dcrat | fa225ad8d86707d63c7b607c5b5068fbbb0ad539d9243397927b439d5f437d97

Analysis

max time kernel
142s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2022, 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa225ad8d86707d63c7b607c5b5068fbbb0ad539d9243397927b439d5f437d97.exe
Size

1.3MB
MD5

7e515e4b394a3a0b27c3f061dd0215ea
SHA1

c3be28953ce77ebc930c774d6ce5110a0696bd7d
SHA256

fa225ad8d86707d63c7b607c5b5068fbbb0ad539d9243397927b439d5f437d97
SHA512

85a563ed0ab056b5e1b720b9dd043c6b3e246a761f099e6dd3b79c0ccb64dada0f916ff7cbc4cd14cabac34941874e326d5aa9db317d2a77bf6b22aa164d2424
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3984	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4344	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3112	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3584	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4324	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3424	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3408	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3728	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3144	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4180	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4300	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4260	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	4848	schtasks.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	4848	schtasks.exe	27

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0003000000000725-137.dat	dcrat
behavioral1/files/0x0003000000000725-138.dat	dcrat
behavioral1/memory/3700-139-0x0000000000380000-0x0000000000490000-memory.dmp	dcrat
behavioral1/files/0x0001000000022dfd-165.dat	dcrat
behavioral1/files/0x0001000000022dfd-166.dat	dcrat
behavioral1/files/0x0001000000022dfd-232.dat	dcrat
behavioral1/files/0x0001000000022dfd-240.dat	dcrat
behavioral1/files/0x0001000000022dfd-247.dat	dcrat
behavioral1/files/0x0001000000022dfd-254.dat	dcrat
behavioral1/files/0x0001000000022dfd-261.dat	dcrat
behavioral1/files/0x0001000000022dfd-268.dat	dcrat
behavioral1/files/0x0001000000022dfd-275.dat	dcrat
behavioral1/files/0x0001000000022dfd-282.dat	dcrat

Executes dropped EXE 10 IoCs

pid	Process
3700	DllCommonsvc.exe
4784	spoolsv.exe
4284	spoolsv.exe
4312	spoolsv.exe
1836	spoolsv.exe
3212	spoolsv.exe
5164	spoolsv.exe
3200	spoolsv.exe
3340	spoolsv.exe
5480	spoolsv.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	fa225ad8d86707d63c7b607c5b5068fbbb0ad539d9243397927b439d5f437d97.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	spoolsv.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Update\ea9f0e6c9e2dcd	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Update\taskhostw.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\images\WaaSMedicAgent.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\images\c82b8037eab33d	DllCommonsvc.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\e1ef82546f0b02	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\L2Schemas\OfficeClickToRun.exe	DllCommonsvc.exe
File created	C:\Windows\L2Schemas\e6c9b481da804f	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1100	schtasks.exe
3424	schtasks.exe
1728	schtasks.exe
2472	schtasks.exe
3112	schtasks.exe
1640	schtasks.exe
3128	schtasks.exe
3984	schtasks.exe
2308	schtasks.exe
4344	schtasks.exe
4784	schtasks.exe
4896	schtasks.exe
4300	schtasks.exe
4972	schtasks.exe
4960	schtasks.exe
4324	schtasks.exe
1636	schtasks.exe
4332	schtasks.exe
4468	schtasks.exe
4180	schtasks.exe
4800	schtasks.exe
3584	schtasks.exe
4596	schtasks.exe
3144	schtasks.exe
2988	schtasks.exe
4688	schtasks.exe
4836	schtasks.exe
3640	schtasks.exe
2804	schtasks.exe
940	schtasks.exe
1312	schtasks.exe
1688	schtasks.exe
3752	schtasks.exe
1596	schtasks.exe
2584	schtasks.exe
1152	schtasks.exe
1296	schtasks.exe
4140	schtasks.exe
3728	schtasks.exe
2292	schtasks.exe
4260	schtasks.exe
1768	schtasks.exe
1108	schtasks.exe
4952	schtasks.exe
4584	schtasks.exe
4412	schtasks.exe
4968	schtasks.exe
4052	schtasks.exe
5012	schtasks.exe
3408	schtasks.exe
2332	schtasks.exe
1608	schtasks.exe
2828	schtasks.exe
988	schtasks.exe
2336	schtasks.exe
3060	schtasks.exe
2912	schtasks.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	fa225ad8d86707d63c7b607c5b5068fbbb0ad539d9243397927b439d5f437d97.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3700	DllCommonsvc.exe
3700	DllCommonsvc.exe
3700	DllCommonsvc.exe
3700	DllCommonsvc.exe
3700	DllCommonsvc.exe
3700	DllCommonsvc.exe
3700	DllCommonsvc.exe
3700	DllCommonsvc.exe
3700	DllCommonsvc.exe
3700	DllCommonsvc.exe
3700	DllCommonsvc.exe
3700	DllCommonsvc.exe
3700	DllCommonsvc.exe
3700	DllCommonsvc.exe
3700	DllCommonsvc.exe
3700	DllCommonsvc.exe
3700	DllCommonsvc.exe
3700	DllCommonsvc.exe
3700	DllCommonsvc.exe
4308	powershell.exe
1288	powershell.exe
4308	powershell.exe
1288	powershell.exe
2980	powershell.exe
2980	powershell.exe
3856	powershell.exe
3856	powershell.exe
4320	powershell.exe
4320	powershell.exe
4016	powershell.exe
4016	powershell.exe
3472	powershell.exe
3472	powershell.exe
3820	powershell.exe
3820	powershell.exe
5060	powershell.exe
5060	powershell.exe
3924	powershell.exe
3924	powershell.exe
3712	powershell.exe
3712	powershell.exe
4416	powershell.exe
4416	powershell.exe
4620	powershell.exe
4620	powershell.exe
1596	powershell.exe
1852	powershell.exe
1596	powershell.exe
1852	powershell.exe
2220	powershell.exe
2220	powershell.exe
996	powershell.exe
996	powershell.exe
4896	powershell.exe
4896	powershell.exe
1108	powershell.exe
1108	powershell.exe
1152	powershell.exe
1152	powershell.exe
4784	spoolsv.exe
4784	spoolsv.exe
4308	powershell.exe
4308	powershell.exe
1288	powershell.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	3700	DllCommonsvc.exe
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	3856	powershell.exe
Token: SeDebugPrivilege	4320	powershell.exe
Token: SeDebugPrivilege	3924	powershell.exe
Token: SeDebugPrivilege	4016	powershell.exe
Token: SeDebugPrivilege	3472	powershell.exe
Token: SeDebugPrivilege	3820	powershell.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	3712	powershell.exe
Token: SeDebugPrivilege	4416	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	4620	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	996	powershell.exe
Token: SeDebugPrivilege	4896	powershell.exe
Token: SeDebugPrivilege	4784	spoolsv.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	4284	spoolsv.exe
Token: SeDebugPrivilege	4312	spoolsv.exe
Token: SeDebugPrivilege	1836	spoolsv.exe
Token: SeDebugPrivilege	3212	spoolsv.exe
Token: SeDebugPrivilege	5164	spoolsv.exe
Token: SeDebugPrivilege	3200	spoolsv.exe
Token: SeDebugPrivilege	3340	spoolsv.exe
Token: SeDebugPrivilege	5480	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 4112	1300	fa225ad8d86707d63c7b607c5b5068fbbb0ad539d9243397927b439d5f437d97.exe	83
PID 1300 wrote to memory of 4112	1300	fa225ad8d86707d63c7b607c5b5068fbbb0ad539d9243397927b439d5f437d97.exe	83
PID 1300 wrote to memory of 4112	1300	fa225ad8d86707d63c7b607c5b5068fbbb0ad539d9243397927b439d5f437d97.exe	83
PID 4112 wrote to memory of 4776	4112	WScript.exe	87
PID 4112 wrote to memory of 4776	4112	WScript.exe	87
PID 4112 wrote to memory of 4776	4112	WScript.exe	87
PID 4776 wrote to memory of 3700	4776	cmd.exe	89
PID 4776 wrote to memory of 3700	4776	cmd.exe	89
PID 3700 wrote to memory of 1288	3700	DllCommonsvc.exe	148
PID 3700 wrote to memory of 1288	3700	DllCommonsvc.exe	148
PID 3700 wrote to memory of 4308	3700	DllCommonsvc.exe	149
PID 3700 wrote to memory of 4308	3700	DllCommonsvc.exe	149
PID 3700 wrote to memory of 2980	3700	DllCommonsvc.exe	190
PID 3700 wrote to memory of 2980	3700	DllCommonsvc.exe	190
PID 3700 wrote to memory of 3856	3700	DllCommonsvc.exe	151
PID 3700 wrote to memory of 3856	3700	DllCommonsvc.exe	151
PID 3700 wrote to memory of 4320	3700	DllCommonsvc.exe	152
PID 3700 wrote to memory of 4320	3700	DllCommonsvc.exe	152
PID 3700 wrote to memory of 3924	3700	DllCommonsvc.exe	153
PID 3700 wrote to memory of 3924	3700	DllCommonsvc.exe	153
PID 3700 wrote to memory of 4016	3700	DllCommonsvc.exe	154
PID 3700 wrote to memory of 4016	3700	DllCommonsvc.exe	154
PID 3700 wrote to memory of 3472	3700	DllCommonsvc.exe	161
PID 3700 wrote to memory of 3472	3700	DllCommonsvc.exe	161
PID 3700 wrote to memory of 5060	3700	DllCommonsvc.exe	156
PID 3700 wrote to memory of 5060	3700	DllCommonsvc.exe	156
PID 3700 wrote to memory of 3820	3700	DllCommonsvc.exe	159
PID 3700 wrote to memory of 3820	3700	DllCommonsvc.exe	159
PID 3700 wrote to memory of 3712	3700	DllCommonsvc.exe	188
PID 3700 wrote to memory of 3712	3700	DllCommonsvc.exe	188
PID 3700 wrote to memory of 4416	3700	DllCommonsvc.exe	168
PID 3700 wrote to memory of 4416	3700	DllCommonsvc.exe	168
PID 3700 wrote to memory of 1852	3700	DllCommonsvc.exe	167
PID 3700 wrote to memory of 1852	3700	DllCommonsvc.exe	167
PID 3700 wrote to memory of 1596	3700	DllCommonsvc.exe	187
PID 3700 wrote to memory of 1596	3700	DllCommonsvc.exe	187
PID 3700 wrote to memory of 4620	3700	DllCommonsvc.exe	170
PID 3700 wrote to memory of 4620	3700	DllCommonsvc.exe	170
PID 3700 wrote to memory of 2220	3700	DllCommonsvc.exe	185
PID 3700 wrote to memory of 2220	3700	DllCommonsvc.exe	185
PID 3700 wrote to memory of 996	3700	DllCommonsvc.exe	172
PID 3700 wrote to memory of 996	3700	DllCommonsvc.exe	172
PID 3700 wrote to memory of 4896	3700	DllCommonsvc.exe	173
PID 3700 wrote to memory of 4896	3700	DllCommonsvc.exe	173
PID 3700 wrote to memory of 1108	3700	DllCommonsvc.exe	175
PID 3700 wrote to memory of 1108	3700	DllCommonsvc.exe	175
PID 3700 wrote to memory of 1152	3700	DllCommonsvc.exe	176
PID 3700 wrote to memory of 1152	3700	DllCommonsvc.exe	176
PID 3700 wrote to memory of 4784	3700	DllCommonsvc.exe	180
PID 3700 wrote to memory of 4784	3700	DllCommonsvc.exe	180
PID 4784 wrote to memory of 5672	4784	spoolsv.exe	191
PID 4784 wrote to memory of 5672	4784	spoolsv.exe	191
PID 5672 wrote to memory of 3344	5672	cmd.exe	193
PID 5672 wrote to memory of 3344	5672	cmd.exe	193
PID 5672 wrote to memory of 4284	5672	cmd.exe	195
PID 5672 wrote to memory of 4284	5672	cmd.exe	195
PID 4284 wrote to memory of 2888	4284	spoolsv.exe	196
PID 4284 wrote to memory of 2888	4284	spoolsv.exe	196
PID 2888 wrote to memory of 4856	2888	cmd.exe	198
PID 2888 wrote to memory of 4856	2888	cmd.exe	198
PID 2888 wrote to memory of 4312	2888	cmd.exe	199
PID 2888 wrote to memory of 4312	2888	cmd.exe	199
PID 4312 wrote to memory of 2336	4312	spoolsv.exe	200
PID 4312 wrote to memory of 2336	4312	spoolsv.exe	200

C:\Users\Admin\AppData\Local\Temp\fa225ad8d86707d63c7b607c5b5068fbbb0ad539d9243397927b439d5f437d97.exe
"C:\Users\Admin\AppData\Local\Temp\fa225ad8d86707d63c7b607c5b5068fbbb0ad539d9243397927b439d5f437d97.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1288
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\smss.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\backgroundTaskHost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\SoftwareDistribution\System.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\en-US\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\images\WaaSMedicAgent.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\taskhostw.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SppExtComObj.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4416
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4620
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\conhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dllhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\SIGNUP\RuntimeBroker.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152
    - - C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4784
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5672
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3344
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ATgAsDsfjz.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:4856
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        9⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fjnbjzFmbP.bat"
        10⤵
        
        PID:2336
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2280
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        11⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RBOUzXbIOW.bat"
        12⤵
        
        PID:4628
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:5888
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        13⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1JZ2DT5CuV.bat"
        14⤵
        
        PID:4004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1484
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        15⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\S2GQUB77UU.bat"
        16⤵
        
        PID:2696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:5328
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        17⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a1rZrAbBst.bat"
        18⤵
        
        PID:6064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:5172
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        19⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat"
        20⤵
        
        PID:2140
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:4300
        
        C:\providercommon\spoolsv.exe
        
        "C:\providercommon\spoolsv.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5480
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Skins\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\cmd.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\odt\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\odt\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\SoftwareDistribution\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\SoftwareDistribution\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Update\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Windows\L2Schemas\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\L2Schemas\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Windows\L2Schemas\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\images\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\images\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\providercommon\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\providercommon\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\providercommon\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Skins\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\odt\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ae96ca6d5f605116d027b60ee601dbf8

SHA1
227fd9141f215138fb1bf85391accfc97a691d47

SHA256
30e866ae47fec01989b6ae6ced870828b089a8ce68580ee70204ae5db88451bf

SHA512
03a324722a5fd70a59bfa341bf2606dd6cb943b9f2c415c22b2913140837e3c12acfdf929b1db8535f943a805900164a12528d4bf2b1933cd2bfbcd22e03d374

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ae96ca6d5f605116d027b60ee601dbf8

SHA1
227fd9141f215138fb1bf85391accfc97a691d47

SHA256
30e866ae47fec01989b6ae6ced870828b089a8ce68580ee70204ae5db88451bf

SHA512
03a324722a5fd70a59bfa341bf2606dd6cb943b9f2c415c22b2913140837e3c12acfdf929b1db8535f943a805900164a12528d4bf2b1933cd2bfbcd22e03d374

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1JZ2DT5CuV.bat

Filesize
194B

MD5
32a7aee95dc7cf6d8d4523f831623096

SHA1
55b3072d36b6a7705ee84b81ab7e5e8a8e0b392d

SHA256
9858ed579fbb9c5b29971da76b83f51e0fdcc529db4226c08faccba98270798a

SHA512
b2663db09957da25fd7bf7e3c8c1eae1a8a47d4979a02e9aa337700c9fe460c2c5a8fd3f03becfeb40efd82d587bcf23a3ab84df21e3dfdb29d6a6fa675ad054

Download Submit
C:\Users\Admin\AppData\Local\Temp\ATgAsDsfjz.bat

Filesize
194B

MD5
ea85d0da39aa8483eeff5bf98006fa5f

SHA1
6d10faf5fc80640c802ba0135c723fd4b7a32162

SHA256
02b847780c9c803ab6de20cc062440319d7660c075988a1d29febf8732e21909

SHA512
2a7383afad32fbda5df1d9c3d056430438e04d44dd3cd9ee57bc6291b5fc031b1456946bbd9cb27892bd85a947fc08f1aa9d4d576cceee2b69d67489ad546192

Download Submit
C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat

Filesize
194B

MD5
bc266cbb0920d0d5509ced9fb89549b0

SHA1
4b7d65fd890c1e62ee5806770e0a101e443b6322

SHA256
33cf061e2ce2616707f5607240d3b9f052b7a031aa69447f5c7c371d3c418f27

SHA512
55104e04b63c922b57ec1685e7bb7bed881d9d7ad34b7c9a60fb322156956a30b85ac919f3d223de631fa6a088d88ca6576d44f903982c1a859138166700b59e

Download Submit
C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat

Filesize
194B

MD5
bc266cbb0920d0d5509ced9fb89549b0

SHA1
4b7d65fd890c1e62ee5806770e0a101e443b6322

SHA256
33cf061e2ce2616707f5607240d3b9f052b7a031aa69447f5c7c371d3c418f27

SHA512
55104e04b63c922b57ec1685e7bb7bed881d9d7ad34b7c9a60fb322156956a30b85ac919f3d223de631fa6a088d88ca6576d44f903982c1a859138166700b59e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RBOUzXbIOW.bat

Filesize
194B

MD5
702a96c8e852247fcdace18944f0fe50

SHA1
90d919e6f4a4e70eb9026a7545ce56c68093aa9b

SHA256
cccaa16182aa1bdb8317b79a0e6de554ab0ec6f22f9130db1b4e9100add195bc

SHA512
a912e69b457031eef42b6306d032a096c446f2fb30956f4ab760098ba1d3b67c8ba8c4e8c999581d822747db4f8d6a101e24be06e4ac27d6c21be1474ef70e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\S2GQUB77UU.bat

Filesize
194B

MD5
9f8aa585b407277a0a4516585e59d6b7

SHA1
63a8a7dff7dc89c064ff7ca8564c1dbcf5bfe550

SHA256
131ed0d1b50219d5299e1084c72fa7faeced9554baba6569bb698abd25da387f

SHA512
5e5625e38683a98b2d93619f036ec786a7ae597d1237e197836ced4e458c5f4b2ae01933548bed3a7a2724dfe8d5c1fccad894845dab412092a79956766b2169

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1rZrAbBst.bat

Filesize
194B

MD5
431d0860a3ea7ad1def89054a6753ee9

SHA1
347d86a2d432c11c87af02bb056ea152f6f07a1f

SHA256
21cbe5fcd7d33619fa3669331d8743bb6bd73b0d37c8f330d035ef1011048ba5

SHA512
dd4e7d64bdd605854777af0c3e848b8822ea397ace65f051d3b624a2a0f32a6d02fbac492c49d8b94030f70bf2c793f29d4449f3c6fb9d05fe6399984d778422

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjnbjzFmbP.bat

Filesize
194B

MD5
fabd4cc79c52659454b1984dbbcdafcb

SHA1
8b6bc7d5cb1d411ec25ef80b3cd8471339d5cc76

SHA256
0804f8e75d97cf67f43e7a138c0fb87db51962432920f2d9a033eb2aa6cb7bf5

SHA512
2a2a65e682141ee86b338f601b187669289f1bce0c2be09a2f4fc7892b451ffd53b7fe7bc2307fa74c3d414f20e59f49445b9de01e69f810c97969ffd84650d0

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\spoolsv.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/996-230-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/996-185-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/1108-182-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/1108-226-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/1152-228-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/1152-186-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/1288-200-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/1288-162-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/1596-217-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/1596-184-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/1836-252-0x00007FFBFE4C0000-0x00007FFBFEF81000-memory.dmp

Filesize
10.8MB

Download
memory/1836-248-0x00007FFBFE4C0000-0x00007FFBFEF81000-memory.dmp

Filesize
10.8MB

Download
memory/1852-225-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/1852-177-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/2220-179-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/2220-212-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/2980-168-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/2980-197-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/3200-269-0x00007FFBFE4C0000-0x00007FFBFEF81000-memory.dmp

Filesize
10.8MB

Download
memory/3200-273-0x00007FFBFE4C0000-0x00007FFBFEF81000-memory.dmp

Filesize
10.8MB

Download
memory/3212-259-0x00007FFBFE4C0000-0x00007FFBFEF81000-memory.dmp

Filesize
10.8MB

Download
memory/3212-255-0x00007FFBFE4C0000-0x00007FFBFEF81000-memory.dmp

Filesize
10.8MB

Download
memory/3340-276-0x00007FFBFE4C0000-0x00007FFBFEF81000-memory.dmp

Filesize
10.8MB

Download
memory/3340-280-0x00007FFBFE4C0000-0x00007FFBFEF81000-memory.dmp

Filesize
10.8MB

Download
memory/3472-173-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/3472-214-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/3700-170-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/3700-139-0x0000000000380000-0x0000000000490000-memory.dmp

Filesize
1.1MB

Download
memory/3700-140-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/3712-183-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/3712-209-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/3820-208-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/3820-174-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/3856-167-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/3856-196-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/3924-171-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/3924-202-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/4016-172-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/4016-203-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/4284-238-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/4284-234-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/4308-191-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/4308-159-0x0000023CAE3C0000-0x0000023CAE3E2000-memory.dmp

Filesize
136KB

Download
memory/4308-163-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/4312-241-0x00007FFBFE4C0000-0x00007FFBFEF81000-memory.dmp

Filesize
10.8MB

Download
memory/4312-245-0x00007FFBFE4C0000-0x00007FFBFEF81000-memory.dmp

Filesize
10.8MB

Download
memory/4320-169-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/4320-207-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/4416-176-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/4416-219-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/4620-178-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/4620-216-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/4784-181-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/4784-188-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/4896-224-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/4896-180-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/5060-227-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/5060-175-0x00007FFBFE6A0000-0x00007FFBFF161000-memory.dmp

Filesize
10.8MB

Download
memory/5164-266-0x00007FFBFE4C0000-0x00007FFBFEF81000-memory.dmp

Filesize
10.8MB

Download
memory/5164-262-0x00007FFBFE4C0000-0x00007FFBFEF81000-memory.dmp

Filesize
10.8MB

Download
memory/5480-283-0x00007FFBFE4C0000-0x00007FFBFEF81000-memory.dmp

Filesize
10.8MB

Download