dcrat | 0355490f79b48b672e641bf621e65567f579945dbfcff367970f6bd4606658bc

Analysis

max time kernel
149s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2022 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0355490f79b48b672e641bf621e65567f579945dbfcff367970f6bd4606658bc.exe
Size

1.3MB
MD5

498a9c7a19e83bdea6b531ed1bc0100e
SHA1

f42f014749a6bf44f7683c83253f4763c68b3098
SHA256

0355490f79b48b672e641bf621e65567f579945dbfcff367970f6bd4606658bc
SHA512

e9251604e103946492d5f876ad8e581865410b21bfb53794572274b5fa3bd4e53d96d77bd573d1beceeb42832cb0bc4db100ce00e5911e22e932e4ebbcda35de
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4728	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3904	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3504	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4232	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3380	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3372	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	360	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3860	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3464	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	4348	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	4348	schtasks.exe	85

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0006000000022e46-137.dat	dcrat
behavioral1/files/0x0006000000022e46-138.dat	dcrat
behavioral1/memory/4768-139-0x0000000000570000-0x0000000000680000-memory.dmp	dcrat
behavioral1/files/0x0006000000022e6f-163.dat	dcrat
behavioral1/files/0x0006000000022e6f-162.dat	dcrat
behavioral1/files/0x0006000000022e6f-219.dat	dcrat
behavioral1/files/0x0006000000022e6f-227.dat	dcrat
behavioral1/files/0x0006000000022e6f-234.dat	dcrat
behavioral1/files/0x0006000000022e6f-241.dat	dcrat
behavioral1/files/0x0006000000022e6f-248.dat	dcrat
behavioral1/files/0x0006000000022e6f-255.dat	dcrat
behavioral1/files/0x0006000000022e6f-262.dat	dcrat
behavioral1/files/0x0006000000022e6f-269.dat	dcrat

Executes dropped EXE 10 IoCs

pid	Process
4768	DllCommonsvc.exe
1488	spoolsv.exe
5568	spoolsv.exe
6124	spoolsv.exe
5272	spoolsv.exe
2108	spoolsv.exe
3548	spoolsv.exe
1068	spoolsv.exe
4872	spoolsv.exe
5052	spoolsv.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	0355490f79b48b672e641bf621e65567f579945dbfcff367970f6bd4606658bc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	spoolsv.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\SppExtComObj.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\e1ef82546f0b02	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\Temp\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\24dbde2999530e	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Adobe\taskhostw.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\Temp\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\taskhostw.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\ea9f0e6c9e2dcd	DllCommonsvc.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\OCR\en-us\upfc.exe	DllCommonsvc.exe
File created	C:\Windows\PolicyDefinitions\es-ES\winlogon.exe	DllCommonsvc.exe
File created	C:\Windows\PolicyDefinitions\es-ES\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Windows\Help\Help\sihost.exe	DllCommonsvc.exe
File created	C:\Windows\Help\Help\66fc9ff0ee96c2	DllCommonsvc.exe
File created	C:\Windows\Migration\WTR\services.exe	DllCommonsvc.exe
File created	C:\Windows\Migration\WTR\c5b4cb5e9653cc	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2248	schtasks.exe
3116	schtasks.exe
2320	schtasks.exe
1948	schtasks.exe
2336	schtasks.exe
3504	schtasks.exe
4320	schtasks.exe
3464	schtasks.exe
1404	schtasks.exe
2468	schtasks.exe
3904	schtasks.exe
1348	schtasks.exe
5044	schtasks.exe
1420	schtasks.exe
400	schtasks.exe
376	schtasks.exe
4232	schtasks.exe
4204	schtasks.exe
2252	schtasks.exe
228	schtasks.exe
4728	schtasks.exe
3888	schtasks.exe
2312	schtasks.exe
4672	schtasks.exe
3736	schtasks.exe
1288	schtasks.exe
2264	schtasks.exe
372	schtasks.exe
4572	schtasks.exe
572	schtasks.exe
3660	schtasks.exe
976	schtasks.exe
4720	schtasks.exe
2424	schtasks.exe
3380	schtasks.exe
3372	schtasks.exe
4964	schtasks.exe
360	schtasks.exe
3860	schtasks.exe
1488	schtasks.exe
1408	schtasks.exe
4416	schtasks.exe
1960	schtasks.exe
2728	schtasks.exe
5052	schtasks.exe
4476	schtasks.exe
1592	schtasks.exe
2052	schtasks.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	0355490f79b48b672e641bf621e65567f579945dbfcff367970f6bd4606658bc.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4768	DllCommonsvc.exe
4768	DllCommonsvc.exe
4768	DllCommonsvc.exe
4768	DllCommonsvc.exe
4768	DllCommonsvc.exe
4768	DllCommonsvc.exe
4768	DllCommonsvc.exe
4768	DllCommonsvc.exe
4768	DllCommonsvc.exe
4768	DllCommonsvc.exe
4768	DllCommonsvc.exe
4768	DllCommonsvc.exe
4768	DllCommonsvc.exe
4768	DllCommonsvc.exe
4768	DllCommonsvc.exe
4768	DllCommonsvc.exe
4768	DllCommonsvc.exe
4768	DllCommonsvc.exe
4768	DllCommonsvc.exe
4768	DllCommonsvc.exe
4768	DllCommonsvc.exe
4768	DllCommonsvc.exe
4768	DllCommonsvc.exe
4768	DllCommonsvc.exe
4768	DllCommonsvc.exe
4768	DllCommonsvc.exe
4768	DllCommonsvc.exe
4768	DllCommonsvc.exe
4768	DllCommonsvc.exe
4768	DllCommonsvc.exe
4768	DllCommonsvc.exe
4768	DllCommonsvc.exe
4768	DllCommonsvc.exe
4768	DllCommonsvc.exe
4768	DllCommonsvc.exe
4768	DllCommonsvc.exe
4768	DllCommonsvc.exe
4768	DllCommonsvc.exe
4768	DllCommonsvc.exe
3052	powershell.exe
3052	powershell.exe
4656	powershell.exe
4656	powershell.exe
784	powershell.exe
784	powershell.exe
3484	powershell.exe
3484	powershell.exe
3644	powershell.exe
3644	powershell.exe
2324	powershell.exe
2324	powershell.exe
1268	powershell.exe
1268	powershell.exe
3732	powershell.exe
3732	powershell.exe
3268	powershell.exe
3268	powershell.exe
4040	powershell.exe
4040	powershell.exe
3468	powershell.exe
3468	powershell.exe
1172	powershell.exe
1172	powershell.exe
3216	powershell.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	4768	DllCommonsvc.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	784	powershell.exe
Token: SeDebugPrivilege	3484	powershell.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	3732	powershell.exe
Token: SeDebugPrivilege	3268	powershell.exe
Token: SeDebugPrivilege	4040	powershell.exe
Token: SeDebugPrivilege	3468	powershell.exe
Token: SeDebugPrivilege	1172	powershell.exe
Token: SeDebugPrivilege	3216	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	3836	powershell.exe
Token: SeDebugPrivilege	4064	powershell.exe
Token: SeDebugPrivilege	3604	powershell.exe
Token: SeDebugPrivilege	1488	spoolsv.exe
Token: SeDebugPrivilege	5568	spoolsv.exe
Token: SeDebugPrivilege	6124	spoolsv.exe
Token: SeDebugPrivilege	5272	spoolsv.exe
Token: SeDebugPrivilege	2108	spoolsv.exe
Token: SeDebugPrivilege	3548	spoolsv.exe
Token: SeDebugPrivilege	1068	spoolsv.exe
Token: SeDebugPrivilege	4872	spoolsv.exe
Token: SeDebugPrivilege	5052	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3988 wrote to memory of 4960	3988	0355490f79b48b672e641bf621e65567f579945dbfcff367970f6bd4606658bc.exe	81
PID 3988 wrote to memory of 4960	3988	0355490f79b48b672e641bf621e65567f579945dbfcff367970f6bd4606658bc.exe	81
PID 3988 wrote to memory of 4960	3988	0355490f79b48b672e641bf621e65567f579945dbfcff367970f6bd4606658bc.exe	81
PID 4960 wrote to memory of 4308	4960	WScript.exe	82
PID 4960 wrote to memory of 4308	4960	WScript.exe	82
PID 4960 wrote to memory of 4308	4960	WScript.exe	82
PID 4308 wrote to memory of 4768	4308	cmd.exe	84
PID 4308 wrote to memory of 4768	4308	cmd.exe	84
PID 4768 wrote to memory of 2324	4768	DllCommonsvc.exe	134
PID 4768 wrote to memory of 2324	4768	DllCommonsvc.exe	134
PID 4768 wrote to memory of 4656	4768	DllCommonsvc.exe	135
PID 4768 wrote to memory of 4656	4768	DllCommonsvc.exe	135
PID 4768 wrote to memory of 3052	4768	DllCommonsvc.exe	137
PID 4768 wrote to memory of 3052	4768	DllCommonsvc.exe	137
PID 4768 wrote to memory of 784	4768	DllCommonsvc.exe	138
PID 4768 wrote to memory of 784	4768	DllCommonsvc.exe	138
PID 4768 wrote to memory of 3644	4768	DllCommonsvc.exe	139
PID 4768 wrote to memory of 3644	4768	DllCommonsvc.exe	139
PID 4768 wrote to memory of 3484	4768	DllCommonsvc.exe	140
PID 4768 wrote to memory of 3484	4768	DllCommonsvc.exe	140
PID 4768 wrote to memory of 3732	4768	DllCommonsvc.exe	141
PID 4768 wrote to memory of 3732	4768	DllCommonsvc.exe	141
PID 4768 wrote to memory of 1268	4768	DllCommonsvc.exe	147
PID 4768 wrote to memory of 1268	4768	DllCommonsvc.exe	147
PID 4768 wrote to memory of 3268	4768	DllCommonsvc.exe	145
PID 4768 wrote to memory of 3268	4768	DllCommonsvc.exe	145
PID 4768 wrote to memory of 3468	4768	DllCommonsvc.exe	154
PID 4768 wrote to memory of 3468	4768	DllCommonsvc.exe	154
PID 4768 wrote to memory of 4040	4768	DllCommonsvc.exe	153
PID 4768 wrote to memory of 4040	4768	DllCommonsvc.exe	153
PID 4768 wrote to memory of 1172	4768	DllCommonsvc.exe	150
PID 4768 wrote to memory of 1172	4768	DllCommonsvc.exe	150
PID 4768 wrote to memory of 2120	4768	DllCommonsvc.exe	157
PID 4768 wrote to memory of 2120	4768	DllCommonsvc.exe	157
PID 4768 wrote to memory of 3836	4768	DllCommonsvc.exe	158
PID 4768 wrote to memory of 3836	4768	DllCommonsvc.exe	158
PID 4768 wrote to memory of 3216	4768	DllCommonsvc.exe	159
PID 4768 wrote to memory of 3216	4768	DllCommonsvc.exe	159
PID 4768 wrote to memory of 4064	4768	DllCommonsvc.exe	161
PID 4768 wrote to memory of 4064	4768	DllCommonsvc.exe	161
PID 4768 wrote to memory of 3604	4768	DllCommonsvc.exe	166
PID 4768 wrote to memory of 3604	4768	DllCommonsvc.exe	166
PID 4768 wrote to memory of 1488	4768	DllCommonsvc.exe	168
PID 4768 wrote to memory of 1488	4768	DllCommonsvc.exe	168
PID 1488 wrote to memory of 5468	1488	spoolsv.exe	171
PID 1488 wrote to memory of 5468	1488	spoolsv.exe	171
PID 5468 wrote to memory of 5520	5468	cmd.exe	172
PID 5468 wrote to memory of 5520	5468	cmd.exe	172
PID 5468 wrote to memory of 5568	5468	cmd.exe	173
PID 5468 wrote to memory of 5568	5468	cmd.exe	173
PID 5568 wrote to memory of 5892	5568	spoolsv.exe	180
PID 5568 wrote to memory of 5892	5568	spoolsv.exe	180
PID 5892 wrote to memory of 5960	5892	cmd.exe	179
PID 5892 wrote to memory of 5960	5892	cmd.exe	179
PID 5892 wrote to memory of 6124	5892	cmd.exe	183
PID 5892 wrote to memory of 6124	5892	cmd.exe	183
PID 6124 wrote to memory of 5228	6124	spoolsv.exe	185
PID 6124 wrote to memory of 5228	6124	spoolsv.exe	185
PID 5228 wrote to memory of 2860	5228	cmd.exe	186
PID 5228 wrote to memory of 2860	5228	cmd.exe	186
PID 5228 wrote to memory of 5272	5228	cmd.exe	187
PID 5228 wrote to memory of 5272	5228	cmd.exe	187
PID 5272 wrote to memory of 2388	5272	spoolsv.exe	188
PID 5272 wrote to memory of 2388	5272	spoolsv.exe	188

C:\Users\Admin\AppData\Local\Temp\0355490f79b48b672e641bf621e65567f579945dbfcff367970f6bd4606658bc.exe
"C:\Users\Admin\AppData\Local\Temp\0355490f79b48b672e641bf621e65567f579945dbfcff367970f6bd4606658bc.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4308
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\WmiPrvSE.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\es-ES\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\Help\sihost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Temp\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1172
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\SppExtComObj.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\SIGNUP\WmiPrvSE.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\explorer.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\services.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\spoolsv.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3604
    - - C:\Users\All Users\Templates\spoolsv.exe
        
        "C:\Users\All Users\Templates\spoolsv.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1488
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zlmto9DLwM.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5468
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:5520
        
        C:\Users\All Users\Templates\spoolsv.exe
        
        "C:\Users\All Users\Templates\spoolsv.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vIn8vbLsXf.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5892
        
        C:\Users\All Users\Templates\spoolsv.exe
        
        "C:\Users\All Users\Templates\spoolsv.exe"
        9⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:6124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wqkq749RcZ.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5228
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2860
        
        C:\Users\All Users\Templates\spoolsv.exe
        
        "C:\Users\All Users\Templates\spoolsv.exe"
        11⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5272
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\E3sOpJujjE.bat"
        12⤵
        
        PID:2388
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:3408
        
        C:\Users\All Users\Templates\spoolsv.exe
        
        "C:\Users\All Users\Templates\spoolsv.exe"
        13⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat"
        14⤵
        
        PID:5000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:3112
        
        C:\Users\All Users\Templates\spoolsv.exe
        
        "C:\Users\All Users\Templates\spoolsv.exe"
        15⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kXH0MsH7jV.bat"
        16⤵
        
        PID:1888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1824
        
        C:\Users\All Users\Templates\spoolsv.exe
        
        "C:\Users\All Users\Templates\spoolsv.exe"
        17⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OxVZsORhRP.bat"
        18⤵
        
        PID:2776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1308
        
        C:\Users\All Users\Templates\spoolsv.exe
        
        "C:\Users\All Users\Templates\spoolsv.exe"
        19⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5DPJyftqFq.bat"
        20⤵
        
        PID:2552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:3380
        
        C:\Users\All Users\Templates\spoolsv.exe
        
        "C:\Users\All Users\Templates\spoolsv.exe"
        21⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat"
        22⤵
        
        PID:3224
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\PolicyDefinitions\es-ES\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\PolicyDefinitions\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\providercommon\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Windows\Help\Help\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Help\Help\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Windows\Help\Help\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\odt\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\Temp\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Temp\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\Temp\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\SIGNUP\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\SIGNUP\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\SIGNUP\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\odt\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\odt\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\Migration\WTR\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\Migration\WTR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Templates\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Templates\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Templates\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1408

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:5960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Templates\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\Microsoft\Windows\Templates\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\Microsoft\Windows\Templates\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\Microsoft\Windows\Templates\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\Microsoft\Windows\Templates\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\Microsoft\Windows\Templates\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\Microsoft\Windows\Templates\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\Microsoft\Windows\Templates\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\ProgramData\Microsoft\Windows\Templates\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DPJyftqFq.bat

Filesize
205B

MD5
6e0cd9cd20449cfad005932c1390b3e1

SHA1
f5c727c881014fec29caad019af42e8b4dde018e

SHA256
c81d449c46aefdbdbee09dae9f886b4bf891e3d3819f62b584a6ab99dcc2b56d

SHA512
338839568d1c916f2e013e20412b9319fc66268b8da2934c43810b2f35935c8b66b86aec9cb0f160307a2c4bbf57a72c7d00ee765c7a762a5f91ddeb9fdfd9fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat

Filesize
205B

MD5
77638766d42c3cffbc0273e99ac653c6

SHA1
085b71227187b4b6f1b2d98a31970bc0b1bd72d8

SHA256
de81f28b77ee50071a6531a2c8ec0b28ed4aff64a49f162a88fcae78b6850a9c

SHA512
bb37e22e004f680026774bc2880f352693538bcc1421088b39d5117026e636a2dad5784e99606288c2a2bdae65e1fd3d1af3cc2c9601cd8c504fb4af7fa2b784

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3sOpJujjE.bat

Filesize
205B

MD5
3ac3d574c693488ba61d4742a353cf47

SHA1
d5890cddd148b1b4be3bca9011dba50767b213b6

SHA256
dfab9365ac8b595da8562942d8ae3a5a1e16e81fe0a6710c04bd8d5d84461e1e

SHA512
6a4ce22dcb55ac0f7ec078e8b43b2425fcbcbe45ecb0ac5a23ee8a4b3202ed8a0da032899334bcde4d09afcd0b7d45ab1fa7051bea905b869889e9b14a4b69cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat

Filesize
205B

MD5
bf55f4c671a49744bfc03adc2f57eda9

SHA1
4b50c71708a9177d0fd2e527c52cfc96dfc3f972

SHA256
4544ab551fb7af728de89f7636392f002eb6f9eb77bd9e72d6be5ba0f9f1683d

SHA512
2359a331ec33bc317aeec159bff7436ae67f0e2ca7a77b9deec77ee5dd303e5828ab2188e41ca6242fd86ac43260dc7295be878edaa16b341243a16e306ee2f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OxVZsORhRP.bat

Filesize
205B

MD5
96f7286a38b1bfb0e7310deaf3aca9c7

SHA1
65a4056f17c2a23da0d275fe3911637aa4449e5a

SHA256
e13323d0a480a121f1ead9bf4b239eed2a699c01775f0bbd24f1c0daa63e7c83

SHA512
a30a03f110ee95f188655cd6678171d7396ae7e8ce07a814767985bb2a97b3603319a505ed9bca46caf2b6f4b2c4a09aca60ae56f0825845c208da32ad6b1a13

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wqkq749RcZ.bat

Filesize
205B

MD5
ad92b6b45bc7a3abb3a38c64bc9cd06b

SHA1
fb4e89f03c977ac9706f7dc5af9b34e1c836752c

SHA256
1673293d95018755ae4be0d9975adc8cfefc187a75de8961e28bc567f440d4af

SHA512
c73b289dfd8ff6cd271ee85357b1027bd68f286bbec1b783134a3cf9425373015a594c8325fc747ca5419cd3f68b4c6eeb3e8ccd6b86e178605b2b9b4b39bbb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zlmto9DLwM.bat

Filesize
205B

MD5
e571f7934e3895049ae116e6854eb8c4

SHA1
6c6697812c788cc7a2b912fee04e3f4dd68e2428

SHA256
060d29b0d5948a4b452b71aa0f87f90d126a786492c950cd6617780db4119cf1

SHA512
4f6a15232ee30d555241d68ec587d657d52672bf15f53d8de86cdddfb68ecb0db39dea172b3869789f637233b141470bc150b26d8a74963292063cfa8e0cb442

Download Submit
C:\Users\Admin\AppData\Local\Temp\kXH0MsH7jV.bat

Filesize
205B

MD5
92c913e6897701e298fe39c309d388cf

SHA1
351b04f588becb3e078993752a689a2d1177f132

SHA256
459038485266db13c8d684a96d237c0e0601876d1600bb66186d06b5d499850a

SHA512
b48bfae8cb229a604aadc9e1c90ac6f82f2ee7f1b37c21cdc69a90e67ac7ff600f462398cf588d9be10542281f0e6f9cbb0c5558bf5ae7cf689e7dc4bfecebc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIn8vbLsXf.bat

Filesize
205B

MD5
b42819b5e6ce2992c0e4150570f85857

SHA1
d4e8bd3974e8995a7eda7f848ea3a69ffbe44005

SHA256
4c192a5413fe76bf7de827ddfb157d5488dafd2ad0245393621b6785fe606e65

SHA512
df0228a257f654c3fe8b58ba3903c735287ec6a52e8e30912d024fc543219e8000a41359c9628742cb65ede115ac2cd73ac6dc46aa78191b41eee7eb14d2bca0

Download Submit
C:\Users\All Users\Templates\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/784-199-0x00007FFD7E010000-0x00007FFD7EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/784-144-0x0000000000000000-mapping.dmp

Download
memory/784-165-0x00007FFD7E010000-0x00007FFD7EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/1068-260-0x00007FFD7E250000-0x00007FFD7ED11000-memory.dmp

Filesize
10.8MB

Download
memory/1068-256-0x00007FFD7E250000-0x00007FFD7ED11000-memory.dmp

Filesize
10.8MB

Download
memory/1068-254-0x0000000000000000-mapping.dmp

Download
memory/1172-152-0x0000000000000000-mapping.dmp

Download
memory/1172-175-0x00007FFD7E010000-0x00007FFD7EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/1172-197-0x00007FFD7E010000-0x00007FFD7EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/1268-169-0x00007FFD7E010000-0x00007FFD7EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/1268-198-0x00007FFD7E010000-0x00007FFD7EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/1268-148-0x0000000000000000-mapping.dmp

Download
memory/1308-259-0x0000000000000000-mapping.dmp

Download
memory/1488-213-0x00007FFD7E010000-0x00007FFD7EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/1488-160-0x0000000000000000-mapping.dmp

Download
memory/1488-217-0x00007FFD7E010000-0x00007FFD7EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/1824-252-0x0000000000000000-mapping.dmp

Download
memory/1888-250-0x0000000000000000-mapping.dmp

Download
memory/2108-240-0x0000000000000000-mapping.dmp

Download
memory/2108-246-0x00007FFD7E250000-0x00007FFD7ED11000-memory.dmp

Filesize
10.8MB

Download
memory/2108-242-0x00007FFD7E250000-0x00007FFD7ED11000-memory.dmp

Filesize
10.8MB

Download
memory/2120-153-0x0000000000000000-mapping.dmp

Download
memory/2120-207-0x00007FFD7E010000-0x00007FFD7EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/2120-176-0x00007FFD7E010000-0x00007FFD7EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/2324-171-0x00007FFD7E010000-0x00007FFD7EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/2324-141-0x0000000000000000-mapping.dmp

Download
memory/2324-204-0x00007FFD7E010000-0x00007FFD7EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/2388-236-0x0000000000000000-mapping.dmp

Download
memory/2552-264-0x0000000000000000-mapping.dmp

Download
memory/2776-257-0x0000000000000000-mapping.dmp

Download
memory/2860-231-0x0000000000000000-mapping.dmp

Download
memory/3052-164-0x00007FFD7E010000-0x00007FFD7EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/3052-203-0x00007FFD7E010000-0x00007FFD7EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/3052-143-0x0000000000000000-mapping.dmp

Download
memory/3112-245-0x0000000000000000-mapping.dmp

Download
memory/3120-273-0x0000000000000000-mapping.dmp

Download
memory/3216-210-0x00007FFD7E010000-0x00007FFD7EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/3216-155-0x0000000000000000-mapping.dmp

Download
memory/3224-271-0x0000000000000000-mapping.dmp

Download
memory/3268-149-0x0000000000000000-mapping.dmp

Download
memory/3268-173-0x00007FFD7E010000-0x00007FFD7EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/3268-200-0x00007FFD7E010000-0x00007FFD7EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/3380-266-0x0000000000000000-mapping.dmp

Download
memory/3408-238-0x0000000000000000-mapping.dmp

Download
memory/3468-150-0x0000000000000000-mapping.dmp

Download
memory/3468-174-0x00007FFD7E010000-0x00007FFD7EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/3468-211-0x00007FFD7E010000-0x00007FFD7EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/3484-146-0x0000000000000000-mapping.dmp

Download
memory/3484-202-0x00007FFD7E010000-0x00007FFD7EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/3484-168-0x00007FFD7E010000-0x00007FFD7EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/3548-253-0x00007FFD7E250000-0x00007FFD7ED11000-memory.dmp

Filesize
10.8MB

Download
memory/3548-249-0x00007FFD7E250000-0x00007FFD7ED11000-memory.dmp

Filesize
10.8MB

Download
memory/3548-247-0x0000000000000000-mapping.dmp

Download
memory/3604-157-0x0000000000000000-mapping.dmp

Download
memory/3604-196-0x00007FFD7E010000-0x00007FFD7EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/3604-178-0x00007FFD7E010000-0x00007FFD7EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/3644-145-0x0000000000000000-mapping.dmp

Download
memory/3644-167-0x00007FFD7E010000-0x00007FFD7EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/3644-208-0x00007FFD7E010000-0x00007FFD7EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/3732-147-0x0000000000000000-mapping.dmp

Download
memory/3732-205-0x00007FFD7E010000-0x00007FFD7EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/3732-170-0x00007FFD7E010000-0x00007FFD7EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/3836-177-0x00007FFD7E010000-0x00007FFD7EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/3836-154-0x0000000000000000-mapping.dmp

Download
memory/3836-212-0x00007FFD7E010000-0x00007FFD7EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/4040-172-0x00007FFD7E010000-0x00007FFD7EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/4040-151-0x0000000000000000-mapping.dmp

Download
memory/4040-201-0x00007FFD7E010000-0x00007FFD7EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/4064-156-0x0000000000000000-mapping.dmp

Download
memory/4064-209-0x00007FFD7E010000-0x00007FFD7EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/4308-135-0x0000000000000000-mapping.dmp

Download
memory/4656-159-0x000001ABB27E0000-0x000001ABB2802000-memory.dmp

Filesize
136KB

Download
memory/4656-206-0x00007FFD7E010000-0x00007FFD7EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/4656-142-0x0000000000000000-mapping.dmp

Download
memory/4656-161-0x00007FFD7E010000-0x00007FFD7EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/4768-136-0x0000000000000000-mapping.dmp

Download
memory/4768-139-0x0000000000570000-0x0000000000680000-memory.dmp

Filesize
1.1MB

Download
memory/4768-140-0x00007FFD7E010000-0x00007FFD7EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/4768-158-0x00007FFD7E010000-0x00007FFD7EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/4768-166-0x00007FFD7E010000-0x00007FFD7EAD1000-memory.dmp

Filesize
10.8MB

Download
memory/4872-267-0x00007FFD7E7C0000-0x00007FFD7F281000-memory.dmp

Filesize
10.8MB

Download
memory/4872-263-0x00007FFD7E7C0000-0x00007FFD7F281000-memory.dmp

Filesize
10.8MB

Download
memory/4872-261-0x0000000000000000-mapping.dmp

Download
memory/4960-132-0x0000000000000000-mapping.dmp

Download
memory/5000-243-0x0000000000000000-mapping.dmp

Download
memory/5052-270-0x00007FFD7E7C0000-0x00007FFD7F281000-memory.dmp

Filesize
10.8MB

Download
memory/5052-268-0x0000000000000000-mapping.dmp

Download
memory/5052-274-0x00007FFD7E7C0000-0x00007FFD7F281000-memory.dmp

Filesize
10.8MB

Download
memory/5228-229-0x0000000000000000-mapping.dmp

Download
memory/5272-239-0x00007FFD7E250000-0x00007FFD7ED11000-memory.dmp

Filesize
10.8MB

Download
memory/5272-235-0x00007FFD7E250000-0x00007FFD7ED11000-memory.dmp

Filesize
10.8MB

Download
memory/5272-233-0x0000000000000000-mapping.dmp

Download
memory/5468-214-0x0000000000000000-mapping.dmp

Download
memory/5520-216-0x0000000000000000-mapping.dmp

Download
memory/5568-218-0x0000000000000000-mapping.dmp

Download
memory/5568-221-0x00007FFD7E250000-0x00007FFD7ED11000-memory.dmp

Filesize
10.8MB

Download
memory/5568-224-0x00007FFD7E250000-0x00007FFD7ED11000-memory.dmp

Filesize
10.8MB

Download
memory/5892-222-0x0000000000000000-mapping.dmp

Download
memory/5960-225-0x0000000000000000-mapping.dmp

Download
memory/6124-226-0x0000000000000000-mapping.dmp

Download
memory/6124-228-0x00007FFD7E250000-0x00007FFD7ED11000-memory.dmp

Filesize
10.8MB

Download
memory/6124-232-0x00007FFD7E250000-0x00007FFD7ED11000-memory.dmp

Filesize
10.8MB

Download