Analysis Overview
SHA256
ec5d8d161c944c4ff60d09baa4ad9f1bec43103a026329d3ec415988ee87044f
Threat Level: Known bad
The file ec5d8d161c944c4ff60d09baa4ad9f1bec43103a026329d3ec415988ee87044f was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
DCRat payload
Dcrat family
DcRat
DCRat payload
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-01 11:44
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-01 11:44
Reported
2022-11-01 11:46
Platform
win10-20220901-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
(identical row reported 42 times, once per schtasks.exe child process)
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(identical row reported 14 times)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\providercommon\spoolsv.exe | N/A |
(identical row reported 10 times, once per spoolsv.exe execution)
Legitimate hosting services abused for malware hosting/C2
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchUI.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Multimedia Platform\System.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Multimedia Platform\27d1bcfc3c54e0 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Uninstall Information\0a1fd5f707cd16 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.71\Idle.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\5b884080fd4f94 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\1.3.36.71\6ccacd8608530f | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\dab4d89cac03ec | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\RuntimeBroker.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\9e8d7a4ca61bd9 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Uninstall Information\sppsvc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\fontdrvhost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\5b884080fd4f94 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Logs\HomeGroup\sihost.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\Logs\HomeGroup\66fc9ff0ee96c2 | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\ec5d8d161c944c4ff60d09baa4ad9f1bec43103a026329d3ec415988ee87044f.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | C:\providercommon\DllCommonsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings | C:\providercommon\spoolsv.exe | N/A |
(identical row reported 10 times, once per spoolsv.exe execution)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ec5d8d161c944c4ff60d09baa4ad9f1bec43103a026329d3ec415988ee87044f.exe
"C:\Users\Admin\AppData\Local\Temp\ec5d8d161c944c4ff60d09baa4ad9f1bec43103a026329d3ec415988ee87044f.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\providercommon\ShellExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\providercommon\ShellExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\providercommon\ShellExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\providercommon\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Documents\My Videos\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Videos\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Documents\My Videos\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Windows\Logs\HomeGroup\sihost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Logs\HomeGroup\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\HomeGroup\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.71\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\1.3.36.71\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.71\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchUI.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchUI.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchUI.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\providercommon\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\System.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\System.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Templates\sihost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\All Users\Templates\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Templates\sihost.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\My Videos\System.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\HomeGroup\sihost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\1.3.36.71\Idle.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchUI.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\System.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\sihost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\ShellExperienceHost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\RuntimeBroker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PWgslm4zbP.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VhvmsyECnd.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\be8zRZs4e0.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IrGY9odMle.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3EiKDvRnKw.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\providercommon\spoolsv.exe
"C:\providercommon\spoolsv.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zGIMjSYhT8.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 20.189.173.2:443 | | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
Files
memory/2652-120-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-121-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-122-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-123-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-125-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-126-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-128-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-129-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-130-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-131-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-132-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-133-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-135-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-136-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-134-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-137-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-138-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-139-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-140-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-141-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-142-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-143-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-144-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-145-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-146-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-147-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-148-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-149-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-150-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-151-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-152-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-153-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-154-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-155-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-156-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-157-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-158-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-159-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-160-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-161-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-162-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-163-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-164-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-165-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-166-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-167-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-168-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-169-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-170-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-171-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-172-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-173-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-174-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-175-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-176-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-177-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-178-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-179-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-180-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-181-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-182-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/2652-183-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/1980-184-0x0000000000000000-mapping.dmp
memory/1980-185-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
memory/1980-186-0x0000000077BA0000-0x0000000077D2E000-memory.dmp
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
memory/4556-260-0x0000000000000000-mapping.dmp
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/3152-283-0x0000000000000000-mapping.dmp
memory/3152-286-0x00000000001B0000-0x00000000002C0000-memory.dmp
memory/3152-287-0x00000000008D0000-0x00000000008E2000-memory.dmp
memory/3152-288-0x0000000002560000-0x000000000256C000-memory.dmp
memory/3152-289-0x00000000023D0000-0x00000000023DC000-memory.dmp
memory/3152-290-0x0000000002540000-0x000000000254C000-memory.dmp
memory/2236-291-0x0000000000000000-mapping.dmp
memory/2832-293-0x0000000000000000-mapping.dmp
memory/4836-294-0x0000000000000000-mapping.dmp
memory/2172-295-0x0000000000000000-mapping.dmp
memory/2776-297-0x0000000000000000-mapping.dmp
memory/2608-298-0x0000000000000000-mapping.dmp
memory/816-296-0x0000000000000000-mapping.dmp
memory/2356-299-0x0000000000000000-mapping.dmp
memory/2132-304-0x0000000000000000-mapping.dmp
memory/4264-311-0x0000000000000000-mapping.dmp
memory/1848-322-0x0000000000000000-mapping.dmp
memory/972-316-0x0000000000000000-mapping.dmp
memory/4948-308-0x0000000000000000-mapping.dmp
memory/3800-300-0x0000000000000000-mapping.dmp
memory/2200-292-0x0000000000000000-mapping.dmp
memory/4416-363-0x0000000000000000-mapping.dmp
memory/2832-381-0x000001CE520C0000-0x000001CE520E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\PWgslm4zbP.bat
| MD5 | 974f032b9d4985b67e238195836760e7 |
| SHA1 | 073aca2817e08e9c304ffeb5b524444c7eb59ea3 |
| SHA256 | 26cac475cdc07dbc12d05abcae35165229395fdee157ef0d871b270d0e2844f4 |
| SHA512 | 8d84cc61e33d4fdc7e7a4c697ea2347e5f93c22ff4bf6d3ff22cbfea4cc5e6d1ab091cf4249cc805074d3c2fcd269887cd47d7844cde5e7e7fdd32aae49d669e |
memory/212-399-0x0000000000000000-mapping.dmp
memory/2132-401-0x0000019AB0070000-0x0000019AB00E6000-memory.dmp
memory/1808-580-0x0000000000000000-mapping.dmp
C:\providercommon\spoolsv.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
C:\providercommon\spoolsv.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/1808-639-0x00000000028A0000-0x00000000028B2000-memory.dmp
memory/5128-882-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\VhvmsyECnd.bat
| MD5 | 9a559e7e3fd0255348066cf199bfaa33 |
| SHA1 | 55d131797dc7e954565c003c96b3f4a75f68ca7c |
| SHA256 | 79fb6f577c6b26c855324e950aa519ebf202546c7c16c210732f026477fb6d39 |
| SHA512 | dc7f4c160c24424fe1333663b31d9c2044dd8894fb1306c70748703059e538c2f159cab88f559e8f434ee3f2c64dfa0a29bfdd87a9917a5b86142b7bb9ee7858 |
memory/5232-884-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 794bca7499c793c4f621ad8df8fd78de |
| SHA1 | 191a45fd0dd64e2e8225e80769943cfde11a4a77 |
| SHA256 | 3ccbafd8c55bbb52938a7422c6720a28102e69cabfbf3a9e3be125f53c3f60e1 |
| SHA512 | fa82cc4a4e8acf6897b977dc59860dd04a939423a5787afabeb6ed797227fb22f229499f6e1fd46e9a1dc8cf9a5ac59d22713796c7b898fdd192da3b21e7ad1c |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | ad5cd538ca58cb28ede39c108acb5785 |
| SHA1 | 1ae910026f3dbe90ed025e9e96ead2b5399be877 |
| SHA256 | c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033 |
| SHA512 | c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 794bca7499c793c4f621ad8df8fd78de |
| SHA1 | 191a45fd0dd64e2e8225e80769943cfde11a4a77 |
| SHA256 | 3ccbafd8c55bbb52938a7422c6720a28102e69cabfbf3a9e3be125f53c3f60e1 |
| SHA512 | fa82cc4a4e8acf6897b977dc59860dd04a939423a5787afabeb6ed797227fb22f229499f6e1fd46e9a1dc8cf9a5ac59d22713796c7b898fdd192da3b21e7ad1c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 1a7edda8e497deac257bc67f5912be8b |
| SHA1 | af575ca7a97a8d280561477785692b406b7bf5ea |
| SHA256 | cce496f7be83e77e6f56c2861348b6b4e1cd5029fc39314c3b4632bf84d2b956 |
| SHA512 | c543c362e700d12cc9c7d6223e8e168a5470d703f04ba003d44d64971e1f098e924b8c09fb6c9563f68f9890f3efa379ed2999dbc86f7861af38dee6ad3efc29 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5529b0c4372c5381248b8fe5f3c6fa0a |
| SHA1 | e4ba3c3974d6938480a9fbba3a9574ce6e42da77 |
| SHA256 | b9412dd833a169328cae96c561d5aa6574426f87a01d9140c190d8c7697fd5b9 |
| SHA512 | 6be25d3f9ad71faaf0987271d739404362fc4043d3b5868cce93e3356bb334f2208c84d9eb814866df485d40d177082098824d6c253dab78acd9e98fdcd15caf |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5529b0c4372c5381248b8fe5f3c6fa0a |
| SHA1 | e4ba3c3974d6938480a9fbba3a9574ce6e42da77 |
| SHA256 | b9412dd833a169328cae96c561d5aa6574426f87a01d9140c190d8c7697fd5b9 |
| SHA512 | 6be25d3f9ad71faaf0987271d739404362fc4043d3b5868cce93e3356bb334f2208c84d9eb814866df485d40d177082098824d6c253dab78acd9e98fdcd15caf |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 055d8ebf26a8add9fb0d763baaf6167e |
| SHA1 | c5ce65b3b394ecf55bc06e2ce5dd86feadc12da5 |
| SHA256 | 465a94b416e55880769e44c4938aefe1b24e9b11609ba9078dc8580490ff1aca |
| SHA512 | 2485e6ab897c2620c1905f6892ca0485db02c58a69cd4453e1f947d0c070005f863edb6b3a9ef3ba0146972e37af8bbc3a9b41387429df034821ee8c9b4566f4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 055d8ebf26a8add9fb0d763baaf6167e |
| SHA1 | c5ce65b3b394ecf55bc06e2ce5dd86feadc12da5 |
| SHA256 | 465a94b416e55880769e44c4938aefe1b24e9b11609ba9078dc8580490ff1aca |
| SHA512 | 2485e6ab897c2620c1905f6892ca0485db02c58a69cd4453e1f947d0c070005f863edb6b3a9ef3ba0146972e37af8bbc3a9b41387429df034821ee8c9b4566f4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 055d8ebf26a8add9fb0d763baaf6167e |
| SHA1 | c5ce65b3b394ecf55bc06e2ce5dd86feadc12da5 |
| SHA256 | 465a94b416e55880769e44c4938aefe1b24e9b11609ba9078dc8580490ff1aca |
| SHA512 | 2485e6ab897c2620c1905f6892ca0485db02c58a69cd4453e1f947d0c070005f863edb6b3a9ef3ba0146972e37af8bbc3a9b41387429df034821ee8c9b4566f4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 055d8ebf26a8add9fb0d763baaf6167e |
| SHA1 | c5ce65b3b394ecf55bc06e2ce5dd86feadc12da5 |
| SHA256 | 465a94b416e55880769e44c4938aefe1b24e9b11609ba9078dc8580490ff1aca |
| SHA512 | 2485e6ab897c2620c1905f6892ca0485db02c58a69cd4453e1f947d0c070005f863edb6b3a9ef3ba0146972e37af8bbc3a9b41387429df034821ee8c9b4566f4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 478e53f46a69a899ea092e5f6462c4e4 |
| SHA1 | c543c3afd4eb8dc4d6aa0431e774adeef7c2b297 |
| SHA256 | 9ddef2286a1017fdbe22f3086d4049c71d7efceb23c3dd3a36b1ce3ac7c78319 |
| SHA512 | f858b002fb1923698a2eaf923941e98110c434a00a37ae29f6070fa39cdc1b63c9f28b94a1721da4f8774bfd7d4dcbb31019e68321caddac6a7b77fc54958ddc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 478e53f46a69a899ea092e5f6462c4e4 |
| SHA1 | c543c3afd4eb8dc4d6aa0431e774adeef7c2b297 |
| SHA256 | 9ddef2286a1017fdbe22f3086d4049c71d7efceb23c3dd3a36b1ce3ac7c78319 |
| SHA512 | f858b002fb1923698a2eaf923941e98110c434a00a37ae29f6070fa39cdc1b63c9f28b94a1721da4f8774bfd7d4dcbb31019e68321caddac6a7b77fc54958ddc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 30c35bdc02a952bfb7f292426ff762e0 |
| SHA1 | aa03b4f58529f4edfc0e59b927ee783396a1cdbf |
| SHA256 | 60ded1ff1559ec1cb94bdcff7638e23d9b91775eb04e86d79b171cd06c407dc7 |
| SHA512 | 860cce050428f172c0931b91138d99d44f8c980d5b730e09fe529b9ce5868ac6299315d697b026517629ba563b4a90a0b418a1a5b4a1072771d7f61402dbbb4d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 30c35bdc02a952bfb7f292426ff762e0 |
| SHA1 | aa03b4f58529f4edfc0e59b927ee783396a1cdbf |
| SHA256 | 60ded1ff1559ec1cb94bdcff7638e23d9b91775eb04e86d79b171cd06c407dc7 |
| SHA512 | 860cce050428f172c0931b91138d99d44f8c980d5b730e09fe529b9ce5868ac6299315d697b026517629ba563b4a90a0b418a1a5b4a1072771d7f61402dbbb4d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9af189021b6c1fd7fb611a18bd968f46 |
| SHA1 | 90218c5aa530c2cd88b87fc39469826b9da83fe1 |
| SHA256 | 6c5daaf568c6b52d1a6f8072a748828c27ca7c738843fd7251022f29be68b902 |
| SHA512 | f25392cee1f2c3780104c801525aa4980074a1cdcecea365911a812f9247ea01fc4465268acc383c936c14e8b4f72182715c0677aeac70e8e226727d187f259b |
memory/5408-916-0x0000000000000000-mapping.dmp
C:\providercommon\spoolsv.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log
| MD5 | d63ff49d7c92016feb39812e4db10419 |
| SHA1 | 2307d5e35ca9864ffefc93acf8573ea995ba189b |
| SHA256 | 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12 |
| SHA512 | 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a |
memory/5516-919-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\be8zRZs4e0.bat
| MD5 | a498e97d8b84c0d44a3b50ca3119ffd3 |
| SHA1 | aac60788bcb3c383c901c0ab4230fa1dba29ff08 |
| SHA256 | 2ec5126271d8505e5bbf20e60c560b07443fec630ce5456cdba331382fa4badd |
| SHA512 | b7e5bf0ca5e2fb2601e35f1c7b90dfb78cb16ffb537e4e8d5fc335cd7d1f548988ddee69beb547aa2e338355bf9c2f5be7614b1e289effea08d03f2ca6009736 |
memory/5572-921-0x0000000000000000-mapping.dmp
memory/5596-922-0x0000000000000000-mapping.dmp
C:\providercommon\spoolsv.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/5696-924-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat
| MD5 | 1858f84b7b73cfc217a383938d8a8150 |
| SHA1 | f2d4f39c94b0536ce58c66de2907c4907d5bb56f |
| SHA256 | 605c285c4597920bdd8034383c15a5353364d6d196af343a454636d8f5963bdd |
| SHA512 | ab56ec1da589d522aa81592cbf78095f4eacdf4f327e7ed32af16595ab399680f08e604f59c4f6d2c43049e5dd7bef9184e443f8ab79b34c0437e268283218e7 |
memory/5752-926-0x0000000000000000-mapping.dmp
memory/5772-927-0x0000000000000000-mapping.dmp
C:\providercommon\spoolsv.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/5868-929-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat
| MD5 | 88a7ce9cd7b544d05a86f94cba9a27b5 |
| SHA1 | 9cdfc5303b2a7fb2101c7f37519f8258bc0772aa |
| SHA256 | 16759d19c55967e95a37d2b0bc5c78ec841a61c6b011d76587ba57897d89420b |
| SHA512 | a372fe26342b481c25aa3de7d0901b79a5839ae6a9a82e99d268d2d53ca7c25512f07ca7caba6817f99e2691b757f623d313e2b1f1c2d95b7c8322acfbf17740 |
memory/5924-931-0x0000000000000000-mapping.dmp
memory/5944-932-0x0000000000000000-mapping.dmp
C:\providercommon\spoolsv.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/6044-934-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat
| MD5 | 2d8f36700eed18cb19b066e809dc5e21 |
| SHA1 | 6dacd20c8575597da12d3e0b4415a2c286c17384 |
| SHA256 | 9c4ccc086bd6a026697a748d7016e04ffa27e03d4012072da7d9ae417ff91b29 |
| SHA512 | a85ae8df30a374232279eb355cd4aeb8437db8b2887b6a51c692ad1f905ed846095c2146eb046c325c7cb23de24733bcc1bd996b4344e7eede30fc7b275c19e5 |
memory/6100-936-0x0000000000000000-mapping.dmp
memory/6124-937-0x0000000000000000-mapping.dmp
C:\providercommon\spoolsv.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/5140-939-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat
| MD5 | c69e1cb69599953c63b0855d2975ae88 |
| SHA1 | d13695216683f0db9be9b7284083f083fc0641d0 |
| SHA256 | 6f9bd18d43d08998d864fd62b2ee3b28810e6247fd089ee3cfa4bc0e9eefa1ab |
| SHA512 | 9e59973f752014c4350c9a9bfbf6b919199390dc67dfa46012a05554af1a55f2e25e226f6926fcf6c6412cb6855e3a03b438598525f52b50c61cc4da3806e294 |
memory/5264-941-0x0000000000000000-mapping.dmp
memory/4332-942-0x0000000000000000-mapping.dmp
C:\providercommon\spoolsv.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/4924-944-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\IrGY9odMle.bat
| MD5 | 7dd00e66241426450b56f1f115ceb80e |
| SHA1 | 98639aed96f54eac569e89a9c6f6286d9a18d4d6 |
| SHA256 | 60605d1ab886e82cc1c7705da9d448cca3f4acb08370f6d38d061c28015716be |
| SHA512 | 0de20b247eeffc29c61f2ec8fb1184276c6f5d0863bfdf77be6c689447cf81873f15388b5d45077b455d2c15829b51c2800035c695337e064c39eea90eef7895 |
memory/4256-946-0x0000000000000000-mapping.dmp
memory/1884-947-0x0000000000000000-mapping.dmp
C:\providercommon\spoolsv.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2832-949-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat
| MD5 | abcc3e6cd11705b1229d042deff0f307 |
| SHA1 | 9e6470168afd91974bf7ce07f2c56db0391cfb01 |
| SHA256 | cc2e5af570af0a30d48afaf1155f33c07c7491e694fc14bfd5d52137ac29e339 |
| SHA512 | 96f6411a260f79a31bb2218345801d1890a32ef6d5d485b32ac995791e7b79ddacb2b4aebbfaae7e37fbffa44543be588ff30b311e3e325b159428a23d0c9995 |
memory/5308-951-0x0000000000000000-mapping.dmp
memory/4460-952-0x0000000000000000-mapping.dmp
C:\providercommon\spoolsv.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/5332-954-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3EiKDvRnKw.bat
| MD5 | c6b53e81cd21621deb98acbcbb2e21ce |
| SHA1 | 72cc01701237745c5b3298e063c2083b214a3a09 |
| SHA256 | 424c4da5e8e3371470d3493f662424bb722cca6fbe6d659e58665cd25c63d6f9 |
| SHA512 | e8f61e983cc822d67b4c3ac09db5a2bc9d36ca6ae3fe2630592599731ed9888bafe8511346b70de913747dc30e058990be7bcf9493983f184da1d6be1684920a |
memory/4808-956-0x0000000000000000-mapping.dmp
memory/4956-957-0x0000000000000000-mapping.dmp
C:\providercommon\spoolsv.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/1528-959-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\zGIMjSYhT8.bat
| MD5 | 6cdd9f3084064e977cf457d9c97cac40 |
| SHA1 | 403b28699e84605a3491b212bf0b345af9ee4952 |
| SHA256 | 1b1f4d1f551db1e69dfe6eedc81f0a542f4efd7eb86958b18beec0c65b4c0867 |
| SHA512 | 99e4d63e74f8a7738ea998ab52194be0e2bab62d36e05153e33e29844dbf23c61d5d404bebf8d10816caff1200b3a429f4ab66919d852e2f6a2b165b24a56f9b |
memory/3684-961-0x0000000000000000-mapping.dmp