Malware Analysis Report

2025-08-10 23:16

Sample ID: 221101-nv7m6scecl
Target: ec5d8d161c944c4ff60d09baa4ad9f1bec43103a026329d3ec415988ee87044f
SHA256: ec5d8d161c944c4ff60d09baa4ad9f1bec43103a026329d3ec415988ee87044f
Tags: dcrat infostealer rat
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: ec5d8d161c944c4ff60d09baa4ad9f1bec43103a026329d3ec415988ee87044f

Threat Level: Known bad

The file ec5d8d161c944c4ff60d09baa4ad9f1bec43103a026329d3ec415988ee87044f was found to be: Known bad.

Malicious Activity Summary

dcrat infostealer rat

Process spawned unexpected child process

DCRat payload

Dcrat family

DcRat

DCRat payload

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-11-01 11:44

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Analysis: behavioral1

Detonation Overview

Submitted: 2022-11-01 11:44

Reported: 2022-11-01 11:46

Platform: win10-20220901-en

Max time kernel: 150s

Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ec5d8d161c944c4ff60d09baa4ad9f1bec43103a026329d3ec415988ee87044f.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchUI.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\System.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Multimedia Platform\27d1bcfc3c54e0 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Uninstall Information\0a1fd5f707cd16 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Google\Update\1.3.36.71\Idle.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\5b884080fd4f94 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Google\Update\1.3.36.71\6ccacd8608530f C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\dab4d89cac03ec C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\RuntimeBroker.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\9e8d7a4ca61bd9 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Uninstall Information\sppsvc.exe C:\providercommon\DllCommonsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\fontdrvhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\5b884080fd4f94 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Logs\HomeGroup\sihost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Windows\Logs\HomeGroup\66fc9ff0ee96c2 C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\ec5d8d161c944c4ff60d09baa4ad9f1bec43103a026329d3ec415988ee87044f.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings C:\providercommon\DllCommonsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings C:\providercommon\spoolsv.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\providercommon\spoolsv.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2652 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\ec5d8d161c944c4ff60d09baa4ad9f1bec43103a026329d3ec415988ee87044f.exe C:\Windows\SysWOW64\WScript.exe
PID 1980 wrote to memory of 4556 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4556 wrote to memory of 3152 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 3152 wrote to memory of 2236 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3152 wrote to memory of 2200 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3152 wrote to memory of 2832 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3152 wrote to memory of 4836 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3152 wrote to memory of 2172 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3152 wrote to memory of 816 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3152 wrote to memory of 2776 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3152 wrote to memory of 2608 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3152 wrote to memory of 2356 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3152 wrote to memory of 3800 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3152 wrote to memory of 2132 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3152 wrote to memory of 4948 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3152 wrote to memory of 4264 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3152 wrote to memory of 972 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3152 wrote to memory of 1848 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3152 wrote to memory of 4416 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 4416 wrote to memory of 212 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4416 wrote to memory of 1808 N/A C:\Windows\System32\cmd.exe C:\providercommon\spoolsv.exe
PID 1808 wrote to memory of 5128 N/A C:\providercommon\spoolsv.exe C:\Windows\System32\cmd.exe
PID 5128 wrote to memory of 5232 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5128 wrote to memory of 5408 N/A C:\Windows\System32\cmd.exe C:\providercommon\spoolsv.exe
PID 5408 wrote to memory of 5516 N/A C:\providercommon\spoolsv.exe C:\Windows\System32\cmd.exe
PID 5516 wrote to memory of 5572 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5516 wrote to memory of 5596 N/A C:\Windows\System32\cmd.exe C:\providercommon\spoolsv.exe
PID 5596 wrote to memory of 5696 N/A C:\providercommon\spoolsv.exe C:\Windows\System32\cmd.exe
PID 5696 wrote to memory of 5752 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5696 wrote to memory of 5772 N/A C:\Windows\System32\cmd.exe C:\providercommon\spoolsv.exe
PID 5772 wrote to memory of 5868 N/A C:\providercommon\spoolsv.exe C:\Windows\System32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ec5d8d161c944c4ff60d09baa4ad9f1bec43103a026329d3ec415988ee87044f.exe

"C:\Users\Admin\AppData\Local\Temp\ec5d8d161c944c4ff60d09baa4ad9f1bec43103a026329d3ec415988ee87044f.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\providercommon\ShellExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\providercommon\ShellExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\providercommon\ShellExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\providercommon\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Documents\My Videos\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Videos\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Documents\My Videos\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Windows\Logs\HomeGroup\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Logs\HomeGroup\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\HomeGroup\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.71\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\1.3.36.71\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.71\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchUI.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchUI.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchUI.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\providercommon\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Templates\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\All Users\Templates\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Templates\sihost.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\Download\ef8525dacdbd990854d9abd6532181fa\cbshandler\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\My Videos\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\HomeGroup\sihost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\1.3.36.71\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\SearchUI.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\sihost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\ShellExperienceHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PWgslm4zbP.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\spoolsv.exe

"C:\providercommon\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VhvmsyECnd.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\spoolsv.exe

"C:\providercommon\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\be8zRZs4e0.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\spoolsv.exe

"C:\providercommon\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\spoolsv.exe

"C:\providercommon\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\spoolsv.exe

"C:\providercommon\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\spoolsv.exe

"C:\providercommon\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\spoolsv.exe

"C:\providercommon\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IrGY9odMle.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\spoolsv.exe

"C:\providercommon\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\spoolsv.exe

"C:\providercommon\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3EiKDvRnKw.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\providercommon\spoolsv.exe

"C:\providercommon\spoolsv.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zGIMjSYhT8.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 20.189.173.2:443 tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp

Files

memory/2652-120-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-121-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-122-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-123-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-125-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-126-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-128-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-129-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-130-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-131-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-132-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-133-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-135-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-136-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-134-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-137-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-138-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-139-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-140-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-141-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-142-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-143-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-144-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-145-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-146-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-147-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-148-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-149-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-150-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-151-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-152-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-153-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-154-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-155-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-156-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-157-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-158-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-159-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-160-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-161-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-162-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-163-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-164-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-165-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-166-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-167-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-168-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-169-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-170-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-171-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-172-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-173-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-174-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-175-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-176-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-177-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-178-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-179-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-180-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-181-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-182-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/2652-183-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/1980-184-0x0000000000000000-mapping.dmp

memory/1980-185-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

memory/1980-186-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

memory/4556-260-0x0000000000000000-mapping.dmp

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/3152-283-0x0000000000000000-mapping.dmp

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/3152-286-0x00000000001B0000-0x00000000002C0000-memory.dmp

memory/3152-287-0x00000000008D0000-0x00000000008E2000-memory.dmp

memory/3152-288-0x0000000002560000-0x000000000256C000-memory.dmp

memory/3152-289-0x00000000023D0000-0x00000000023DC000-memory.dmp

memory/3152-290-0x0000000002540000-0x000000000254C000-memory.dmp

memory/2236-291-0x0000000000000000-mapping.dmp

memory/2832-293-0x0000000000000000-mapping.dmp

memory/4836-294-0x0000000000000000-mapping.dmp

memory/2172-295-0x0000000000000000-mapping.dmp

memory/2776-297-0x0000000000000000-mapping.dmp

memory/2608-298-0x0000000000000000-mapping.dmp

memory/816-296-0x0000000000000000-mapping.dmp

memory/2356-299-0x0000000000000000-mapping.dmp

memory/2132-304-0x0000000000000000-mapping.dmp

memory/4264-311-0x0000000000000000-mapping.dmp

memory/1848-322-0x0000000000000000-mapping.dmp

memory/972-316-0x0000000000000000-mapping.dmp

memory/4948-308-0x0000000000000000-mapping.dmp

memory/3800-300-0x0000000000000000-mapping.dmp

memory/2200-292-0x0000000000000000-mapping.dmp

memory/4416-363-0x0000000000000000-mapping.dmp

memory/2832-381-0x000001CE520C0000-0x000001CE520E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PWgslm4zbP.bat

MD5 974f032b9d4985b67e238195836760e7
SHA1 073aca2817e08e9c304ffeb5b524444c7eb59ea3
SHA256 26cac475cdc07dbc12d05abcae35165229395fdee157ef0d871b270d0e2844f4
SHA512 8d84cc61e33d4fdc7e7a4c697ea2347e5f93c22ff4bf6d3ff22cbfea4cc5e6d1ab091cf4249cc805074d3c2fcd269887cd47d7844cde5e7e7fdd32aae49d669e

memory/212-399-0x0000000000000000-mapping.dmp

memory/2132-401-0x0000019AB0070000-0x0000019AB00E6000-memory.dmp

memory/1808-580-0x0000000000000000-mapping.dmp

C:\providercommon\spoolsv.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\providercommon\spoolsv.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/1808-639-0x00000000028A0000-0x00000000028B2000-memory.dmp

memory/5128-882-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\VhvmsyECnd.bat

MD5 9a559e7e3fd0255348066cf199bfaa33
SHA1 55d131797dc7e954565c003c96b3f4a75f68ca7c
SHA256 79fb6f577c6b26c855324e950aa519ebf202546c7c16c210732f026477fb6d39
SHA512 dc7f4c160c24424fe1333663b31d9c2044dd8894fb1306c70748703059e538c2f159cab88f559e8f434ee3f2c64dfa0a29bfdd87a9917a5b86142b7bb9ee7858

memory/5232-884-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 794bca7499c793c4f621ad8df8fd78de
SHA1 191a45fd0dd64e2e8225e80769943cfde11a4a77
SHA256 3ccbafd8c55bbb52938a7422c6720a28102e69cabfbf3a9e3be125f53c3f60e1
SHA512 fa82cc4a4e8acf6897b977dc59860dd04a939423a5787afabeb6ed797227fb22f229499f6e1fd46e9a1dc8cf9a5ac59d22713796c7b898fdd192da3b21e7ad1c

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ad5cd538ca58cb28ede39c108acb5785
SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 794bca7499c793c4f621ad8df8fd78de
SHA1 191a45fd0dd64e2e8225e80769943cfde11a4a77
SHA256 3ccbafd8c55bbb52938a7422c6720a28102e69cabfbf3a9e3be125f53c3f60e1
SHA512 fa82cc4a4e8acf6897b977dc59860dd04a939423a5787afabeb6ed797227fb22f229499f6e1fd46e9a1dc8cf9a5ac59d22713796c7b898fdd192da3b21e7ad1c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1a7edda8e497deac257bc67f5912be8b
SHA1 af575ca7a97a8d280561477785692b406b7bf5ea
SHA256 cce496f7be83e77e6f56c2861348b6b4e1cd5029fc39314c3b4632bf84d2b956
SHA512 c543c362e700d12cc9c7d6223e8e168a5470d703f04ba003d44d64971e1f098e924b8c09fb6c9563f68f9890f3efa379ed2999dbc86f7861af38dee6ad3efc29

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5529b0c4372c5381248b8fe5f3c6fa0a
SHA1 e4ba3c3974d6938480a9fbba3a9574ce6e42da77
SHA256 b9412dd833a169328cae96c561d5aa6574426f87a01d9140c190d8c7697fd5b9
SHA512 6be25d3f9ad71faaf0987271d739404362fc4043d3b5868cce93e3356bb334f2208c84d9eb814866df485d40d177082098824d6c253dab78acd9e98fdcd15caf

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5529b0c4372c5381248b8fe5f3c6fa0a
SHA1 e4ba3c3974d6938480a9fbba3a9574ce6e42da77
SHA256 b9412dd833a169328cae96c561d5aa6574426f87a01d9140c190d8c7697fd5b9
SHA512 6be25d3f9ad71faaf0987271d739404362fc4043d3b5868cce93e3356bb334f2208c84d9eb814866df485d40d177082098824d6c253dab78acd9e98fdcd15caf

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 055d8ebf26a8add9fb0d763baaf6167e
SHA1 c5ce65b3b394ecf55bc06e2ce5dd86feadc12da5
SHA256 465a94b416e55880769e44c4938aefe1b24e9b11609ba9078dc8580490ff1aca
SHA512 2485e6ab897c2620c1905f6892ca0485db02c58a69cd4453e1f947d0c070005f863edb6b3a9ef3ba0146972e37af8bbc3a9b41387429df034821ee8c9b4566f4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 055d8ebf26a8add9fb0d763baaf6167e
SHA1 c5ce65b3b394ecf55bc06e2ce5dd86feadc12da5
SHA256 465a94b416e55880769e44c4938aefe1b24e9b11609ba9078dc8580490ff1aca
SHA512 2485e6ab897c2620c1905f6892ca0485db02c58a69cd4453e1f947d0c070005f863edb6b3a9ef3ba0146972e37af8bbc3a9b41387429df034821ee8c9b4566f4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 055d8ebf26a8add9fb0d763baaf6167e
SHA1 c5ce65b3b394ecf55bc06e2ce5dd86feadc12da5
SHA256 465a94b416e55880769e44c4938aefe1b24e9b11609ba9078dc8580490ff1aca
SHA512 2485e6ab897c2620c1905f6892ca0485db02c58a69cd4453e1f947d0c070005f863edb6b3a9ef3ba0146972e37af8bbc3a9b41387429df034821ee8c9b4566f4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 055d8ebf26a8add9fb0d763baaf6167e
SHA1 c5ce65b3b394ecf55bc06e2ce5dd86feadc12da5
SHA256 465a94b416e55880769e44c4938aefe1b24e9b11609ba9078dc8580490ff1aca
SHA512 2485e6ab897c2620c1905f6892ca0485db02c58a69cd4453e1f947d0c070005f863edb6b3a9ef3ba0146972e37af8bbc3a9b41387429df034821ee8c9b4566f4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 478e53f46a69a899ea092e5f6462c4e4
SHA1 c543c3afd4eb8dc4d6aa0431e774adeef7c2b297
SHA256 9ddef2286a1017fdbe22f3086d4049c71d7efceb23c3dd3a36b1ce3ac7c78319
SHA512 f858b002fb1923698a2eaf923941e98110c434a00a37ae29f6070fa39cdc1b63c9f28b94a1721da4f8774bfd7d4dcbb31019e68321caddac6a7b77fc54958ddc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 478e53f46a69a899ea092e5f6462c4e4
SHA1 c543c3afd4eb8dc4d6aa0431e774adeef7c2b297
SHA256 9ddef2286a1017fdbe22f3086d4049c71d7efceb23c3dd3a36b1ce3ac7c78319
SHA512 f858b002fb1923698a2eaf923941e98110c434a00a37ae29f6070fa39cdc1b63c9f28b94a1721da4f8774bfd7d4dcbb31019e68321caddac6a7b77fc54958ddc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 30c35bdc02a952bfb7f292426ff762e0
SHA1 aa03b4f58529f4edfc0e59b927ee783396a1cdbf
SHA256 60ded1ff1559ec1cb94bdcff7638e23d9b91775eb04e86d79b171cd06c407dc7
SHA512 860cce050428f172c0931b91138d99d44f8c980d5b730e09fe529b9ce5868ac6299315d697b026517629ba563b4a90a0b418a1a5b4a1072771d7f61402dbbb4d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 30c35bdc02a952bfb7f292426ff762e0
SHA1 aa03b4f58529f4edfc0e59b927ee783396a1cdbf
SHA256 60ded1ff1559ec1cb94bdcff7638e23d9b91775eb04e86d79b171cd06c407dc7
SHA512 860cce050428f172c0931b91138d99d44f8c980d5b730e09fe529b9ce5868ac6299315d697b026517629ba563b4a90a0b418a1a5b4a1072771d7f61402dbbb4d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9af189021b6c1fd7fb611a18bd968f46
SHA1 90218c5aa530c2cd88b87fc39469826b9da83fe1
SHA256 6c5daaf568c6b52d1a6f8072a748828c27ca7c738843fd7251022f29be68b902
SHA512 f25392cee1f2c3780104c801525aa4980074a1cdcecea365911a812f9247ea01fc4465268acc383c936c14e8b4f72182715c0677aeac70e8e226727d187f259b

memory/5408-916-0x0000000000000000-mapping.dmp

C:\providercommon\spoolsv.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

MD5 d63ff49d7c92016feb39812e4db10419
SHA1 2307d5e35ca9864ffefc93acf8573ea995ba189b
SHA256 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12
SHA512 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

memory/5516-919-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\be8zRZs4e0.bat

MD5 a498e97d8b84c0d44a3b50ca3119ffd3
SHA1 aac60788bcb3c383c901c0ab4230fa1dba29ff08
SHA256 2ec5126271d8505e5bbf20e60c560b07443fec630ce5456cdba331382fa4badd
SHA512 b7e5bf0ca5e2fb2601e35f1c7b90dfb78cb16ffb537e4e8d5fc335cd7d1f548988ddee69beb547aa2e338355bf9c2f5be7614b1e289effea08d03f2ca6009736

memory/5572-921-0x0000000000000000-mapping.dmp

memory/5596-922-0x0000000000000000-mapping.dmp

C:\providercommon\spoolsv.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/5696-924-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat

MD5 1858f84b7b73cfc217a383938d8a8150
SHA1 f2d4f39c94b0536ce58c66de2907c4907d5bb56f
SHA256 605c285c4597920bdd8034383c15a5353364d6d196af343a454636d8f5963bdd
SHA512 ab56ec1da589d522aa81592cbf78095f4eacdf4f327e7ed32af16595ab399680f08e604f59c4f6d2c43049e5dd7bef9184e443f8ab79b34c0437e268283218e7

memory/5752-926-0x0000000000000000-mapping.dmp

memory/5772-927-0x0000000000000000-mapping.dmp

C:\providercommon\spoolsv.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/5868-929-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat

MD5 88a7ce9cd7b544d05a86f94cba9a27b5
SHA1 9cdfc5303b2a7fb2101c7f37519f8258bc0772aa
SHA256 16759d19c55967e95a37d2b0bc5c78ec841a61c6b011d76587ba57897d89420b
SHA512 a372fe26342b481c25aa3de7d0901b79a5839ae6a9a82e99d268d2d53ca7c25512f07ca7caba6817f99e2691b757f623d313e2b1f1c2d95b7c8322acfbf17740

memory/5924-931-0x0000000000000000-mapping.dmp

memory/5944-932-0x0000000000000000-mapping.dmp

C:\providercommon\spoolsv.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/6044-934-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat

MD5 2d8f36700eed18cb19b066e809dc5e21
SHA1 6dacd20c8575597da12d3e0b4415a2c286c17384
SHA256 9c4ccc086bd6a026697a748d7016e04ffa27e03d4012072da7d9ae417ff91b29
SHA512 a85ae8df30a374232279eb355cd4aeb8437db8b2887b6a51c692ad1f905ed846095c2146eb046c325c7cb23de24733bcc1bd996b4344e7eede30fc7b275c19e5

memory/6100-936-0x0000000000000000-mapping.dmp

memory/6124-937-0x0000000000000000-mapping.dmp

C:\providercommon\spoolsv.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/5140-939-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat

MD5 c69e1cb69599953c63b0855d2975ae88
SHA1 d13695216683f0db9be9b7284083f083fc0641d0
SHA256 6f9bd18d43d08998d864fd62b2ee3b28810e6247fd089ee3cfa4bc0e9eefa1ab
SHA512 9e59973f752014c4350c9a9bfbf6b919199390dc67dfa46012a05554af1a55f2e25e226f6926fcf6c6412cb6855e3a03b438598525f52b50c61cc4da3806e294

memory/5264-941-0x0000000000000000-mapping.dmp

memory/4332-942-0x0000000000000000-mapping.dmp

C:\providercommon\spoolsv.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/4924-944-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\IrGY9odMle.bat

MD5 7dd00e66241426450b56f1f115ceb80e
SHA1 98639aed96f54eac569e89a9c6f6286d9a18d4d6
SHA256 60605d1ab886e82cc1c7705da9d448cca3f4acb08370f6d38d061c28015716be
SHA512 0de20b247eeffc29c61f2ec8fb1184276c6f5d0863bfdf77be6c689447cf81873f15388b5d45077b455d2c15829b51c2800035c695337e064c39eea90eef7895

memory/4256-946-0x0000000000000000-mapping.dmp

memory/1884-947-0x0000000000000000-mapping.dmp

C:\providercommon\spoolsv.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/2832-949-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat

MD5 abcc3e6cd11705b1229d042deff0f307
SHA1 9e6470168afd91974bf7ce07f2c56db0391cfb01
SHA256 cc2e5af570af0a30d48afaf1155f33c07c7491e694fc14bfd5d52137ac29e339
SHA512 96f6411a260f79a31bb2218345801d1890a32ef6d5d485b32ac995791e7b79ddacb2b4aebbfaae7e37fbffa44543be588ff30b311e3e325b159428a23d0c9995

memory/5308-951-0x0000000000000000-mapping.dmp

memory/4460-952-0x0000000000000000-mapping.dmp

C:\providercommon\spoolsv.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/5332-954-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\3EiKDvRnKw.bat

MD5 c6b53e81cd21621deb98acbcbb2e21ce
SHA1 72cc01701237745c5b3298e063c2083b214a3a09
SHA256 424c4da5e8e3371470d3493f662424bb722cca6fbe6d659e58665cd25c63d6f9
SHA512 e8f61e983cc822d67b4c3ac09db5a2bc9d36ca6ae3fe2630592599731ed9888bafe8511346b70de913747dc30e058990be7bcf9493983f184da1d6be1684920a

memory/4808-956-0x0000000000000000-mapping.dmp

memory/4956-957-0x0000000000000000-mapping.dmp

C:\providercommon\spoolsv.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

memory/1528-959-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\zGIMjSYhT8.bat

MD5 6cdd9f3084064e977cf457d9c97cac40
SHA1 403b28699e84605a3491b212bf0b345af9ee4952
SHA256 1b1f4d1f551db1e69dfe6eedc81f0a542f4efd7eb86958b18beec0c65b4c0867
SHA512 99e4d63e74f8a7738ea998ab52194be0e2bab62d36e05153e33e29844dbf23c61d5d404bebf8d10816caff1200b3a429f4ab66919d852e2f6a2b165b24a56f9b

memory/3684-961-0x0000000000000000-mapping.dmp