Malware Analysis Report

2025-08-10 23:14

Sample ID 221031-11m7yaedfn
Target e63c7c92f46cbd081e9111934043b43bdf9b5444bf67c82d370e877611d5bd56
SHA256 e63c7c92f46cbd081e9111934043b43bdf9b5444bf67c82d370e877611d5bd56
Tags
rat dcrat infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e63c7c92f46cbd081e9111934043b43bdf9b5444bf67c82d370e877611d5bd56

Threat Level: Known bad

The file e63c7c92f46cbd081e9111934043b43bdf9b5444bf67c82d370e877611d5bd56 was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

Process spawned unexpected child process

DcRat

DCRat payload

Dcrat family

DCRat payload

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Creates scheduled task(s)

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-31 22:07

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-31 22:07

Reported

2022-10-31 22:09

Platform

win10-20220812-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e63c7c92f46cbd081e9111934043b43bdf9b5444bf67c82d370e877611d5bd56.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\e63c7c92f46cbd081e9111934043b43bdf9b5444bf67c82d370e877611d5bd56.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\providercommon\DllCommonsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\providercommon\spoolsv.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 33 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 34 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 35 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: 36 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2656 wrote to memory of 4784 | N/A | C:\Users\Admin\AppData\Local\Temp\e63c7c92f46cbd081e9111934043b43bdf9b5444bf67c82d370e877611d5bd56.exe | C:\Windows\SysWOW64\WScript.exe
PID 2656 wrote to memory of 4784 | N/A | C:\Users\Admin\AppData\Local\Temp\e63c7c92f46cbd081e9111934043b43bdf9b5444bf67c82d370e877611d5bd56.exe | C:\Windows\SysWOW64\WScript.exe
PID 2656 wrote to memory of 4784 | N/A | C:\Users\Admin\AppData\Local\Temp\e63c7c92f46cbd081e9111934043b43bdf9b5444bf67c82d370e877611d5bd56.exe | C:\Windows\SysWOW64\WScript.exe
PID 4784 wrote to memory of 1568 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 4784 wrote to memory of 1568 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 4784 wrote to memory of 1568 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 1568 wrote to memory of 3472 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\providercommon\DllCommonsvc.exe
PID 1568 wrote to memory of 3472 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\providercommon\DllCommonsvc.exe
PID 3472 wrote to memory of 5044 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3472 wrote to memory of 5044 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3472 wrote to memory of 5020 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3472 wrote to memory of 5020 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3472 wrote to memory of 4932 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3472 wrote to memory of 4932 | N/A | C:\providercommon\DllCommonsvc.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3472 wrote to memory of 4444 | N/A | C:\providercommon\DllCommonsvc.exe | C:\providercommon\spoolsv.exe
PID 3472 wrote to memory of 4444 | N/A | C:\providercommon\DllCommonsvc.exe | C:\providercommon\spoolsv.exe
PID 4444 wrote to memory of 4716 | N/A | C:\providercommon\spoolsv.exe | C:\Windows\System32\cmd.exe
PID 4444 wrote to memory of 4716 | N/A | C:\providercommon\spoolsv.exe | C:\Windows\System32\cmd.exe
PID 4716 wrote to memory of 2632 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 4716 wrote to memory of 2632 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 4716 wrote to memory of 4736 | N/A | C:\Windows\System32\cmd.exe | C:\providercommon\spoolsv.exe
PID 4716 wrote to memory of 4736 | N/A | C:\Windows\System32\cmd.exe | C:\providercommon\spoolsv.exe
PID 4736 wrote to memory of 3316 | N/A | C:\providercommon\spoolsv.exe | C:\Windows\System32\cmd.exe
PID 4736 wrote to memory of 3316 | N/A | C:\providercommon\spoolsv.exe | C:\Windows\System32\cmd.exe
PID 3316 wrote to memory of 2760 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 3316 wrote to memory of 2760 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 3316 wrote to memory of 1292 | N/A | C:\Windows\System32\cmd.exe | C:\providercommon\spoolsv.exe
PID 3316 wrote to memory of 1292 | N/A | C:\Windows\System32\cmd.exe | C:\providercommon\spoolsv.exe
PID 1292 wrote to memory of 4840 | N/A | C:\providercommon\spoolsv.exe | C:\Windows\System32\cmd.exe
PID 1292 wrote to memory of 4840 | N/A | C:\providercommon\spoolsv.exe | C:\Windows\System32\cmd.exe
PID 4840 wrote to memory of 3892 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 4840 wrote to memory of 3892 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 4840 wrote to memory of 376 | N/A | C:\Windows\System32\cmd.exe | C:\providercommon\spoolsv.exe
PID 4840 wrote to memory of 376 | N/A | C:\Windows\System32\cmd.exe | C:\providercommon\spoolsv.exe
PID 376 wrote to memory of 4764 | N/A | C:\providercommon\spoolsv.exe | C:\Windows\System32\cmd.exe
PID 376 wrote to memory of 4764 | N/A | C:\providercommon\spoolsv.exe | C:\Windows\System32\cmd.exe
PID 4764 wrote to memory of 4908 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 4764 wrote to memory of 4908 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 4764 wrote to memory of 4788 | N/A | C:\Windows\System32\cmd.exe | C:\providercommon\spoolsv.exe
PID 4764 wrote to memory of 4788 | N/A | C:\Windows\System32\cmd.exe | C:\providercommon\spoolsv.exe
PID 4788 wrote to memory of 4320 | N/A | C:\providercommon\spoolsv.exe | C:\Windows\System32\cmd.exe
PID 4788 wrote to memory of 4320 | N/A | C:\providercommon\spoolsv.exe | C:\Windows\System32\cmd.exe
PID 4320 wrote to memory of 4568 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 4320 wrote to memory of 4568 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 4320 wrote to memory of 4308 | N/A | C:\Windows\System32\cmd.exe | C:\providercommon\spoolsv.exe
PID 4320 wrote to memory of 4308 | N/A | C:\Windows\System32\cmd.exe | C:\providercommon\spoolsv.exe
PID 4308 wrote to memory of 1868 | N/A | C:\providercommon\spoolsv.exe | C:\Windows\System32\cmd.exe
PID 4308 wrote to memory of 1868 | N/A | C:\providercommon\spoolsv.exe | C:\Windows\System32\cmd.exe
PID 1868 wrote to memory of 872 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1868 wrote to memory of 872 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 1868 wrote to memory of 4456 | N/A | C:\Windows\System32\cmd.exe | C:\providercommon\spoolsv.exe
PID 1868 wrote to memory of 4456 | N/A | C:\Windows\System32\cmd.exe | C:\providercommon\spoolsv.exe
PID 4456 wrote to memory of 220 | N/A | C:\providercommon\spoolsv.exe | C:\Windows\System32\cmd.exe
PID 4456 wrote to memory of 220 | N/A | C:\providercommon\spoolsv.exe | C:\Windows\System32\cmd.exe
PID 220 wrote to memory of 2180 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 220 wrote to memory of 2180 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 220 wrote to memory of 1040 | N/A | C:\Windows\System32\cmd.exe | C:\providercommon\spoolsv.exe
PID 220 wrote to memory of 1040 | N/A | C:\Windows\System32\cmd.exe | C:\providercommon\spoolsv.exe
PID 1040 wrote to memory of 2132 | N/A | C:\providercommon\spoolsv.exe | C:\Windows\System32\cmd.exe
PID 1040 wrote to memory of 2132 | N/A | C:\providercommon\spoolsv.exe | C:\Windows\System32\cmd.exe
PID 2132 wrote to memory of 2392 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 2132 wrote to memory of 2392 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe
PID 2132 wrote to memory of 4500 | N/A | C:\Windows\System32\cmd.exe | C:\providercommon\spoolsv.exe
PID 2132 wrote to memory of 4500 | N/A | C:\Windows\System32\cmd.exe | C:\providercommon\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e63c7c92f46cbd081e9111934043b43bdf9b5444bf67c82d370e877611d5bd56.exe

"C:\Users\Admin\AppData\Local\Temp\e63c7c92f46cbd081e9111934043b43bdf9b5444bf67c82d370e877611d5bd56.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\providercommon\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\odt\ShellExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\odt\ShellExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\ShellExperienceHost.exe'

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f

C:\providercommon\spoolsv.exe

"C:\providercommon\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\spoolsv.exe

"C:\providercommon\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NpgWdIWSbT.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\spoolsv.exe

"C:\providercommon\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\spoolsv.exe

"C:\providercommon\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TdlfhXh7Yo.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\spoolsv.exe

"C:\providercommon\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\spoolsv.exe

"C:\providercommon\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\spoolsv.exe

"C:\providercommon\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\spoolsv.exe

"C:\providercommon\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NpgWdIWSbT.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\spoolsv.exe

"C:\providercommon\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yMeEqlK1gO.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\spoolsv.exe

"C:\providercommon\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\spoolsv.exe

"C:\providercommon\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\spoolsv.exe

"C:\providercommon\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtQmBjXbDh.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\spoolsv.exe

"C:\providercommon\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | raw.githubusercontent.com | udp
US | 185.199.108.133:443 | raw.githubusercontent.com | tcp
US | 185.199.108.133:443 | raw.githubusercontent.com | tcp
US | 185.199.108.133:443 | raw.githubusercontent.com | tcp
US | 20.42.73.24:443 | | tcp
US | 185.199.108.133:443 | raw.githubusercontent.com | tcp
US | 185.199.108.133:443 | raw.githubusercontent.com | tcp
US | 185.199.108.133:443 | raw.githubusercontent.com | tcp
US | 185.199.108.133:443 | raw.githubusercontent.com | tcp
US | 185.199.108.133:443 | raw.githubusercontent.com | tcp
US | 185.199.108.133:443 | raw.githubusercontent.com | tcp
US | 185.199.108.133:443 | raw.githubusercontent.com | tcp
US | 185.199.108.133:443 | raw.githubusercontent.com | tcp
US | 185.199.108.133:443 | raw.githubusercontent.com | tcp
US | 185.199.108.133:443 | raw.githubusercontent.com | tcp

Files

memory/2656-122-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-124-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-125-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-121-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-120-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-119-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-127-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-128-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-129-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-132-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-133-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-135-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-137-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-136-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-138-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-139-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-134-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-131-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-140-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-130-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-141-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-142-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-143-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-145-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-144-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-146-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-147-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-148-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-150-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-152-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-153-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-154-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-155-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-156-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-157-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-151-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-158-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-160-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-159-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-161-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-162-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-163-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-149-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-164-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-165-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-166-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-167-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-168-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-170-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-173-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-171-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-172-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-169-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-174-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-175-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-177-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-176-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-178-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-179-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-180-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-182-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/2656-181-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/4784-185-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/4784-184-0x0000000077770000-0x00000000778FE000-memory.dmp

memory/4784-183-0x0000000000000000-mapping.dmp

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

memory/1568-259-0x0000000000000000-mapping.dmp

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/3472-285-0x0000000000270000-0x0000000000380000-memory.dmp

memory/3472-282-0x0000000000000000-mapping.dmp

memory/3472-286-0x0000000002460000-0x0000000002472000-memory.dmp

memory/3472-287-0x000000001ADD0000-0x000000001ADDC000-memory.dmp

memory/3472-288-0x000000001B8B0000-0x000000001B8BC000-memory.dmp

memory/3472-289-0x000000001ADE0000-0x000000001ADEC000-memory.dmp

memory/5044-290-0x0000000000000000-mapping.dmp

memory/4932-292-0x0000000000000000-mapping.dmp

memory/5020-291-0x0000000000000000-mapping.dmp

memory/4444-302-0x0000000000000000-mapping.dmp

C:\providercommon\spoolsv.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\providercommon\spoolsv.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/5044-308-0x00000193E4760000-0x00000193E4782000-memory.dmp

memory/4444-309-0x0000000001060000-0x0000000001072000-memory.dmp

memory/4932-314-0x000002DC99A60000-0x000002DC99AD6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ad5cd538ca58cb28ede39c108acb5785
SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b8434b46a9fc311482dfa3ec2c6baf2f
SHA1 ab925a9da43821ca31158f8ddbe682fbf4f96400
SHA256 23fe0033babdfe0c502df6de36685a5cdc5613086e222edc57f97a266ced8149
SHA512 e6ff732fccc6a6444b298f68b6fc4045a6b2ecc73a40a171bac07224529615252a1a8fa4c50a29b1e6daabb34e14bac3845ad22f620e18ed7f684a54b6e3a1bc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 092012581b38cacd04073f0befea943a
SHA1 3ae45afb2d715f74dabd25d0c1036e2d1ab13d24
SHA256 e4f55f299bd74de0c8da82b4ed70a87053a89a785b84c694ed4008bcad0b7d43
SHA512 4d305282639e627c7708b2fca9601d4c2436e213fe14a53452f76fc3407c12cc7590628e7ff2e589445ba9bd1cb03c4b210a52e320cbb6c123abff4115490873

memory/4716-401-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat

MD5 0ea0d87ad435c307b8d9dd2b4d2cba51
SHA1 7bd4afcca773d72eaec8f535fb3e68cf5e632a4c
SHA256 57251a912d8124f8f558e5ae490378ab906f691d01e050dcf46f09fe6654f6af
SHA512 d60efca0a133fa6e14e0fc08cbcc7758a2cfbe645b668177bdd5d6ed2f71761db13beb54488904481107ed4b6b898b7fedbd683d19dff31f0249b812fd21b158

memory/2632-403-0x0000000000000000-mapping.dmp

memory/4736-404-0x0000000000000000-mapping.dmp

C:\providercommon\spoolsv.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

MD5 d63ff49d7c92016feb39812e4db10419
SHA1 2307d5e35ca9864ffefc93acf8573ea995ba189b
SHA256 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12
SHA512 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

memory/3316-407-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\NpgWdIWSbT.bat

MD5 29bd0125796fde2ef8132f8eaa217fd5
SHA1 cc2fb831cce856f60686ddd3cfad627d6d66ab5a
SHA256 afc15f23191d430539f609cbd398868e3e566708c6ea5b78a33ee2cedd22811c
SHA512 04d2037be4d85896697d7f82f467d84cb6ae23b2e6c45937062142f6eeba99b9c830b34b88eb6a2d4a5f5825e5ef520798cdb3ebc9f63218c73900b1131ff262

memory/2760-409-0x0000000000000000-mapping.dmp

memory/1292-410-0x0000000000000000-mapping.dmp

C:\providercommon\spoolsv.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/1292-412-0x0000000000D50000-0x0000000000D62000-memory.dmp

memory/4840-413-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat

MD5 6c522770f0c79d069de1ef041a2964db
SHA1 8302f36bf0b5bea9dca1c2a5a50961e56ecb0bb9
SHA256 5330e72eaf0a9be3b692900fcb82f271d9840ce64dd4bb9865edc749c2518a16
SHA512 8a0615cf2fcb3a0b321a26aaf9f9fce4d98f02d32e4abb904581761c85d4776aad2dab96b525e00a035d2715942d4989e68c089ce7e5c658c6300e209bbb7397

memory/3892-415-0x0000000000000000-mapping.dmp

memory/376-416-0x0000000000000000-mapping.dmp

C:\providercommon\spoolsv.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4764-418-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\TdlfhXh7Yo.bat

MD5 053299379af7f320502094d4db361064
SHA1 fb52af0a338f97f6b027396761289af1c47b05d9
SHA256 b7e1d763d0da3815816fd79bb73aa384438802766c5e201cbe20d07d4146579b
SHA512 08fa30b721812ccd2a3311a91d538151e8d9b2fb738dcf4882f7879fc4488e0e2b5ce6aac5cadecc64c0c089d389013cfd703bc87be266a2e148a9685888764a

memory/4908-420-0x0000000000000000-mapping.dmp

memory/4788-421-0x0000000000000000-mapping.dmp

C:\providercommon\spoolsv.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4788-423-0x0000000000920000-0x0000000000932000-memory.dmp

memory/4320-424-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat

MD5 d70f90efaef46f3a65e8705ee25b41cb
SHA1 18a7cb2ec46583c1e2dfba33479e19fa15c7035c
SHA256 1ae98bbc1b48d226920d540af178858d844041e6bea6ad8e2cc3199cb8d5a8b0
SHA512 972cc184972980fdc5aa119ca91cbf678a3eb35d2b719b032575ea2137dea86ee2af6b5569831ce74c77295de3c4762c3477469092f107e153db525f87e78754

memory/4568-426-0x0000000000000000-mapping.dmp

C:\providercommon\spoolsv.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4308-427-0x0000000000000000-mapping.dmp

memory/4308-429-0x0000000000E20000-0x0000000000E32000-memory.dmp

memory/1868-430-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat

MD5 f08ede0c3722e29faa90ee33271baf31
SHA1 187cf7178a9e86e74961dd5b7be0c6d304661453
SHA256 5aab7437fccad7c0382313275a43dee9c7ebfac13ecfaa02ea7133355c217be3
SHA512 260a22a20612fcd5f65bcbee0a5fddab647750df83f7a89bc43706d58d8ea701bc1f7c1d19531b884578084d1ccb4491efa9b533f38628692664bb23cb97cc16

memory/872-432-0x0000000000000000-mapping.dmp

memory/4456-433-0x0000000000000000-mapping.dmp

C:\providercommon\spoolsv.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/220-435-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat

MD5 7521031780c8016c32a493702821cffb
SHA1 e68fe9f5735b775d225628c47dafff53607d5f54
SHA256 79d31363a5391f9379cdf62a97638a429387f99e36f7f599de3b52c434e420e6
SHA512 f5d4305a3ad6367499b929cf9246bc8d97af8f3dabe7d2888b5694c3bce43d220914663a599186e1d97dd518f30a67d4c2956068940454061e44e75d285f2b19

memory/2180-437-0x0000000000000000-mapping.dmp

memory/1040-438-0x0000000000000000-mapping.dmp

C:\providercommon\spoolsv.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/1040-440-0x00000000011E0000-0x00000000011F2000-memory.dmp

memory/2132-441-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\NpgWdIWSbT.bat

MD5 29bd0125796fde2ef8132f8eaa217fd5
SHA1 cc2fb831cce856f60686ddd3cfad627d6d66ab5a
SHA256 afc15f23191d430539f609cbd398868e3e566708c6ea5b78a33ee2cedd22811c
SHA512 04d2037be4d85896697d7f82f467d84cb6ae23b2e6c45937062142f6eeba99b9c830b34b88eb6a2d4a5f5825e5ef520798cdb3ebc9f63218c73900b1131ff262

memory/2392-443-0x0000000000000000-mapping.dmp

memory/4500-444-0x0000000000000000-mapping.dmp

C:\providercommon\spoolsv.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/1848-446-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\yMeEqlK1gO.bat

MD5 b32e168ee4749de589617064dc2c61db
SHA1 946988d13b9bd7d1875409555c9afbf97320aeb4
SHA256 cf6521a7b24a76ad5d9ac4909ec54b9a9a222d5aaa3f63196b5c3bcc23df21df
SHA512 3c9081b2cd5817d34ba5af66a0808dbb3115c0b50b672dd36f3ef120003fd5f33ae37bf87d95a45e146d0112e1b95102647ffec1408b06e996e9f819cc42a78d

memory/4340-448-0x0000000000000000-mapping.dmp

memory/4356-449-0x0000000000000000-mapping.dmp

C:\providercommon\spoolsv.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4356-451-0x0000000000A80000-0x0000000000A92000-memory.dmp

memory/1216-452-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat

MD5 6c522770f0c79d069de1ef041a2964db
SHA1 8302f36bf0b5bea9dca1c2a5a50961e56ecb0bb9
SHA256 5330e72eaf0a9be3b692900fcb82f271d9840ce64dd4bb9865edc749c2518a16
SHA512 8a0615cf2fcb3a0b321a26aaf9f9fce4d98f02d32e4abb904581761c85d4776aad2dab96b525e00a035d2715942d4989e68c089ce7e5c658c6300e209bbb7397

memory/3820-454-0x0000000000000000-mapping.dmp

memory/4744-455-0x0000000000000000-mapping.dmp

C:\providercommon\spoolsv.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4740-457-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat

MD5 427255b2c8ddf096e6fddeadf31deb46
SHA1 42b5ae31fe33ff1e425a52b3f6f41a486028ba79
SHA256 1061f887ef79ad9264b63f7dc2a9a8f43e43ca9d5ae0e72fdeca55fca67c3b5b
SHA512 0aeab5b4f2ee270026bfbe5ba597004590daa7c357b702d6f2b97d3436eb299767ea412c94f00a43153f91211032f60c5b65acc844c031a631a6398a9cc82731

memory/4716-459-0x0000000000000000-mapping.dmp

memory/2668-460-0x0000000000000000-mapping.dmp

C:\providercommon\spoolsv.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/3896-462-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\WtQmBjXbDh.bat

MD5 dd60a0b180866a8990e9ce5e71e92014
SHA1 3426c79c42ce1955a807a8db0e7384367530e626
SHA256 251cdcb3fd8495edc3ccfa0e8032cbce872c9f88a1112cdab48cb869f7968fa9
SHA512 df86fb1d2429a8c93a31cdc780c74c0e73b24fc12c43832afbccfab04e076686ef75eca186d048deaed35b7c262b414d2059595f54c236db30203fd711784e48

memory/2748-464-0x0000000000000000-mapping.dmp

memory/1400-465-0x0000000000000000-mapping.dmp

C:\providercommon\spoolsv.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4224-467-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat

MD5 1858f84b7b73cfc217a383938d8a8150
SHA1 f2d4f39c94b0536ce58c66de2907c4907d5bb56f
SHA256 605c285c4597920bdd8034383c15a5353364d6d196af343a454636d8f5963bdd
SHA512 ab56ec1da589d522aa81592cbf78095f4eacdf4f327e7ed32af16595ab399680f08e604f59c4f6d2c43049e5dd7bef9184e443f8ab79b34c0437e268283218e7

memory/3912-469-0x0000000000000000-mapping.dmp
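The listing above repeats the same dropped binary (C:\providercommon\spoolsv.exe, identical MD5/SHA1/SHA256/SHA512 every time) interleaved with one-off .bat relaunch stubs in the user's Temp directory and per-process memory dumps. Two things an analyst wants out of it quickly: the set of unique artifacts by SHA256 (the repeated writes are one indicator, not many), and the paths that deserve a second look, such as a file named after a core Windows service binary sitting outside System32. The parser below is an added example written for this page, not code from the sandbox vendor or from the sample; it targets the plain-text layout used here (a path line, then hash lines, with memory/... lines interleaved). The SAMPLE text is constructed from a subset of the entries above, and the SYSTEM_BINARIES set and SYSTEM_DIRS tuple are assumptions chosen for the demo.

```python
"""Parse a sandbox 'Files' listing, collapse repeated writes by SHA256, and flag
paths worth triage. Added example for this page; SYSTEM_BINARIES/SYSTEM_DIRS
and SAMPLE are constructed assumptions, not data from the sandbox itself."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEMORY_LINE = re.compile(
    r"^memory/(\d+)-(\d+)-(0x[0-9A-Fa-f]+)-(?:(0x[0-9A-Fa-f]+)-memory|mapping)\.dmp$")
# Binaries that only legitimately live under System32/SysWOW64 (assumed short list).
SYSTEM_BINARIES = {"spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe", "wininit.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)  # label -> lowercase hex digest


def parse_listing(text):
    """Return (files, dumps). files keeps every write event, in report order."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMORY_LINE.match(line)
        if m:  # memory/<pid>-<seq>-<start>-<end>-memory.dmp or ...-mapping.dmp
            dumps.append({"pid": int(m.group(1)), "seq": int(m.group(2)),
                          "start": int(m.group(3), 16),
                          "end": int(m.group(4), 16) if m.group(4) else None})
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            current.hashes[m.group(1)] = m.group(2).lower()
            continue
        current = DroppedFile(path=line)  # any other non-empty line starts a file entry
        files.append(current)
    return files, dumps


def unique_by_sha256(files):
    """Collapse repeated writes of identical content: {sha256: (paths, write_count)}."""
    seen = defaultdict(lambda: [set(), 0])
    for f in files:
        sha = f.hashes.get("SHA256")
        if sha:
            seen[sha][0].add(f.path)
            seen[sha][1] += 1
    return {sha: (sorted(paths), n) for sha, (paths, n) in seen.items()}


def flag_masquerading(files):
    """Paths whose basename is a core Windows binary but which sit outside System32."""
    flagged = set()
    for f in files:
        low = f.path.lower()
        if low.rsplit("\\", 1)[-1] in SYSTEM_BINARIES and not low.startswith(SYSTEM_DIRS):
            flagged.add(f.path)
    return sorted(flagged)


def temp_batch_files(files):
    """Batch files written to a user's Temp directory (the relaunch stubs in this report)."""
    return sorted({f.path for f in files if f.path.lower().endswith(".bat")
                   and "\\appdata\\local\\temp\\" in f.path.lower()})


# Constructed sample: a subset of the entries in this report's file listing.
SAMPLE = """
memory/3472-289-0x000000001ADE0000-0x000000001ADEC000-memory.dmp

C:\\providercommon\\spoolsv.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

memory/5044-290-0x0000000000000000-mapping.dmp

C:\\Users\\Admin\\AppData\\Local\\Temp\\jaxwQXfGLd.bat

MD5 0ea0d87ad435c307b8d9dd2b4d2cba51
SHA1 7bd4afcca773d72eaec8f535fb3e68cf5e632a4c
SHA256 57251a912d8124f8f558e5ae490378ab906f691d01e050dcf46f09fe6654f6af

C:\\providercommon\\spoolsv.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
"""

if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE)
    for sha, (paths, n) in unique_by_sha256(files).items():
        print(f"{sha}  written {n}x  {paths}")
    print("masquerading:", flag_masquerading(files))
    print("temp .bat:", temp_batch_files(files))
    print("memory dumps:", len(dumps))
```

Run on the full listing rather than the sample, the same functions reduce the repeated spoolsv.exe writes to a single SHA256 indicator with a write count, and the masquerading check fires on C:\providercommon\spoolsv.exe because the real Print Spooler binary lives only under C:\Windows\System32. The .bat stubs each hash differently (random names and contents), so they are better handled as a path pattern than as hash indicators.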