Malware Analysis Report

2025-08-10 23:16

Sample ID 221101-nvp35acebr
Target d294e4e7f1ced0ec206420b3815c1323e5482dd0ae06f0300f8c1fde37443cad
SHA256 d294e4e7f1ced0ec206420b3815c1323e5482dd0ae06f0300f8c1fde37443cad
Tags
dcrat infostealer rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d294e4e7f1ced0ec206420b3815c1323e5482dd0ae06f0300f8c1fde37443cad

Threat Level: Known bad

The file d294e4e7f1ced0ec206420b3815c1323e5482dd0ae06f0300f8c1fde37443cad was found to be: Known bad.

Malicious Activity Summary

dcrat infostealer rat

Dcrat family

DCRat payload

DcRat

Process spawned unexpected child process

DCRat payload

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-01 11:43

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-01 11:43

Reported

2022-11-01 11:45

Platform

win10-20220812-en

Max time kernel

146s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d294e4e7f1ced0ec206420b3815c1323e5482dd0ae06f0300f8c1fde37443cad.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (30 identical rows)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (16 identical rows)

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\csrss.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\886983d96e3d3e C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\RemotePackages\RemoteDesktops\conhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\RemotePackages\RemoteDesktops\088424020bedd6 C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings C:\Users\Default User\dwm.exe N/A (7 identical rows)
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\d294e4e7f1ced0ec206420b3815c1323e5482dd0ae06f0300f8c1fde37443cad.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings C:\Users\Default User\dwm.exe N/A (4 identical rows)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A (14 identical rows)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (24 identical rows)
N/A N/A C:\Users\Default User\dwm.exe N/A (2 identical rows)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (20 identical rows)
N/A N/A C:\Users\Default User\dwm.exe N/A (4 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2692 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\d294e4e7f1ced0ec206420b3815c1323e5482dd0ae06f0300f8c1fde37443cad.exe C:\Windows\SysWOW64\WScript.exe
PID 2692 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\d294e4e7f1ced0ec206420b3815c1323e5482dd0ae06f0300f8c1fde37443cad.exe C:\Windows\SysWOW64\WScript.exe
PID 2692 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\d294e4e7f1ced0ec206420b3815c1323e5482dd0ae06f0300f8c1fde37443cad.exe C:\Windows\SysWOW64\WScript.exe
PID 4836 wrote to memory of 4232 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4836 wrote to memory of 4232 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4836 wrote to memory of 4232 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4232 wrote to memory of 4984 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 4232 wrote to memory of 4984 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 4984 wrote to memory of 996 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4984 wrote to memory of 996 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4984 wrote to memory of 860 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4984 wrote to memory of 860 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4984 wrote to memory of 1808 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4984 wrote to memory of 1808 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4984 wrote to memory of 4584 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4984 wrote to memory of 4584 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4984 wrote to memory of 3312 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4984 wrote to memory of 3312 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4984 wrote to memory of 3308 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4984 wrote to memory of 3308 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4984 wrote to memory of 2204 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4984 wrote to memory of 2204 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4984 wrote to memory of 2892 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4984 wrote to memory of 2892 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4984 wrote to memory of 640 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4984 wrote to memory of 640 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4984 wrote to memory of 1876 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4984 wrote to memory of 1876 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4984 wrote to memory of 2980 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4984 wrote to memory of 2980 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4984 wrote to memory of 4448 N/A C:\providercommon\DllCommonsvc.exe C:\Users\Default User\dwm.exe
PID 4984 wrote to memory of 4448 N/A C:\providercommon\DllCommonsvc.exe C:\Users\Default User\dwm.exe
PID 4448 wrote to memory of 4684 N/A C:\Users\Default User\dwm.exe C:\Windows\System32\cmd.exe
PID 4448 wrote to memory of 4684 N/A C:\Users\Default User\dwm.exe C:\Windows\System32\cmd.exe
PID 4684 wrote to memory of 4644 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4684 wrote to memory of 4644 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4684 wrote to memory of 1684 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\dwm.exe
PID 4684 wrote to memory of 1684 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\dwm.exe
PID 1684 wrote to memory of 4288 N/A C:\Users\Default User\dwm.exe C:\Windows\System32\cmd.exe
PID 1684 wrote to memory of 4288 N/A C:\Users\Default User\dwm.exe C:\Windows\System32\cmd.exe
PID 4288 wrote to memory of 4316 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4288 wrote to memory of 4316 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4288 wrote to memory of 1448 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\dwm.exe
PID 4288 wrote to memory of 1448 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\dwm.exe
PID 1448 wrote to memory of 1780 N/A C:\Users\Default User\dwm.exe C:\Windows\System32\cmd.exe
PID 1448 wrote to memory of 1780 N/A C:\Users\Default User\dwm.exe C:\Windows\System32\cmd.exe
PID 1780 wrote to memory of 1108 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1780 wrote to memory of 1108 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1780 wrote to memory of 4240 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\dwm.exe
PID 1780 wrote to memory of 4240 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\dwm.exe
PID 4240 wrote to memory of 984 N/A C:\Users\Default User\dwm.exe C:\Windows\System32\cmd.exe
PID 4240 wrote to memory of 984 N/A C:\Users\Default User\dwm.exe C:\Windows\System32\cmd.exe
PID 984 wrote to memory of 2096 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 984 wrote to memory of 2096 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 984 wrote to memory of 3896 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\dwm.exe
PID 984 wrote to memory of 3896 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\dwm.exe
PID 3896 wrote to memory of 3320 N/A C:\Users\Default User\dwm.exe C:\Windows\System32\cmd.exe
PID 3896 wrote to memory of 3320 N/A C:\Users\Default User\dwm.exe C:\Windows\System32\cmd.exe
PID 3320 wrote to memory of 3768 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3320 wrote to memory of 3768 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3320 wrote to memory of 1152 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\dwm.exe
PID 3320 wrote to memory of 1152 N/A C:\Windows\System32\cmd.exe C:\Users\Default User\dwm.exe
PID 1152 wrote to memory of 5112 N/A C:\Users\Default User\dwm.exe C:\Windows\System32\cmd.exe
PID 1152 wrote to memory of 5112 N/A C:\Users\Default User\dwm.exe C:\Windows\System32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d294e4e7f1ced0ec206420b3815c1323e5482dd0ae06f0300f8c1fde37443cad.exe

"C:\Users\Admin\AppData\Local\Temp\d294e4e7f1ced0ec206420b3815c1323e5482dd0ae06f0300f8c1fde37443cad.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\providercommon\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\odt\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\providercommon\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\odt\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\providercommon\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\odt\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\RemotePackages\RemoteDesktops\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\RemotePackages\RemoteDesktops\conhost.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OfficeClickToRun.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\taskhostw.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteDesktops\conhost.exe'

C:\Users\Default User\dwm.exe

"C:\Users\Default User\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6x2cfOw3ED.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\dwm.exe

"C:\Users\Default User\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\dwm.exe

"C:\Users\Default User\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YQG5KQjShu.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\dwm.exe

"C:\Users\Default User\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VJj2LbMAw3.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\dwm.exe

"C:\Users\Default User\dwm.exe"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o4pIGJu18c.bat"

C:\Users\Default User\dwm.exe

"C:\Users\Default User\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\dwm.exe

"C:\Users\Default User\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\svsOdT1nlB.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\dwm.exe

"C:\Users\Default User\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\dwm.exe

"C:\Users\Default User\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\dwm.exe

"C:\Users\Default User\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9kwbr7Wkdx.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\dwm.exe

"C:\Users\Default User\dwm.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default User\dwm.exe

"C:\Users\Default User\dwm.exe"

Network

Country  Destination          Domain                     Proto
US       8.8.8.8:53           raw.githubusercontent.com  udp
US       185.199.108.133:443  raw.githubusercontent.com  tcp
US       185.199.108.133:443  raw.githubusercontent.com  tcp
US       20.42.65.89:443      -                          tcp
US       93.184.221.240:80    -                          tcp
US       185.199.108.133:443  raw.githubusercontent.com  tcp
US       185.199.108.133:443  raw.githubusercontent.com  tcp
US       185.199.108.133:443  raw.githubusercontent.com  tcp
US       185.199.108.133:443  raw.githubusercontent.com  tcp
US       185.199.108.133:443  raw.githubusercontent.com  tcp
US       185.199.108.133:443  raw.githubusercontent.com  tcp
US       185.199.108.133:443  raw.githubusercontent.com  tcp
US       185.199.108.133:443  raw.githubusercontent.com  tcp
US       185.199.108.133:443  raw.githubusercontent.com  tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Users\Default\dwm.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Users\Default User\dwm.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Users\Admin\AppData\Local\Temp\6x2cfOw3ED.bat

MD5 9e04d28a7ab8c30cfb95f3c32a6ce159
SHA1 c955ed3b088d65603195ad6870adf36eea5ed9d1
SHA256 7ee12c49e8cc8e9b3f73dc48b9d285f5cce56ef63c5869c6f8d623630a2ea0d7
SHA512 217d24296e8e990b5deeaceca48dbea3e277ca7c367f2630e8eae7a6ec67372eda9a2749e2a116630e52dcd2391f5f9d3ca3c9038f286c5fd84339deb46abe81

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 8592ba100a78835a6b94d5949e13dfc1
SHA1 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256 fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 17ff2cda63c3ff833d82d7091b117676
SHA1 e02aca278ef80f24b59dd1b9a7040e27f3f260ff
SHA256 5c7267f685c849537ccb0f45303ece85ba686305cdac8bbfc0e3f492d36f209b
SHA512 73c39c8204114f61bbc1b3a63a6bde57e8718de28260af7bc457746934cd84568b63591a8e5bb2fb61ac313e880b90dda09cc5a9961d3051772e90eb9d0a7694

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 770e25deb575e0b7e12440d1daaae11c
SHA1 007ff4a515f085813f700f2ac58c4ce89cfdcffb
SHA256 1726ed716cbceb42987e47e89e84f56442b0a97a218135c29e80a7a20e3a6f92
SHA512 d44f2d5c3994611ff65288578e46aecf7148b5171d77c25f076a612d9211c3430fa1b4943adde91c9b872cc9f78eb07417f448390a19c05ee51c89230074d599

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c0b6c977cd8160ea1d032de187f5edc2
SHA1 f2c68d0e4069a8473a6f5ef405f28bdc8cf26b41
SHA256 cc61b7579677c0ded5496afaa7575ee665bd4e89d291e8968cae5568bd1445c3
SHA512 08b2d4a330a42090fc1ef07785478e418df7c477fb5354359c5aa36050c84dabf2a5ea98720434588f542cd25a361242a4898d5a0aed0e534b366adf151b0ca9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3985020ab434157da02385c52ec285e6
SHA1 2e3e913f675ca3585637428eaf63820e5ba88049
SHA256 99fbfced2673a0f470413a1d07378952c4bb56951bd15173f5c94cf7f3a2d3d7
SHA512 89d5f3de0d6f0fffdefe8921805e31f60d9c17f65191ff2deefdb8edfdd8e08cf3d67053454209ca157edb48de3e1ef7f55b9112702eafa0748e53c14645ba37

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 85227c7d04950473b8a39335a5d5d180
SHA1 60e5fe87e9396864884a4a0ae2817c93fdcb4066
SHA256 4087649b14677ee586718b826d1de8b3c79b6562295fcade372936bbe63ec93b
SHA512 1d45f3c818c64cab0dad91bc0bf64bce160bf35662e3eda9e5c1e6c156dc6f22009d13a88f4a33ea0bdb95ec328269612cdfd95d917590b17223e89d632349f7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5dd00c7ba9f272b7f4c57f468c41b93d
SHA1 15782aca42890803597aaebf2a45b8cbfbfc8729
SHA256 3155b21e853a00cb37cb5c56d9a1cfad02f27325c29edd49aeb934e2b5e30d09
SHA512 2741d6fef900f3a80381420ecb112c3f73fc9d3b6f78ba2a0e90d8081d1ef202319fca67aa713fb87607913f7d404714cb61a8e7b4bffabfc29df8c3ece04c95

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

MD5 d63ff49d7c92016feb39812e4db10419
SHA1 2307d5e35ca9864ffefc93acf8573ea995ba189b
SHA256 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12
SHA512 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat

MD5 8eaade41e684463c9b93bb92421b8279
SHA1 38548fecfc349b79462d58397a5cbf532aa4cd29
SHA256 73205143e2a24566d29fd0cad1594e82a9a268d99ea73ad40a446251807e7b59
SHA512 0574c841c5cb1dc3226fd889f7f88b90ccd462452fd10395cd7689df49c6ce49bff357dd41ea43dc655b6a2a4864f9b4df885daf22b72ce2b3b085fb149aec78

C:\Users\Admin\AppData\Local\Temp\YQG5KQjShu.bat

MD5 954e8e2d19ad41a101c20ee8282ef6a4
SHA1 e700643bc5ae16c11cddc3cddaa3ca3a46527d02
SHA256 19248ded61a3ab46dd62feeb25ac9d76505a134add7afc47cdb2dd1a9a29ce1a
SHA512 0a2821b80d7293414ec15f3592082ff26151feae7277170f44caf0c52dd986a48930b8717558a305d9c31db0ab9ef0680d3a4c914d4cdb982bc7ddb579dff5d8

C:\Users\Admin\AppData\Local\Temp\VJj2LbMAw3.bat

MD5 d9d80d20110f3c63629454c8813104a3
SHA1 1e5131b32f16f215b917fa6489557b03e83e7c03
SHA256 7bfadaeb5da17ad334bc8186e07352edbe4b1dfd013dd69a0573d703119fa81a
SHA512 91bc82b1d0a7d215b12561afd9e9f4f959b87cd83c03591b8b2ad65060de8138fb590b3839506bd8aa4ad1827c31dd41a1c0b236c51cb5db62c311824e0be732

C:\Users\Admin\AppData\Local\Temp\o4pIGJu18c.bat

MD5 6d8c63418c2eee313755a943d87f0844
SHA1 11c75c446b177406e045b2c16fa39c4e4bb94751
SHA256 bf68d79c6422632d1ed34b810f9cf19a2c611e07a936d612cbec41d7e11c9938
SHA512 91754098553b38a4ac02e8fab725418cda31a0939898465ab823b6690a109ab1d0fb26e5344e49d8bce62617cd95f44074740d5f38ffd45a3d55df45cbc40692

C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat

MD5 f180b4aa885cec7de334bb81ee482bf9
SHA1 d887016220db2cba6fe22fd7779926160b45b2e0
SHA256 df47d40b0dcd29f35faf794d18a43d719bb648510e0add40f87b19e83719a963
SHA512 80a1d90249e15b2bf3d23bcd75727a82390e19d1dacab167865b732e8ab4eedf721dfe3586fd301a848e854cfbf6da532242076919e621a9383c5ad6e378be9e

C:\Users\Admin\AppData\Local\Temp\svsOdT1nlB.bat

MD5 be1e81f24f40a40b7d0c0f16f0129965
SHA1 752659fcbd4b5573f9b159f72940f7ada96bf493
SHA256 2701fbfeb4f31d6672d55fb1515ed8ebff1d360013e9af56bdcfcc17b827b40a
SHA512 dca32b4b48b60fb27237b7ddea473815be1f56703763260865ef0b5f55bd5464a24085306fc6a0c9db336d3fbfa2c18d7402043527d77b74ad9d19b08ce31dbb

C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat

MD5 da3939045d8a4d5bfd6bc2dbad6da27b
SHA1 96ad34d7e6d5f9bd87569596542a0fddd1da03fe
SHA256 bb51a9f95bc97d807b3cd6dca42d2e065ba0af927f17c4a63fcc049c55a63c9b
SHA512 0fb4e7b30025a727a11ee7d61991bcf3c877508b4292a407227f12ae5598b4c1860f4d2270bcb51b898540b05a7cdd9b387fd3d8bbcbb8c2b06f4c71e2a9fa86

C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat

MD5 20f7c485b03cc57ad6f7cbefdb37bb7c
SHA1 0b21875774ee80dde89019ee4c4e8c3227418eb3
SHA256 964047e7f05d197b9940bb8076bd6d49ad0d45b75500f5fedf19de0de180065f
SHA512 92e87d15064694dd29fcbee49ffce49aeb6e19314a3ef2b8410d2047f97142a902ac11968cdea66ffa373caac1a0852d1e7f0f4c4ba70d8642f984c4c93c5e47

C:\Users\Admin\AppData\Local\Temp\9kwbr7Wkdx.bat

MD5 82fdb3d21a86f08857c35643740be813
SHA1 2febcd7bcbecf0f90455537f56b34c1ae4eb8cca
SHA256 74a7b3f25d90e08aa363cf102066265a40da64ec10481397aaaf3dcb4c4a0333
SHA512 fe86ef71a2b73b87a433cc97191424c752279cee8aee5b86cf94c1a1c3db33cef59327dc593dc481579f2edd964ea8d51345f7849d88ec5a2f39d3ebd0868c58
