Malware Analysis Report

2025-08-10 23:16

Sample ID 221101-nwfabacecn
Target 6a04fa1d56d2202c1a8a06c0a7d2d6022fbcbcd9b71c8c162a8e1a4c32bc336c
SHA256 6a04fa1d56d2202c1a8a06c0a7d2d6022fbcbcd9b71c8c162a8e1a4c32bc336c
Tags
rat dcrat infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6a04fa1d56d2202c1a8a06c0a7d2d6022fbcbcd9b71c8c162a8e1a4c32bc336c

Threat Level: Known bad

The file 6a04fa1d56d2202c1a8a06c0a7d2d6022fbcbcd9b71c8c162a8e1a4c32bc336c was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

Process spawned unexpected child process

DcRat

Dcrat family

DCRat payload

DCRat payload

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-01 11:44

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-01 11:44

Reported

2022-11-01 11:47

Platform

win10-20220812-en

Max time kernel

146s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6a04fa1d56d2202c1a8a06c0a7d2d6022fbcbcd9b71c8c162a8e1a4c32bc336c.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(39 identical entries)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
(18 identical entries)

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\0a1fd5f707cd16 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Java\conhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Java\088424020bedd6 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VC\powershell.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VC\e978f868350d50 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\VideoLAN\VLC\hrtfs\DllCommonsvc.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\VideoLAN\VLC\hrtfs\a76d7bf15d8370 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\it-IT\SearchUI.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\AppPatch\conhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\DigitalLocker\en-US\56085415360792 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Branding\ShellBrd\System.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\DigitalLocker\en-US\wininit.exe C:\providercommon\DllCommonsvc.exe N/A
File opened for modification C:\Windows\DigitalLocker\en-US\wininit.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Branding\ShellBrd\27d1bcfc3c54e0 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\it-IT\dab4d89cac03ec C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\dllhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\5940a34987c991 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\AppPatch\088424020bedd6 C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
(39 identical entries)

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings C:\Users\Default\Cookies\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings C:\providercommon\DllCommonsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings C:\Users\Default\Cookies\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings C:\Users\Default\Cookies\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings C:\Users\Default\Cookies\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings C:\Users\Default\Cookies\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings C:\Users\Default\Cookies\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings C:\Users\Default\Cookies\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings C:\Users\Default\Cookies\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings C:\Users\Default\Cookies\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings C:\Users\Default\Cookies\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings C:\Users\Default\Cookies\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings C:\Users\Default\Cookies\Idle.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\6a04fa1d56d2202c1a8a06c0a7d2d6022fbcbcd9b71c8c162a8e1a4c32bc336c.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Default\Cookies\Idle.exe N/A
N/A N/A C:\Users\Default\Cookies\Idle.exe N/A
N/A N/A C:\Users\Default\Cookies\Idle.exe N/A
N/A N/A C:\Users\Default\Cookies\Idle.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3876 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\6a04fa1d56d2202c1a8a06c0a7d2d6022fbcbcd9b71c8c162a8e1a4c32bc336c.exe C:\Windows\SysWOW64\WScript.exe
PID 3876 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\6a04fa1d56d2202c1a8a06c0a7d2d6022fbcbcd9b71c8c162a8e1a4c32bc336c.exe C:\Windows\SysWOW64\WScript.exe
PID 3876 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\6a04fa1d56d2202c1a8a06c0a7d2d6022fbcbcd9b71c8c162a8e1a4c32bc336c.exe C:\Windows\SysWOW64\WScript.exe
PID 4612 wrote to memory of 4708 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4612 wrote to memory of 4708 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4612 wrote to memory of 4708 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 2512 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 4708 wrote to memory of 2512 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 2512 wrote to memory of 4896 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2512 wrote to memory of 4896 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2512 wrote to memory of 5084 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2512 wrote to memory of 5084 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2512 wrote to memory of 4904 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2512 wrote to memory of 4904 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2512 wrote to memory of 4820 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2512 wrote to memory of 4820 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2512 wrote to memory of 820 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2512 wrote to memory of 820 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2512 wrote to memory of 908 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2512 wrote to memory of 908 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2512 wrote to memory of 5052 N/A C:\providercommon\DllCommonsvc.exe C:\providercommon\DllCommonsvc.exe
PID 2512 wrote to memory of 5052 N/A C:\providercommon\DllCommonsvc.exe C:\providercommon\DllCommonsvc.exe
PID 5052 wrote to memory of 4000 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 4000 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 3824 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 3824 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 2140 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 2140 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 1564 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 1564 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 4040 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 4040 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 780 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 780 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 1336 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 1336 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 1304 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 1304 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 1280 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 1280 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 4520 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 5052 wrote to memory of 4520 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 4520 wrote to memory of 4244 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4520 wrote to memory of 4244 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4520 wrote to memory of 4752 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Cookies\Idle.exe
PID 4520 wrote to memory of 4752 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Cookies\Idle.exe
PID 4752 wrote to memory of 400 N/A C:\Users\Default\Cookies\Idle.exe C:\Windows\System32\cmd.exe
PID 4752 wrote to memory of 400 N/A C:\Users\Default\Cookies\Idle.exe C:\Windows\System32\cmd.exe
PID 400 wrote to memory of 2504 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 400 wrote to memory of 2504 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 400 wrote to memory of 3284 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Cookies\Idle.exe
PID 400 wrote to memory of 3284 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Cookies\Idle.exe
PID 3284 wrote to memory of 2848 N/A C:\Users\Default\Cookies\Idle.exe C:\Windows\System32\cmd.exe
PID 3284 wrote to memory of 2848 N/A C:\Users\Default\Cookies\Idle.exe C:\Windows\System32\cmd.exe
PID 2848 wrote to memory of 1836 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2848 wrote to memory of 1836 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2848 wrote to memory of 2476 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Cookies\Idle.exe
PID 2848 wrote to memory of 2476 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Cookies\Idle.exe
PID 640 wrote to memory of 1616 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 640 wrote to memory of 1616 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 640 wrote to memory of 1108 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Cookies\Idle.exe
PID 640 wrote to memory of 1108 N/A C:\Windows\System32\cmd.exe C:\Users\Default\Cookies\Idle.exe
PID 1108 wrote to memory of 1548 N/A C:\Users\Default\Cookies\Idle.exe C:\Windows\System32\cmd.exe
PID 1108 wrote to memory of 1548 N/A C:\Users\Default\Cookies\Idle.exe C:\Windows\System32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6a04fa1d56d2202c1a8a06c0a7d2d6022fbcbcd9b71c8c162a8e1a4c32bc336c.exe

"C:\Users\Admin\AppData\Local\Temp\6a04fa1d56d2202c1a8a06c0a7d2d6022fbcbcd9b71c8c162a8e1a4c32bc336c.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\providercommon\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 5 /tr "'C:\Windows\it-IT\SearchUI.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Windows\it-IT\SearchUI.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 10 /tr "'C:\Windows\it-IT\SearchUI.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\ServiceProfiles\NetworkService\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\ServiceProfiles\NetworkService\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\DllCommonsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\DllCommonsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\AppPatch\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\AppPatch\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\AppPatch\conhost.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\SearchUI.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\NetworkService\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\hrtfs\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\conhost.exe'

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\DigitalLocker\en-US\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\DigitalLocker\en-US\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Java\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\Branding\ShellBrd\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\Branding\ShellBrd\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Application Data\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Application Data\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\microsoft shared\VC\powershell.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\VC\powershell.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\microsoft shared\VC\powershell.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Cookies\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Cookies\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Cookies\Idle.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\en-US\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\powershell.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\ShellBrd\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\microsoft shared\VC\powershell.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\Idle.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\68z4f957pf.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Cookies\Idle.exe

"C:\Users\Default\Cookies\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b9aNmsEibB.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Cookies\Idle.exe

"C:\Users\Default\Cookies\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nokcDIWAC5.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Cookies\Idle.exe

"C:\Users\Default\Cookies\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ewVMycoP0v.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Cookies\Idle.exe

"C:\Users\Default\Cookies\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wpigNgqS7W.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Cookies\Idle.exe

"C:\Users\Default\Cookies\Idle.exe"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat"

C:\Users\Default\Cookies\Idle.exe

"C:\Users\Default\Cookies\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rm9ahlPG2t.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Cookies\Idle.exe

"C:\Users\Default\Cookies\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\srJhtCwLGi.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Cookies\Idle.exe

"C:\Users\Default\Cookies\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KRs2fZV4we.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Cookies\Idle.exe

"C:\Users\Default\Cookies\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IPU7rAfrPc.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Cookies\Idle.exe

"C:\Users\Default\Cookies\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XIXHPi7vyc.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Cookies\Idle.exe

"C:\Users\Default\Cookies\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Cookies\Idle.exe

"C:\Users\Default\Cookies\Idle.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rm9ahlPG2t.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Users\Default\Cookies\Idle.exe

"C:\Users\Default\Cookies\Idle.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 52.168.112.66:443 tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp

Files

memory/3876-115-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-116-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-117-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-118-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-120-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-121-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-123-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-124-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-125-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-127-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-128-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-126-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-130-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-129-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-131-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-132-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-133-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-134-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-135-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-136-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-137-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-138-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-139-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-140-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-141-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-142-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-143-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-144-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-145-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-146-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-147-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-148-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-149-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-150-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-151-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-152-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-153-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-154-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-155-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-156-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-157-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-158-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-159-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-160-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-161-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-162-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-163-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-165-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-164-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-166-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-167-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-168-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-169-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-170-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-171-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-172-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-173-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-174-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-175-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-176-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-178-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/3876-177-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/4612-179-0x0000000000000000-mapping.dmp

memory/4612-180-0x0000000076EC0000-0x000000007704E000-memory.dmp

memory/4612-181-0x0000000076EC0000-0x000000007704E000-memory.dmp

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

memory/4708-255-0x0000000000000000-mapping.dmp

memory/2512-278-0x0000000000000000-mapping.dmp

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/2512-281-0x0000000000C10000-0x0000000000D20000-memory.dmp

memory/2512-282-0x0000000002CE0000-0x0000000002CF2000-memory.dmp

memory/2512-283-0x0000000002D80000-0x0000000002D8C000-memory.dmp

memory/2512-284-0x000000001B770000-0x000000001B77C000-memory.dmp

memory/2512-285-0x000000001B780000-0x000000001B78C000-memory.dmp

memory/5084-287-0x0000000000000000-mapping.dmp

memory/4904-288-0x0000000000000000-mapping.dmp

memory/4896-286-0x0000000000000000-mapping.dmp

memory/4820-289-0x0000000000000000-mapping.dmp

memory/820-290-0x0000000000000000-mapping.dmp

memory/908-291-0x0000000000000000-mapping.dmp

memory/5052-297-0x0000000000000000-mapping.dmp

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4896-318-0x000001F97DB20000-0x000001F97DB42000-memory.dmp

memory/5052-321-0x0000000001350000-0x0000000001362000-memory.dmp

memory/4896-330-0x000001F97E760000-0x000001F97E7D6000-memory.dmp

memory/1564-484-0x0000000000000000-mapping.dmp

memory/2140-483-0x0000000000000000-mapping.dmp

memory/1280-489-0x0000000000000000-mapping.dmp

memory/1304-488-0x0000000000000000-mapping.dmp

memory/1336-487-0x0000000000000000-mapping.dmp

memory/780-486-0x0000000000000000-mapping.dmp

memory/4040-485-0x0000000000000000-mapping.dmp

memory/3824-482-0x0000000000000000-mapping.dmp

memory/4000-481-0x0000000000000000-mapping.dmp

memory/4520-515-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

MD5 b4268d8ae66fdd920476b97a1776bf85
SHA1 f920de54f7467f0970eccc053d3c6c8dd181d49a
SHA256 61d17affcc8d91ecb1858e710c455186f9d0ccfc4d8ae17a1145d87bc7317879
SHA512 03b6b90641837f9efb6065698602220d6c5ad263d51d7b7714747c2a3c3c618bd3d94add206b034d6fa2b8e43cbd1ac4a1741cfa1c2b1c1fc8589ae0b0c89516

C:\Users\Admin\AppData\Local\Temp\68z4f957pf.bat

MD5 9d756327c5cd9ee8d840f133b057ad4e
SHA1 70f037706afff7075348897926cd7aa131429ca9
SHA256 119da916ddfb55a347f52dd8dc47fa33df20cd78471fdf488b32c4ff3456e509
SHA512 8d2dbd228e0753e0a4e8a02d46e17b0a0ffe98bfb3c25b0f4c213a37666655149daaae5607f420f8a4d6664d8257635592c59d80f129b02de390b7c4a95acbb2

memory/4244-583-0x0000000000000000-mapping.dmp

memory/4752-801-0x0000000000000000-mapping.dmp

C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\Idle.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Users\Default\Cookies\Idle.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4752-806-0x0000000001560000-0x0000000001572000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 02a4261a8af36df874e02774ab8034f4
SHA1 c2f92d1fb77d7e59d273e169760d2b2a2b73f446
SHA256 189ed2a159bc489ef2e2b6aeec37a3a1f87c7a28b5ebf0cc9d8088adb3e05dd1
SHA512 83db25c4e10a0984ee40fd8d9c5145c175d870aaa90d433a944f5a0e1d542e87eccc64d47721d24b5a8d5c03583025572f5eede5d8aee0ac1fd4195a04b8d9d8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 02a4261a8af36df874e02774ab8034f4
SHA1 c2f92d1fb77d7e59d273e169760d2b2a2b73f446
SHA256 189ed2a159bc489ef2e2b6aeec37a3a1f87c7a28b5ebf0cc9d8088adb3e05dd1
SHA512 83db25c4e10a0984ee40fd8d9c5145c175d870aaa90d433a944f5a0e1d542e87eccc64d47721d24b5a8d5c03583025572f5eede5d8aee0ac1fd4195a04b8d9d8

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ad5cd538ca58cb28ede39c108acb5785
SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ab5b2ba825d562e23d6d3bd444c153b3
SHA1 bc49c866d905f997ddbe474b394dfc32a2c40785
SHA256 083005d87122dd4e22c9db7d5fa131f360092b34525253bf11db19e4dc811fc4
SHA512 7efb4c5f24649b92f8044e253c3f96702e0aca8ca0c6e7c5d509eea6bb84516add2adf3614a914d70e9059dfc96bbf68ba0fa5ccc14b62d07d497fb27ca95dec

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9fff42ed123acbcbedb3ae9bc13c7caf
SHA1 6e8df258957f0313fb88ee8cc3a97cff8c9fd037
SHA256 fdea38451043d8ea3b0adc2bac8e5b44b143a03eddc45e4eea1c15206f7c75b1
SHA512 f32f2ca014b1e6ea09589a8ebe36512c9e05ecbe7333490c140f33d947496098213b96af959806d81ba9a2781e44477af8765a1d6cbfb6ee6f2a27fc1d7fbb56

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3f5a9e9556cb225386e55eece7c1ef6f
SHA1 c85539e0c0ed7fde087eb605dff480bed5842b19
SHA256 f49c273ef57a18027dd159728ea383a0ba75ae3b5d1506634c6bda0a07fe59a8
SHA512 aea658dea7fce1d19b7585a5c569a9732091129aa809dd218acb816c3717e89a8da14f320c75002df5016e272cc3f92055ceea1c248c0627309f4ab530130067

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3f5a9e9556cb225386e55eece7c1ef6f
SHA1 c85539e0c0ed7fde087eb605dff480bed5842b19
SHA256 f49c273ef57a18027dd159728ea383a0ba75ae3b5d1506634c6bda0a07fe59a8
SHA512 aea658dea7fce1d19b7585a5c569a9732091129aa809dd218acb816c3717e89a8da14f320c75002df5016e272cc3f92055ceea1c248c0627309f4ab530130067

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 68de62fe66f9b492e94e98ced7737bf4
SHA1 6681849abb88363f3e0cedaec84535faea0221bd
SHA256 da45781ef0aad5448310a4a4d5ad8cedb4c72eddba621fd2e111ad8be953c32e
SHA512 aec608aa0ef68da637cd021d970b54aa76e071c1441e4ab0239bd7085f2290f10b3e5bc5c0b533e5b06717c5ee307f46c07625ed0398428b9fecbca7ce20186a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 68de62fe66f9b492e94e98ced7737bf4
SHA1 6681849abb88363f3e0cedaec84535faea0221bd
SHA256 da45781ef0aad5448310a4a4d5ad8cedb4c72eddba621fd2e111ad8be953c32e
SHA512 aec608aa0ef68da637cd021d970b54aa76e071c1441e4ab0239bd7085f2290f10b3e5bc5c0b533e5b06717c5ee307f46c07625ed0398428b9fecbca7ce20186a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 249bfe9024d2d7cb744a9549fb266db8
SHA1 751e6b891c35a7040f859d8f01eddb02af327520
SHA256 80d177c06717b82e53b0c83dc0ce98260b94a4bbd9bf0fc28f3d7a4fada18e05
SHA512 25968747a058073bcfd1c6fbbb38a70e34d348f679808fcd48b65251d2e979831315f3d09561dc3149dd95d4536a6a62ae339fcd586353787511adf90d0a33ac

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 249bfe9024d2d7cb744a9549fb266db8
SHA1 751e6b891c35a7040f859d8f01eddb02af327520
SHA256 80d177c06717b82e53b0c83dc0ce98260b94a4bbd9bf0fc28f3d7a4fada18e05
SHA512 25968747a058073bcfd1c6fbbb38a70e34d348f679808fcd48b65251d2e979831315f3d09561dc3149dd95d4536a6a62ae339fcd586353787511adf90d0a33ac

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 249bfe9024d2d7cb744a9549fb266db8
SHA1 751e6b891c35a7040f859d8f01eddb02af327520
SHA256 80d177c06717b82e53b0c83dc0ce98260b94a4bbd9bf0fc28f3d7a4fada18e05
SHA512 25968747a058073bcfd1c6fbbb38a70e34d348f679808fcd48b65251d2e979831315f3d09561dc3149dd95d4536a6a62ae339fcd586353787511adf90d0a33ac

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 445ea5ee8a32a324772fc210036cb6be
SHA1 5e2890e1a82bd1c89d7ff191fe4d114033f8102f
SHA256 e23394a4b7ad709c984a0e4cda8ab6feed82383cd83d761528c5a7b7540f9007
SHA512 bf1c02e6b13645f8589e9a77afad9f82dde3c7b805d0414e47530b2af72a0e3de4779439d0ad34b49fd503e386c1642b6ffc739b1753704e69cbecf70469c3c8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0bdfaa14d7814b541a77f4e97920dfd6
SHA1 c239720eee47db7f7136bb78e37c539b9e735c4c
SHA256 4c8946ef444ac60d731d674ad3d32a42edcd2a8d5fc984366f7c09eb24f5a272
SHA512 dfa795a1fd4fc852064cfdf93602899685bf9c13c7c326feca76fc7f97f92662342c52b79b447bcbc20cd55ea724742a499ad8da8e7770377a3e04ae52351608

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 500c29a76e740d730a2b04e046b32570
SHA1 b2e19fb35f984754aee8777f24e1e8021d940a3a
SHA256 83959b24391abc322c13431ce5205c623882fb9cc007535ee2e8e3cf4af61899
SHA512 4698c504557a59d97ef163c252dd38db45dbd0c35dcd821397790f80dfc75aa6ae5def5c38682a017a5563acd33b1bdd3e0ca2710ea7f5a048541da4b5a64085

memory/400-847-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\b9aNmsEibB.bat

MD5 5fe2cfe82aeab4c7d7f11eb7f8363a4b
SHA1 547ce6988373ac2b2a690e56436a96ec46c1e2f2
SHA256 62bd92b911f01acd7cec4a4d245f3647131041f856ed98da6b5202c9e5eb2749
SHA512 61c5ece49dfc55e6bec744d5159c7d8ee5436803edea1289b51cef5294645474c993aeb62dfea0f77f4669684fca19df9b5b4b83d58378dfdfdf88d3eb6d3cfd

memory/2504-849-0x0000000000000000-mapping.dmp

memory/3284-850-0x0000000000000000-mapping.dmp

C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\Idle.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Idle.exe.log

MD5 d63ff49d7c92016feb39812e4db10419
SHA1 2307d5e35ca9864ffefc93acf8573ea995ba189b
SHA256 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12
SHA512 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

memory/3284-853-0x0000000000EE0000-0x0000000000EF2000-memory.dmp

memory/2848-854-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\nokcDIWAC5.bat

MD5 32c8c7c3bb1a343c8178431dc0912f3d
SHA1 243096572de00585d0b8fcd000771cd30379545d
SHA256 b81177fff72b5785b3ca343ce76a52d5d61522bfe5aab1574633a5a38e4c1a0b
SHA512 a52f86c0e8e42373b63c23c74a7c107b70a7ad6b32c1d92ac7420cfced675679d25ec0bd1735bffc4ae18f34e17592ea2bc7cc185c7e5887de4925c985f78f3c

memory/1836-856-0x0000000000000000-mapping.dmp

memory/2476-857-0x0000000000000000-mapping.dmp

C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\Idle.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/1616-859-0x0000000000000000-mapping.dmp

memory/1108-860-0x0000000000000000-mapping.dmp

C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\Idle.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/1108-862-0x0000000001850000-0x0000000001862000-memory.dmp

memory/1548-863-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\wpigNgqS7W.bat

MD5 233d7e45cddbe720ce52ce0474d9ccf4
SHA1 8d8418e28859233f9c16d3cafa00182094671fd8
SHA256 e8917e4959720ed4f7863fa75f4f42c6a5f6e16668f44a780c74a7dba3ae80eb
SHA512 3ca853c01c7deb41e4c11c453561b8e08eb0cf0b8b783661cf172a3380a93000108043c6f1fc567bb3d6b8c4eb2ca751d35945f3f27d299f97dea67020439693

memory/1660-865-0x0000000000000000-mapping.dmp

memory/2136-866-0x0000000000000000-mapping.dmp

C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\Idle.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4288-868-0x0000000000000000-mapping.dmp

memory/4356-870-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat

MD5 b694fbdc9adb3e8f2b988644d1c30521
SHA1 189d0970035a7fcc86d4fb55fb7aa6a0d91d2cef
SHA256 6a7137f80053b4459eb28e3abf259228186544a5fb607054ce289d2b33215a1b
SHA512 d536f6f71d484fe37f977f7fe13593d5573b361668dd962397f84c2aec40b6cfb96932715c91db0f22b5286686c6b29417aa6183adaa1d4afcc6961fcae49606

memory/4660-871-0x0000000000000000-mapping.dmp

C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\Idle.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/2696-873-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\rm9ahlPG2t.bat

MD5 4860baf62f5c17c1db077e37336ebbdf
SHA1 9522dae0ec0c180c1c909482c630c9b4a7fed75b
SHA256 9e837b2ba2c7864857b20b70e4f1afa3b6afe5a458d370a344475aef6c1910a9
SHA512 8336608acaa459453e980b2e6d45043b6cff482ae3e4e1d77416672e5441f125872546508135658fe3d1ecb6f97b6f5b2dd72b1e74aa04d3cfb547f7d422a3f4

memory/748-875-0x0000000000000000-mapping.dmp

memory/4088-876-0x0000000000000000-mapping.dmp

C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\Idle.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4828-878-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\srJhtCwLGi.bat

MD5 517eb89cb7f0aa8dc872ce41c9d745c1
SHA1 30755533c308e8351a9559c7b0215593a6737928
SHA256 2d1bce1c2348b1801a1111fbfcced0fd5f6536089c99e0eb057502a136c7c25e
SHA512 1bde5d97f2d167a79baf88781a9140aa4d0ec8e36c542243d6eb792ae913bbe70bf67d1ae66f380bddf56676479ca994e5afb069e116e832789ce02f09a72bf3

C:\Users\Admin\AppData\Local\Temp\KRs2fZV4we.bat

MD5 a5e5135fb4c1f3d0e82d3efdf74d8e64
SHA1 36cfcfaa7906e74b2e24d493c07a836cc7bac55c
SHA256 d0da0488dbfd810758d3bb9d9a13cc5fef1312e8bf7a7af178b3ff15b6fbe5c9
SHA512 4bfd41ce02b9affd309cda1db64f9bc5457b86e10780d1186bfb8e875b22067acfb0cb62f11f5e298d2779ea817b9ee6f7aa274b3ef1abc90f312b542b920866

C:\Users\Admin\AppData\Local\Temp\IPU7rAfrPc.bat

MD5 b3deb9099450621accdf0ecaa6ebb320
SHA1 aafc5539954aa5613a3013102f975762ced9e7f3
SHA256 0268c061d96958b620f0457d6e510e4410d5c87e9eedb579b2c5d1c426f71ea7
SHA512 bad5d2a261f854dee47e96b09508b8ced05ee13beaa61117e0b3d59e5736cf760e53a148ecc1be49d825d443498fe434c61f885a7e6b584bac86da952693bcca

C:\Users\Admin\AppData\Local\Temp\XIXHPi7vyc.bat

MD5 708af0b994311a42f5802541df578a37
SHA1 d367764f2f5b126f60de18fb764c306f091c48a0
SHA256 e9e2d0fab35fc4c338656db313d5df3ee869dcf567d77dc92fd81b08a47cae5b
SHA512 38d97488dbc5d298fe7f8c5a13a42cb568a4a0476f259f29227544ca4d03946fb1e8043f9ff680f72901fdd742f51444cf130753613171d2d52788d03c0ebf7b

C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat

MD5 a96ccd08e9ced61c0302861adcd61602
SHA1 372ff542536d35b7dd11b43717a29a202c936014
SHA256 84d4f63c21b705b866ed99a4ecd1de9260ae5bfe22f486ae0f1e87c10f84fd1d
SHA512 9e2d661aa80d88d539ae4645f1ef062a5ec611a2df12f0e72d1eea42ab03f4e4648e52495deab396852647f1c1bbc34f487ffce7d07ddad5c088b7f00f55c8dc
