14198194c6ae55d3ca0ef6
SHA512 6d6c752bc338872c32fa01e3596516d037be307db4d7b8bc1dd8a9a3355f6da38c80447abd7e8f32896511339d7be4736659e52e1eb1bf7c443d9b0b90636a9d

C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat

MD5 163b52f05bec58933cd93cabd5710180
SHA1 f25f733800ae2ef29588539471e9b08784cf033d
SHA256 8a7bc8a95286a71d1d70a415a9d3dabfb83718c84909c8a564852494cc3a476c
SHA512 e09a336d5393146669521332db6be7dde0dacf17d3e01969ec289e1c44bae6433e1b5f808dc9ede3ed9d86c9f5b1ed66db7c726aba039700c925c18fd6a3cb8f

C:\Users\Admin\AppData\Local\Temp\tDjG3X7WPV.bat

MD5 763e09377433edba9216b0d4328d8b77
SHA1 150152eda346d330e4172cac3fa1ed04b5f94768
SHA256 5ab3945a55e94a144ede526f023cefb9b2dcc2510c98a8e5842d0671009acfcf
SHA512 13e55c37fc83b144210d56e75fd5ce97ee499d92a7adabc21e68799bef848ec6fa8ad017b023291cd780d63b22645834fc769923a6efa217f3ff044f9229192e

C:\Users\Admin\AppData\Local\Temp\ZZzsG8LzQB.bat

MD5 3382d9be6547439f364d69e3bb0cb68f
SHA1 c1fcd2a10352473e2a6a070e5c7535caeb09b16f
SHA256 7f9afb6f1b58f8181107be280d0708e739c7ada48df42bb6893cab66f7f14c56
SHA512 c4fc98ba0c6c5514c84e1429cfb860efa1162df7ce81bd8ab63d48997f2dfd44ff7fa36ab2adf1570997222481fd9c3561438e202c009610b2afe066243bca3e

C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat

MD5 4760213db290dce96fa8b23175a4eb6a
SHA1 892560ac9d3d2dfa200c7b54f432c21a59263a87
SHA256 b1fee69a7fd8ae1e6c732c8432d3533172dcfad5cafc9b41be0e22fc0538a9d1
SHA512 09660b1f1abc730f173335eaa4fdca913ff551900a634e3a0646f43e885124c016ab76596fb94f903928ed829534f5003060deb6df7629b0cf703da25bd5217e

C:\Users\Admin\AppData\Local\Temp\D2zd9hDRps.bat

MD5 eea8f4c4ebb26cdf378be3d8bf784525
SHA1 7df6287ec7e0a1d7ae34171cd9009abc3add5737
SHA256 e2cd9c912ac4570b6a700d10cd830c36496409c4214339a169e9570ba8c82739
SHA512 5d73adabac0e29e5afcc96e6044e8715771c42b05a108f3d84729e6b5630f962662126778faa480904aa19f9a3ef3fb41bf909d8db1e4e0f3a73ae956a078631

C:\Users\Admin\AppData\Local\Temp\xEvQv3iUx6.bat

MD5 e11aea85caae56275626b1bf827e17f0
SHA1 08291c048e5eb5d0f45cc56c157dbc67f1690a7a
SHA256 8347091c0f23ca76f60200b907c47f3187a5716dea5807ac0a5ebd7356769b21
SHA512 873717b4f32ac927d142217cb51708c5b3c87dafe0e5398094fc250e9737f57f279458050f4560d04fcc2973b56ea31302c1baa369b188030927d99d55288529

C:\Users\Admin\AppData\Local\Temp\RjWoOVK6wo.bat

MD5 01253554cda946c9ce18fdfa20d2de34
SHA1 01a4b432df0e32070eafd28b49c4575f756050a6
SHA256 895b36b615446c1ee8eccda3dbbf0fb912328c282521dfc9a956db409bea607e
SHA512 b9202021f0f7cfcf259a212137e6b0e284b9b530036ca2d11e4a23678870db6886581090a356cc64f0f07c997c5469dfb550cbac0e7018cf6d0bae39638b25f6

C:\Users\Admin\AppData\Local\Temp\BmKXfVMxAz.bat

MD5 b2cfe522672dfb2db39952adc426e0f2
SHA1 196d3ee16b1d5edc56b41154b352668377b4a89e
SHA256 659517431e9a5694cda7803927cf8a1501fe44a430214e347b2acc92669ce028
SHA512 ec2a159870bc80cdffe661d9bf6e1c477eb5f33e6cadfeba06960ae2b430a2c9892209912a8be7b4249e2ef03e47173a54b8f813cea13d430e285373ef2e9264
