434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef

Analysis

max time kernel
294s
max time network
299s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
08/10/2023, 22:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
Size

1.7MB
MD5

c2b3685e522340433c14a1347a6b59ae
SHA1

46ea6f7f34b290e6b181c709307f95e09717b9a4
SHA256

434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef
SHA512

67598a60451318baaa10f7bebc6dca5c3b014ed215dd3377e173fd02f5f933e426c7e1af209d17d437618a7e3019eb2e30bc25cd04542d0d3786e48418078083
SSDEEP

24576:rQa+rRep38knZGbO4oFya8ZbRxaiXvnEc3Suvb7sNPwEFfTPCRi4Vz:rZ+rRe3zn4ioa8ZbRMiXO07sNPwERWV

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 31 IoCs

pid	Process
1836	spoolsv.exe
2160	spoolsv.exe
2624	spoolsv.exe
3884	spoolsv.exe
3248	spoolsv.exe
3928	spoolsv.exe
3868	spoolsv.exe
2364	spoolsv.exe
1088	spoolsv.exe
5040	spoolsv.exe
4792	spoolsv.exe
2904	spoolsv.exe
3096	spoolsv.exe
4780	spoolsv.exe
3268	spoolsv.exe
4108	spoolsv.exe
916	spoolsv.exe
4428	spoolsv.exe
4368	spoolsv.exe
2648	spoolsv.exe
4776	spoolsv.exe
4808	spoolsv.exe
2884	spoolsv.exe
5052	spoolsv.exe
1672	spoolsv.exe
4972	spoolsv.exe
5040	spoolsv.exe
2828	spoolsv.exe
1680	spoolsv.exe
3924	spoolsv.exe
3764	spoolsv.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fr-FR\Licenses\5940a34987c991	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\dllhost.exe	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\PrintDialog\fontdrvhost.exe	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
File created	C:\Windows\PrintDialog\5b884080fd4f94	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 32 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1384669652-2270756765-572751751-1000_Classes\Local Settings	spoolsv.exe

Runs ping.exe 1 TTPs 18 IoCs

Remote System Discovery

T1018

pid	Process
292	PING.EXE
5008	PING.EXE
2700	PING.EXE
3432	PING.EXE
2964	PING.EXE
4256	PING.EXE
3416	PING.EXE
5116	PING.EXE
2892	PING.EXE
4844	PING.EXE
2156	PING.EXE
1352	PING.EXE
3008	PING.EXE
4348	PING.EXE
4012	PING.EXE
3444	PING.EXE
4308	PING.EXE
3544	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
Token: SeDebugPrivilege	4688	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	3704	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeIncreaseQuotaPrivilege	4688	powershell.exe
Token: SeSecurityPrivilege	4688	powershell.exe
Token: SeTakeOwnershipPrivilege	4688	powershell.exe
Token: SeLoadDriverPrivilege	4688	powershell.exe
Token: SeSystemProfilePrivilege	4688	powershell.exe
Token: SeSystemtimePrivilege	4688	powershell.exe
Token: SeProfSingleProcessPrivilege	4688	powershell.exe
Token: SeIncBasePriorityPrivilege	4688	powershell.exe
Token: SeCreatePagefilePrivilege	4688	powershell.exe
Token: SeBackupPrivilege	4688	powershell.exe
Token: SeRestorePrivilege	4688	powershell.exe
Token: SeShutdownPrivilege	4688	powershell.exe
Token: SeDebugPrivilege	4688	powershell.exe
Token: SeSystemEnvironmentPrivilege	4688	powershell.exe
Token: SeRemoteShutdownPrivilege	4688	powershell.exe
Token: SeUndockPrivilege	4688	powershell.exe
Token: SeManageVolumePrivilege	4688	powershell.exe
Token: 33	4688	powershell.exe
Token: 34	4688	powershell.exe
Token: 35	4688	powershell.exe
Token: 36	4688	powershell.exe
Token: SeIncreaseQuotaPrivilege	3704	powershell.exe
Token: SeSecurityPrivilege	3704	powershell.exe
Token: SeTakeOwnershipPrivilege	3704	powershell.exe
Token: SeLoadDriverPrivilege	3704	powershell.exe
Token: SeSystemProfilePrivilege	3704	powershell.exe
Token: SeSystemtimePrivilege	3704	powershell.exe
Token: SeProfSingleProcessPrivilege	3704	powershell.exe
Token: SeIncBasePriorityPrivilege	3704	powershell.exe
Token: SeCreatePagefilePrivilege	3704	powershell.exe
Token: SeBackupPrivilege	3704	powershell.exe
Token: SeRestorePrivilege	3704	powershell.exe
Token: SeShutdownPrivilege	3704	powershell.exe
Token: SeDebugPrivilege	3704	powershell.exe
Token: SeSystemEnvironmentPrivilege	3704	powershell.exe
Token: SeRemoteShutdownPrivilege	3704	powershell.exe
Token: SeUndockPrivilege	3704	powershell.exe
Token: SeManageVolumePrivilege	3704	powershell.exe
Token: 33	3704	powershell.exe
Token: 34	3704	powershell.exe
Token: 35	3704	powershell.exe
Token: 36	3704	powershell.exe
Token: SeIncreaseQuotaPrivilege	2400	powershell.exe
Token: SeSecurityPrivilege	2400	powershell.exe
Token: SeTakeOwnershipPrivilege	2400	powershell.exe
Token: SeLoadDriverPrivilege	2400	powershell.exe
Token: SeSystemProfilePrivilege	2400	powershell.exe
Token: SeSystemtimePrivilege	2400	powershell.exe
Token: SeProfSingleProcessPrivilege	2400	powershell.exe
Token: SeIncBasePriorityPrivilege	2400	powershell.exe
Token: SeCreatePagefilePrivilege	2400	powershell.exe
Token: SeBackupPrivilege	2400	powershell.exe
Token: SeRestorePrivilege	2400	powershell.exe
Token: SeShutdownPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeSystemEnvironmentPrivilege	2400	powershell.exe
Token: SeRemoteShutdownPrivilege	2400	powershell.exe
Token: SeUndockPrivilege	2400	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3748 wrote to memory of 4688	3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe	69
PID 3748 wrote to memory of 4688	3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe	69
PID 3748 wrote to memory of 1148	3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe	70
PID 3748 wrote to memory of 1148	3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe	70
PID 3748 wrote to memory of 1376	3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe	77
PID 3748 wrote to memory of 1376	3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe	77
PID 3748 wrote to memory of 3704	3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe	76
PID 3748 wrote to memory of 3704	3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe	76
PID 3748 wrote to memory of 2400	3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe	74
PID 3748 wrote to memory of 2400	3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe	74
PID 3748 wrote to memory of 3424	3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe	79
PID 3748 wrote to memory of 3424	3748	434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe	79
PID 3424 wrote to memory of 4172	3424	cmd.exe	81
PID 3424 wrote to memory of 4172	3424	cmd.exe	81
PID 3424 wrote to memory of 2892	3424	cmd.exe	82
PID 3424 wrote to memory of 2892	3424	cmd.exe	82
PID 3424 wrote to memory of 1836	3424	cmd.exe	84
PID 3424 wrote to memory of 1836	3424	cmd.exe	84
PID 1836 wrote to memory of 4656	1836	spoolsv.exe	86
PID 1836 wrote to memory of 4656	1836	spoolsv.exe	86
PID 4656 wrote to memory of 644	4656	cmd.exe	87
PID 4656 wrote to memory of 644	4656	cmd.exe	87
PID 4656 wrote to memory of 4156	4656	cmd.exe	88
PID 4656 wrote to memory of 4156	4656	cmd.exe	88
PID 4656 wrote to memory of 2160	4656	cmd.exe	89
PID 4656 wrote to memory of 2160	4656	cmd.exe	89
PID 2160 wrote to memory of 96	2160	spoolsv.exe	90
PID 2160 wrote to memory of 96	2160	spoolsv.exe	90
PID 96 wrote to memory of 4944	96	cmd.exe	92
PID 96 wrote to memory of 4944	96	cmd.exe	92
PID 96 wrote to memory of 2700	96	cmd.exe	93
PID 96 wrote to memory of 2700	96	cmd.exe	93
PID 96 wrote to memory of 2624	96	cmd.exe	94
PID 96 wrote to memory of 2624	96	cmd.exe	94
PID 2624 wrote to memory of 4852	2624	spoolsv.exe	96
PID 2624 wrote to memory of 4852	2624	spoolsv.exe	96
PID 4852 wrote to memory of 4672	4852	cmd.exe	97
PID 4852 wrote to memory of 4672	4852	cmd.exe	97
PID 4852 wrote to memory of 4248	4852	cmd.exe	98
PID 4852 wrote to memory of 4248	4852	cmd.exe	98
PID 4852 wrote to memory of 3884	4852	cmd.exe	99
PID 4852 wrote to memory of 3884	4852	cmd.exe	99
PID 3884 wrote to memory of 2688	3884	spoolsv.exe	100
PID 3884 wrote to memory of 2688	3884	spoolsv.exe	100
PID 2688 wrote to memory of 3000	2688	cmd.exe	102
PID 2688 wrote to memory of 3000	2688	cmd.exe	102
PID 2688 wrote to memory of 4348	2688	cmd.exe	103
PID 2688 wrote to memory of 4348	2688	cmd.exe	103
PID 2688 wrote to memory of 3248	2688	cmd.exe	104
PID 2688 wrote to memory of 3248	2688	cmd.exe	104
PID 3248 wrote to memory of 3096	3248	spoolsv.exe	105
PID 3248 wrote to memory of 3096	3248	spoolsv.exe	105
PID 3096 wrote to memory of 2096	3096	cmd.exe	107
PID 3096 wrote to memory of 2096	3096	cmd.exe	107
PID 3096 wrote to memory of 4308	3096	cmd.exe	108
PID 3096 wrote to memory of 4308	3096	cmd.exe	108
PID 3096 wrote to memory of 3928	3096	cmd.exe	109
PID 3096 wrote to memory of 3928	3096	cmd.exe	109
PID 3928 wrote to memory of 2200	3928	spoolsv.exe	110
PID 3928 wrote to memory of 2200	3928	spoolsv.exe	110
PID 2200 wrote to memory of 2208	2200	cmd.exe	112
PID 2200 wrote to memory of 2208	2200	cmd.exe	112
PID 2200 wrote to memory of 4844	2200	cmd.exe	113
PID 2200 wrote to memory of 4844	2200	cmd.exe	113

C:\Users\Admin\AppData\Local\Temp\434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe
"C:\Users\Admin\AppData\Local\Temp\434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\dwm.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PrintDialog\fontdrvhost.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\spoolsv.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\fr-FR\Licenses\dllhost.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1376
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2PiJebG6ia.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3424
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4172
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:2892
- - C:\Users\Public\Videos\spoolsv.exe
    "C:\Users\Public\Videos\spoolsv.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1836
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nl5EWIzDsS.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4656
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:644
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:4156
    - - C:\Users\Public\Videos\spoolsv.exe
        
        "C:\Users\Public\Videos\spoolsv.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T6xLp4JQ8y.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:96
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4944
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:2700
        
        C:\Users\Public\Videos\spoolsv.exe
        
        "C:\Users\Public\Videos\spoolsv.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ddtUB3Qwlt.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:4672
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:4248
        
        C:\Users\Public\Videos\spoolsv.exe
        
        "C:\Users\Public\Videos\spoolsv.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IMKRyAEqWe.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:3000
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        Runs ping.exe
        
        PID:4348
        
        C:\Users\Public\Videos\spoolsv.exe
        
        "C:\Users\Public\Videos\spoolsv.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Sh6ipYOoXP.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2096
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        Runs ping.exe
        
        PID:4308
        
        C:\Users\Public\Videos\spoolsv.exe
        
        "C:\Users\Public\Videos\spoolsv.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IMKRyAEqWe.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2208
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        Runs ping.exe
        
        PID:4844
        
        C:\Users\Public\Videos\spoolsv.exe
        
        "C:\Users\Public\Videos\spoolsv.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uWhjrprfdL.bat"
        16⤵
        
        PID:2312
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:524
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:292
        
        C:\Users\Public\Videos\spoolsv.exe
        
        "C:\Users\Public\Videos\spoolsv.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MKHlt6LWjG.bat"
        18⤵
        
        PID:4332
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1624
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:3432
        
        C:\Users\Public\Videos\spoolsv.exe
        
        "C:\Users\Public\Videos\spoolsv.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QXsfud8LVu.bat"
        20⤵
        
        PID:4448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:3596
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        Runs ping.exe
        
        PID:2964
        
        C:\Users\Public\Videos\spoolsv.exe
        
        "C:\Users\Public\Videos\spoolsv.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4IFTJQeKoJ.bat"
        22⤵
        
        PID:1252
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1568
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        Runs ping.exe
        
        PID:3544
        
        C:\Users\Public\Videos\spoolsv.exe
        
        "C:\Users\Public\Videos\spoolsv.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f2k7CZMYLR.bat"
        24⤵
        
        PID:4172
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:4756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:4348
        
        C:\Users\Public\Videos\spoolsv.exe
        
        "C:\Users\Public\Videos\spoolsv.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Rj2XQE6t64.bat"
        26⤵
        
        PID:4744
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:3924
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:3820
        
        C:\Users\Public\Videos\spoolsv.exe
        
        "C:\Users\Public\Videos\spoolsv.exe"
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3096
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VhzrLBDaJg.bat"
        28⤵
        
        PID:2108
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:5076
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:1200
        
        C:\Users\Public\Videos\spoolsv.exe
        
        "C:\Users\Public\Videos\spoolsv.exe"
        29⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xVZsORhRPb.bat"
        30⤵
        
        PID:4388
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:3424
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        Runs ping.exe
        
        PID:292
        
        C:\Users\Public\Videos\spoolsv.exe
        
        "C:\Users\Public\Videos\spoolsv.exe"
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3268
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6RTVEKunro.bat"
        32⤵
        
        PID:3016
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:3108
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        Runs ping.exe
        
        PID:4012
        
        C:\Users\Public\Videos\spoolsv.exe
        
        "C:\Users\Public\Videos\spoolsv.exe"
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qXkQwtlzQj.bat"
        34⤵
        
        PID:4944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        35⤵
        
        PID:3772
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:4016
        
        C:\Users\Public\Videos\spoolsv.exe
        
        "C:\Users\Public\Videos\spoolsv.exe"
        35⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oAocY3YSOp.bat"
        36⤵
        
        PID:4672
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:1872
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        37⤵
        Runs ping.exe
        
        PID:4256
        
        C:\Users\Public\Videos\spoolsv.exe
        
        "C:\Users\Public\Videos\spoolsv.exe"
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oOVO2yVWND.bat"
        38⤵
        
        PID:3996
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:500
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        39⤵
        
        PID:360
        
        C:\Users\Public\Videos\spoolsv.exe
        
        "C:\Users\Public\Videos\spoolsv.exe"
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4368
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lAvT1QihcZ.bat"
        40⤵
        
        PID:2172
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        41⤵
        
        PID:1860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        41⤵
        
        PID:2776
        
        C:\Users\Public\Videos\spoolsv.exe
        
        "C:\Users\Public\Videos\spoolsv.exe"
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JlC5zfAS6C.bat"
        42⤵
        
        PID:2696
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        43⤵
        
        PID:1680
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        43⤵
        Runs ping.exe
        
        PID:2156
        
        C:\Users\Public\Videos\spoolsv.exe
        
        "C:\Users\Public\Videos\spoolsv.exe"
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0tVgmHuxRU.bat"
        44⤵
        
        PID:2984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        45⤵
        
        PID:4488
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        45⤵
        
        PID:4844
        
        C:\Users\Public\Videos\spoolsv.exe
        
        "C:\Users\Public\Videos\spoolsv.exe"
        45⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1TWCJOn7dC.bat"
        46⤵
        
        PID:4116
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        47⤵
        
        PID:4920
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        47⤵
        Runs ping.exe
        
        PID:5008
        
        C:\Users\Public\Videos\spoolsv.exe
        
        "C:\Users\Public\Videos\spoolsv.exe"
        47⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HNGHapxv4I.bat"
        48⤵
        
        PID:4420
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        49⤵
        
        PID:1744
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        49⤵
        
        PID:1836
        
        C:\Users\Public\Videos\spoolsv.exe
        
        "C:\Users\Public\Videos\spoolsv.exe"
        49⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EON83D8AI2.bat"
        50⤵
        
        PID:1188
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        51⤵
        
        PID:4956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        51⤵
        Runs ping.exe
        
        PID:3416
        
        C:\Users\Public\Videos\spoolsv.exe
        
        "C:\Users\Public\Videos\spoolsv.exe"
        51⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rxb3wPgb0H.bat"
        52⤵
        
        PID:4448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        53⤵
        
        PID:3604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        53⤵
        
        PID:2968
        
        C:\Users\Public\Videos\spoolsv.exe
        
        "C:\Users\Public\Videos\spoolsv.exe"
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BpIS9nw5fy.bat"
        54⤵
        
        PID:3408
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        55⤵
        
        PID:4440
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        55⤵
        Runs ping.exe
        
        PID:1352
        
        C:\Users\Public\Videos\spoolsv.exe
        
        "C:\Users\Public\Videos\spoolsv.exe"
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0tVgmHuxRU.bat"
        56⤵
        
        PID:692
        
        C:\Users\Public\Videos\spoolsv.exe
        
        "C:\Users\Public\Videos\spoolsv.exe"
        57⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QXsfud8LVu.bat"
        58⤵
        
        PID:4348
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        59⤵
        Runs ping.exe
        
        PID:3008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        59⤵
        
        PID:3800
        
        C:\Users\Public\Videos\spoolsv.exe
        
        "C:\Users\Public\Videos\spoolsv.exe"
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4rS0hE0df6.bat"
        60⤵
        
        PID:3992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        61⤵
        
        PID:420
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        61⤵
        
        PID:4032
        
        C:\Users\Public\Videos\spoolsv.exe
        
        "C:\Users\Public\Videos\spoolsv.exe"
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CE969IshFW.bat"
        62⤵
        
        PID:700
        
        C:\Users\Public\Videos\spoolsv.exe
        
        "C:\Users\Public\Videos\spoolsv.exe"
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QXsfud8LVu.bat"
        64⤵
        
        PID:4768
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        65⤵
        
        PID:4788
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        65⤵
        Runs ping.exe
        
        PID:5116

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
1⤵
PID:2456

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:4360

C:\Windows\system32\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:3444

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

Filesize
1KB

MD5
d9fbbda32f03209ae8e2d8e1ce595b32

SHA1
04996e2efdd89a0a7f5172690f96d34abe28ccc6

SHA256
d3f038da27a23a26f88df2466c10c4a846acfdbb323987d5cdd235ade8c16a60

SHA512
5ff8493732d18f6439e548a8149d291e619ad98d4d2280367add07e8fcf38d55803bf2396dba897a239ae0ed1455b157f3a7f827432196c52bc94c5f4154db6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c9e6378ee2a8cfb94bb04c81d395d4a3

SHA1
95c23351293d32850b6026a008db5e258edf39ea

SHA256
be08afa3897f349375c910e3fdb2858187479af404118220921f2bc496a3a8c5

SHA512
7d3c009278874b168014184a6c5f0fa7f11fb53a84385503c38c19f5307131d67d4607fb855b1486b1956c6fc1eb63a1dafe70f0c19a463a71aa910353300302

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c9e6378ee2a8cfb94bb04c81d395d4a3

SHA1
95c23351293d32850b6026a008db5e258edf39ea

SHA256
be08afa3897f349375c910e3fdb2858187479af404118220921f2bc496a3a8c5

SHA512
7d3c009278874b168014184a6c5f0fa7f11fb53a84385503c38c19f5307131d67d4607fb855b1486b1956c6fc1eb63a1dafe70f0c19a463a71aa910353300302

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e23bb420f08fdc2b3d5b482db0d5ff10

SHA1
afdd42aa0203afdaf14b91e9298799ce6e1bd0e6

SHA256
b118355cc7471774f95b57c97167401d6afd3b0a037ab2a77235311ecbd5884b

SHA512
d21ba4d9aa09f4e44ddda4fff2e554688ed91961404bc86a984861f6525f8d07714fd43acc819e2c9a0347a03f96ec78bedc6aa13d6f178c92f853b163416f4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b4e049f15ea374a88c4508cc4272a9ea

SHA1
12cb8d9523fe884f47deea2d7cd3608a2a2a3081

SHA256
3104f6f22526403c27ac573a0245625203d0b2c47339c066c42ccbd113e92a25

SHA512
cd9a6b4663c3526064b05628724de69ff7bc841f204dc93b50f064642c49b007da21e8351b21f925251a5c16aa4ecb10cb7b2ef22dc588e3e227da00284a67c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0tVgmHuxRU.bat

Filesize
210B

MD5
71bfd3093d1b5a01e44b78d1bac58464

SHA1
5f7f68515b031ae900b95190e1e216af6499b195

SHA256
f0930078a65b3a6d666c6a942d5d7a62d4e3385598251af51aab12e073cdd79c

SHA512
03be994cffa44bcf29ba25f6f027762193256e9e2258ce93f568bab148bc8ec7382f69d3394e7372c38689b9b7e1283b2f1dc3bbd8533b887e00277c4efd5b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\0tVgmHuxRU.bat

Filesize
210B

MD5
71bfd3093d1b5a01e44b78d1bac58464

SHA1
5f7f68515b031ae900b95190e1e216af6499b195

SHA256
f0930078a65b3a6d666c6a942d5d7a62d4e3385598251af51aab12e073cdd79c

SHA512
03be994cffa44bcf29ba25f6f027762193256e9e2258ce93f568bab148bc8ec7382f69d3394e7372c38689b9b7e1283b2f1dc3bbd8533b887e00277c4efd5b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\1TWCJOn7dC.bat

Filesize
162B

MD5
d61f3b585e5c7515a992f94cc1d74ce0

SHA1
59bc724bdd32c9cf21b6cb911f2969fbb37ca709

SHA256
7d50bfddcce623c0b6e066b0a673b5c5efdf314f1ad990da513ed73870edd109

SHA512
0d4062e57c206fa94ee21b8d95eb457397b62a35a74b531dbd4367b6623c8545a0f921c9328213714f3ece7be7ad42ed0b4eb321981198cd50d64da94cef64f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PiJebG6ia.bat

Filesize
162B

MD5
6749043bb039b88d270358cfccfa524f

SHA1
b4121b0632901ee5ff455ebe3085c14f09c62005

SHA256
afdb55b8dcf96585c69eb214c39cb0cc1f4d6547dc3499f67a3b53c2a6297a39

SHA512
715075000be2b33e81ec002559a32575af2b591fa1c2aa37c7a7e123ae40114396e97044f1c59f7828c8f6fe5c7eabcac6225f79c85202df3ddb3df9af72eef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\4IFTJQeKoJ.bat

Filesize
162B

MD5
24446b8eee02041426ae517bb3bc90fb

SHA1
540d6e99bc7957591b5af01d4efefbcd9716900e

SHA256
acfff8c08f19e47bd38e6911d9728fac753277351edc9fd3e75e78a0867484a7

SHA512
1ba446805667a05d27a151f25eba2803b8821edb5141578da163c4f3ce54e616843702635390ee644c72a07f397fa0d3dc0139fefc45e1a6db2368cf83161db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\6RTVEKunro.bat

Filesize
162B

MD5
46775400d8392fda83aaea855dfbe7cc

SHA1
10fbebeb321491f924f2a1d159d36f2a0cb8321e

SHA256
b2ee3a892f20d83745fed52945d163775fbb39cd219dbf7465082c862dd24d9d

SHA512
586e9ddc9a12fdc9bf63858260a231f451ac94e483172bf1b9454685c8af225220a801fd71e21ffeb31ae3fb35e81d9e811f595574583a9fd5ffe349094a7f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BpIS9nw5fy.bat

Filesize
162B

MD5
4933b4eced1344e5264e411ca9b2d188

SHA1
4cdbf61b9d4bd20b07020f3bb02b9f9f57606da5

SHA256
43c23abfd8938638858eeb3ebe90435ea140bb41a432b145906b4ea23598587a

SHA512
b54f8acaa82a0d82f614f40fa53d1bdfb89e02926dd4b8ec35b251dfef1f571f3aa75442def6302a71b320d2177a8fc788342589d5b907c317a960a4c4bd0502

Download Submit
C:\Users\Admin\AppData\Local\Temp\EON83D8AI2.bat

Filesize
162B

MD5
80b253c8990a706a4cc5c1604bcecd0b

SHA1
a908efbbde18c7388a64cca2c3d4be81539d59d4

SHA256
9b632e88d482cf263660fce4f3e34731f08614c25376c8fd8a5c3c2d2dfbf32b

SHA512
30c142a02d06ff807841035bb513122e866b1acbcd4600bfd43e608ecee3ff1b52318434ed1d5a48452f8ce634677ad3834b6152cff65627df15cdb580d46868

Download Submit
C:\Users\Admin\AppData\Local\Temp\HNGHapxv4I.bat

Filesize
210B

MD5
15d9133b2a70832c895e1b5d5bca3041

SHA1
c11a09a634d75b479dc14c3639743e1cf3a27e76

SHA256
e9e62f2fdbc0f578bf949d5fa683f5d2e89b1e2a1b193ca8ba8b7d66462b60bd

SHA512
be2b41a079a619ac9c94575ab22e1edda0fd698187d25b7705ebbb955a3937780a8ee59ceffaf5699c222035416b818866b60ed11b32e24d09b2951f864893e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMKRyAEqWe.bat

Filesize
162B

MD5
50b33981d156e34718e9ed76937303f0

SHA1
64c8f937e993ecf65a925822e3cc13fbe3480cb6

SHA256
b6b26f8b9b54b3d1472a5a0103cc79b88e451d90784539c9c6abd9e5ae005dbe

SHA512
ffa3001b598d999bd143d1a139403b7b8ff88709888212d87424ef88f4f8bf00b1424faf22de557d6345425d0ae0dba965d2a0a34335b09a6f6d144c00f4ecb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMKRyAEqWe.bat

Filesize
162B

MD5
50b33981d156e34718e9ed76937303f0

SHA1
64c8f937e993ecf65a925822e3cc13fbe3480cb6

SHA256
b6b26f8b9b54b3d1472a5a0103cc79b88e451d90784539c9c6abd9e5ae005dbe

SHA512
ffa3001b598d999bd143d1a139403b7b8ff88709888212d87424ef88f4f8bf00b1424faf22de557d6345425d0ae0dba965d2a0a34335b09a6f6d144c00f4ecb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\JlC5zfAS6C.bat

Filesize
162B

MD5
4800d2cff8a5c36b9993bc22257f1958

SHA1
e583be0d07cf05aad6391316503fe765ff99b32f

SHA256
f6eae2b7fb3cfec6bea075ad4e146f3ed4a99559ec36989332c5818919923733

SHA512
876eb4055b37777b59aed330d2fda96a1d802aa8539fe1a8ae89669a8fbf60ff1f1bfb7a36edeb266437f7b834769d318f05e475985d4c961e647dd795d40614

Download Submit
C:\Users\Admin\AppData\Local\Temp\MKHlt6LWjG.bat

Filesize
162B

MD5
10fe96a33f2b6d52d7c4f5729648e592

SHA1
8857555a8d1cc0d0609d68d17fc1ce1642e8a186

SHA256
88203f7527fb69e5d954f8d1e6f367c43362a8ca33f15c7dc60d35d34f2a23db

SHA512
1b8bcb28315e838dd0f656b08fe1fc6509a9665376b99317e461c901bb0d9f844cc9c7572c22423e2318af0e30c08892b0756eade1e78aa456edf32f8880edbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nl5EWIzDsS.bat

Filesize
210B

MD5
b2c80a0069003338d8ed318bf1420158

SHA1
c07d3f39910a088b30cf9c242c4d79d9c68f624d

SHA256
450fcfea7da0f82c12eb0263a909fa4c30850a70b91587e811d0fd17b74b8e71

SHA512
0427c3773f7720f9f517f416f7cf86d093ef3601297dabbc100bb89a43bee4684a7cbeec21b44cbede9d4c9f41477e298fd70767c501f3d104329f078c91a8f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\QXsfud8LVu.bat

Filesize
162B

MD5
13c6f2161b7bd3fda00b96bffe0b94ea

SHA1
cfd5c63c18d07b57a78a3c477a44b83778b6ab0f

SHA256
cb3aa3263fa5d1ddb73edb088cf96e1305df6853420b9d530d7554cf11017d2b

SHA512
abb6c7dc46cc546e0c29e97b110038254892cfd8f30a38141efe0e97224d5da2d93a297474dbc3d30264e91761f5b1c439516e8b076673fc72f94b0149c2dcac

Download Submit
C:\Users\Admin\AppData\Local\Temp\QXsfud8LVu.bat

Filesize
162B

MD5
13c6f2161b7bd3fda00b96bffe0b94ea

SHA1
cfd5c63c18d07b57a78a3c477a44b83778b6ab0f

SHA256
cb3aa3263fa5d1ddb73edb088cf96e1305df6853420b9d530d7554cf11017d2b

SHA512
abb6c7dc46cc546e0c29e97b110038254892cfd8f30a38141efe0e97224d5da2d93a297474dbc3d30264e91761f5b1c439516e8b076673fc72f94b0149c2dcac

Download Submit
C:\Users\Admin\AppData\Local\Temp\QXsfud8LVu.bat

Filesize
162B

MD5
13c6f2161b7bd3fda00b96bffe0b94ea

SHA1
cfd5c63c18d07b57a78a3c477a44b83778b6ab0f

SHA256
cb3aa3263fa5d1ddb73edb088cf96e1305df6853420b9d530d7554cf11017d2b

SHA512
abb6c7dc46cc546e0c29e97b110038254892cfd8f30a38141efe0e97224d5da2d93a297474dbc3d30264e91761f5b1c439516e8b076673fc72f94b0149c2dcac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rj2XQE6t64.bat

Filesize
210B

MD5
12ea5cb0dd6ef24c574efd814754533b

SHA1
d93253ec5e7be5bdd51f36112754b2b32d4e1cef

SHA256
07c48c549adca4d0fa78e8f32f0007267677027e148460b403ac04470b84632c

SHA512
64a400a4bae0ed6b2d9ba50afab851cba10a07dd51446447eb4b746f636979dbbdbf1151b1db46d0ec7c949a2393a6f36ffa76f4b5724ccf9f66f6abcb257230

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sh6ipYOoXP.bat

Filesize
162B

MD5
ce411a2af400c9dd0adf24a0dc4c2be0

SHA1
7a453370ebb67730f3a0e15c2ff4ab8ec4e89ece

SHA256
e8e651c4110e5a4ba1da74672522711c68205ca7880c6e84321663ae782d4980

SHA512
af8f2cb6eff53c9dbbd4dd117829011e691f0bb0c6269d78df83550e67f8d218ba497b7b376b78b09070e7e7b93fb092925cfdce2b120f1dbcf62f26de671be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\T6xLp4JQ8y.bat

Filesize
162B

MD5
7b8f80a032b21a199918c55ceb41ef11

SHA1
159805927bd6d498d180ceed901dcda14abcd281

SHA256
e0366d91529b0508a27b6e9964b4cd141aae00c55dc2d5d71a007f70a00ccf48

SHA512
49481837d249501b6dac52e51e9a1487a17e29c6dd1b9442630ab84cf2e04a2eec5025f16292883695a51cb47122f293f897abff0a84cffff00e14c451bd0266

Download Submit
C:\Users\Admin\AppData\Local\Temp\VhzrLBDaJg.bat

Filesize
210B

MD5
70eec4dee895b42343ef631cfebc720e

SHA1
f4521109811c53c4f1b23d06598ff084cccf464b

SHA256
28f26023393faba7019ca2177450b0aca2e1d033f010b8b76f6f50d515dd984b

SHA512
a4c20754246ee00b04077024957ea398f5284d7e792137f28ba3b710cc3076c9c89d36710a80d58b200e694f016105c7227d807bc888139a496f2b55d43bacba

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_feesxdqh.gdz.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddtUB3Qwlt.bat

Filesize
210B

MD5
8572e85b59c3a8072b5f4adf86bf47a2

SHA1
ba6bd81f979a9a7e99ef4483774a3215fdfb962d

SHA256
9db1ebdf66c200131515b18ddcdeb777c4036b44e185cae099d55adcb82cfea0

SHA512
6a275046ce88d079872d370ae16f595bbab62bcc6e0a5c678b1310ec3f629e5a5560ddef1aabc79eed291788c9b52a38f182cb6b6bd677e091658298ed5e440e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f2k7CZMYLR.bat

Filesize
210B

MD5
0e93828284b243db9f0356360123a96a

SHA1
09c79e918383be51935ef9d757493b1a55fda672

SHA256
9ed7fc2753bc1736ade8b7fe99d4dea133eb57091a55c6b196d9ff0ec7e1a9f7

SHA512
bfaf6efe190090498d7d146729b6516d82d3d286b1c8e4eb58de6fde157a2cebb7db0f964b4bddd48391de47646bc0fee54e41b46fcdd0450aa354af1ae7f3bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\lAvT1QihcZ.bat

Filesize
210B

MD5
072a820caefb6b21d72ba96e6725dd88

SHA1
efd95d5d6385d7a2bb7832dc6fd00a2341933ab3

SHA256
9c09297cc1be96323294e1b5d3e973d4eaeee22d34686098c6f18e15bc0797f2

SHA512
edf95ef9c83c8f005db6e7a0646cdbb5a71ea0442da5859ebd480a87d51a8a1e9a6cd7aa70296cad925f28f42a2141c8b63611748e4d5a1d626847443665a8f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAocY3YSOp.bat

Filesize
162B

MD5
256687af7c80cffbd1988d60e366b69b

SHA1
dd1be223ee05c596abd967cb8add8fbac3f82cc2

SHA256
7a7a9a76c2891a4bed53e51e1905631ea7422be1d9610dd11863ad8f6fabb8e0

SHA512
b7190ac3fe9449106af3e25c9aaed50a841e859d524b257b42c6e8585f8c88cd1d905cb245091cd4a2bf7b750210f17301351efb4ceb3ee6a59d91f0dfdffe1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\oOVO2yVWND.bat

Filesize
210B

MD5
576b584e7778d7b7ac9480c24d39a7a8

SHA1
e6081e0ad62e8d4ed8cee7f75b129ab888755f45

SHA256
2d3b4165e5899a54999811db9558b3ba03c091d574cdb66a75c2e98843da817e

SHA512
afccca69d000b1b69e35136ef3d91fcfa4790748626e7c2e1766b7a7447002e375401b9e2bf9e7a1bb13cbc9bafcd8b89487a179d0c2638b081ec991a9be7e23

Download Submit
C:\Users\Admin\AppData\Local\Temp\qXkQwtlzQj.bat

Filesize
210B

MD5
a1dec2f6ae6eff85cda851c84f0b05d4

SHA1
4f567eb82a4d06577fc40adc462870e75c6297ad

SHA256
130d504891c148fe38e02772f6b1c4feff4048e9ff7de9dff5021984aae74191

SHA512
07a70123acb7009da42432d2c5c4b9a81c34d71fab19e2267389281c7944cf53ee5741a49f1eb5aae493304773b0dbd0391f1e77b192f86335c6872015c4dc6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rxb3wPgb0H.bat

Filesize
210B

MD5
658bfdc5eaeae665fc189acb82465cdf

SHA1
7c4bdf54819f846586bcc8ae3d4ebd393bab48e9

SHA256
bf77881773b3e1243f9da65d2fcde4292f12fefaa3b3556c7518d25124d2687b

SHA512
3c21063fb4190f3ed1efc95069bb51beda873da941cfea06e7332a8f98ed936ef3fbffeab0e759a8c5d8161f7603789c1dd0ffec30b033c33843edbf7ac2b281

Download Submit
C:\Users\Admin\AppData\Local\Temp\uWhjrprfdL.bat

Filesize
210B

MD5
8016eca02c0fea743b455cca3319fe32

SHA1
58921bc05b2c5b925198af21b9b29bef531a75b8

SHA256
4e41b20fe153f8143e33c0525532a6131bedecc9a36962a87041a1f28464212c

SHA512
b29cd9030a7d3badf2654834b2454b34d62c29159d0342b75b8756bfc156ede4680f200a0bd129ddd44a07ce74d492cf6d2f87ef693ebcf0368b6b13786dbded

Download Submit
C:\Users\Admin\AppData\Local\Temp\xVZsORhRPb.bat

Filesize
162B

MD5
a8de7f23096d6880bee9f724308ff42d

SHA1
32192499a8c31be0cb8f2eaf3523ad70f02f59b9

SHA256
08d8c9b5bf24de3cfdec9e779a08ad9c8bd20860dee7819f2b541baa8c609e8a

SHA512
61fa0ad6cdc0f68f6d0501ab524c6da47c2555af83b1cfcdbd17f32e07a83806ba24179e145fa085326b45d855b8a7fa9d9146ef9c5e1714850f5f6c4e916e4a

Download Submit
C:\Users\Public\Videos\spoolsv.exe

Filesize
1.7MB

MD5
c2b3685e522340433c14a1347a6b59ae

SHA1
46ea6f7f34b290e6b181c709307f95e09717b9a4

SHA256
434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef

SHA512
67598a60451318baaa10f7bebc6dca5c3b014ed215dd3377e173fd02f5f933e426c7e1af209d17d437618a7e3019eb2e30bc25cd04542d0d3786e48418078083

Download Submit
C:\Users\Public\Videos\spoolsv.exe

Filesize
1.7MB

MD5
c2b3685e522340433c14a1347a6b59ae

SHA1
46ea6f7f34b290e6b181c709307f95e09717b9a4

SHA256
434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef

SHA512
67598a60451318baaa10f7bebc6dca5c3b014ed215dd3377e173fd02f5f933e426c7e1af209d17d437618a7e3019eb2e30bc25cd04542d0d3786e48418078083

Download Submit
C:\Users\Public\Videos\spoolsv.exe

Filesize
1.7MB

MD5
c2b3685e522340433c14a1347a6b59ae

SHA1
46ea6f7f34b290e6b181c709307f95e09717b9a4

SHA256
434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef

SHA512
67598a60451318baaa10f7bebc6dca5c3b014ed215dd3377e173fd02f5f933e426c7e1af209d17d437618a7e3019eb2e30bc25cd04542d0d3786e48418078083

Download Submit
C:\Users\Public\Videos\spoolsv.exe

Filesize
1.7MB

MD5
c2b3685e522340433c14a1347a6b59ae

SHA1
46ea6f7f34b290e6b181c709307f95e09717b9a4

SHA256
434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef

SHA512
67598a60451318baaa10f7bebc6dca5c3b014ed215dd3377e173fd02f5f933e426c7e1af209d17d437618a7e3019eb2e30bc25cd04542d0d3786e48418078083

Download Submit
C:\Users\Public\Videos\spoolsv.exe

Filesize
1.7MB

MD5
c2b3685e522340433c14a1347a6b59ae

SHA1
46ea6f7f34b290e6b181c709307f95e09717b9a4

SHA256
434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef

SHA512
67598a60451318baaa10f7bebc6dca5c3b014ed215dd3377e173fd02f5f933e426c7e1af209d17d437618a7e3019eb2e30bc25cd04542d0d3786e48418078083

Download Submit
C:\Users\Public\Videos\spoolsv.exe

Filesize
1.7MB

MD5
c2b3685e522340433c14a1347a6b59ae

SHA1
46ea6f7f34b290e6b181c709307f95e09717b9a4

SHA256
434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef

SHA512
67598a60451318baaa10f7bebc6dca5c3b014ed215dd3377e173fd02f5f933e426c7e1af209d17d437618a7e3019eb2e30bc25cd04542d0d3786e48418078083

Download Submit
C:\Users\Public\Videos\spoolsv.exe

Filesize
1.7MB

MD5
c2b3685e522340433c14a1347a6b59ae

SHA1
46ea6f7f34b290e6b181c709307f95e09717b9a4

SHA256
434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef

SHA512
67598a60451318baaa10f7bebc6dca5c3b014ed215dd3377e173fd02f5f933e426c7e1af209d17d437618a7e3019eb2e30bc25cd04542d0d3786e48418078083

Download Submit
C:\Users\Public\Videos\spoolsv.exe

Filesize
1.7MB

MD5
c2b3685e522340433c14a1347a6b59ae

SHA1
46ea6f7f34b290e6b181c709307f95e09717b9a4

SHA256
434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef

SHA512
67598a60451318baaa10f7bebc6dca5c3b014ed215dd3377e173fd02f5f933e426c7e1af209d17d437618a7e3019eb2e30bc25cd04542d0d3786e48418078083

Download Submit
C:\Users\Public\Videos\spoolsv.exe

Filesize
1.7MB

MD5
c2b3685e522340433c14a1347a6b59ae

SHA1
46ea6f7f34b290e6b181c709307f95e09717b9a4

SHA256
434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef

SHA512
67598a60451318baaa10f7bebc6dca5c3b014ed215dd3377e173fd02f5f933e426c7e1af209d17d437618a7e3019eb2e30bc25cd04542d0d3786e48418078083

Download Submit
C:\Users\Public\Videos\spoolsv.exe

Filesize
1.7MB

MD5
c2b3685e522340433c14a1347a6b59ae

SHA1
46ea6f7f34b290e6b181c709307f95e09717b9a4

SHA256
434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef

SHA512
67598a60451318baaa10f7bebc6dca5c3b014ed215dd3377e173fd02f5f933e426c7e1af209d17d437618a7e3019eb2e30bc25cd04542d0d3786e48418078083

Download Submit
C:\Users\Public\Videos\spoolsv.exe

Filesize
1.7MB

MD5
c2b3685e522340433c14a1347a6b59ae

SHA1
46ea6f7f34b290e6b181c709307f95e09717b9a4

SHA256
434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef

SHA512
67598a60451318baaa10f7bebc6dca5c3b014ed215dd3377e173fd02f5f933e426c7e1af209d17d437618a7e3019eb2e30bc25cd04542d0d3786e48418078083

Download Submit
C:\Users\Public\Videos\spoolsv.exe

Filesize
1.7MB

MD5
c2b3685e522340433c14a1347a6b59ae

SHA1
46ea6f7f34b290e6b181c709307f95e09717b9a4

SHA256
434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef

SHA512
67598a60451318baaa10f7bebc6dca5c3b014ed215dd3377e173fd02f5f933e426c7e1af209d17d437618a7e3019eb2e30bc25cd04542d0d3786e48418078083

Download Submit
C:\Users\Public\Videos\spoolsv.exe

Filesize
1.7MB

MD5
c2b3685e522340433c14a1347a6b59ae

SHA1
46ea6f7f34b290e6b181c709307f95e09717b9a4

SHA256
434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef

SHA512
67598a60451318baaa10f7bebc6dca5c3b014ed215dd3377e173fd02f5f933e426c7e1af209d17d437618a7e3019eb2e30bc25cd04542d0d3786e48418078083

Download Submit
C:\Users\Public\Videos\spoolsv.exe

Filesize
1.7MB

MD5
c2b3685e522340433c14a1347a6b59ae

SHA1
46ea6f7f34b290e6b181c709307f95e09717b9a4

SHA256
434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef

SHA512
67598a60451318baaa10f7bebc6dca5c3b014ed215dd3377e173fd02f5f933e426c7e1af209d17d437618a7e3019eb2e30bc25cd04542d0d3786e48418078083

Download Submit
C:\Users\Public\Videos\spoolsv.exe

Filesize
1.7MB

MD5
c2b3685e522340433c14a1347a6b59ae

SHA1
46ea6f7f34b290e6b181c709307f95e09717b9a4

SHA256
434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef

SHA512
67598a60451318baaa10f7bebc6dca5c3b014ed215dd3377e173fd02f5f933e426c7e1af209d17d437618a7e3019eb2e30bc25cd04542d0d3786e48418078083

Download Submit
C:\Users\Public\Videos\spoolsv.exe

Filesize
1.7MB

MD5
c2b3685e522340433c14a1347a6b59ae

SHA1
46ea6f7f34b290e6b181c709307f95e09717b9a4

SHA256
434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef

SHA512
67598a60451318baaa10f7bebc6dca5c3b014ed215dd3377e173fd02f5f933e426c7e1af209d17d437618a7e3019eb2e30bc25cd04542d0d3786e48418078083

Download Submit
C:\Users\Public\Videos\spoolsv.exe

Filesize
1.7MB

MD5
c2b3685e522340433c14a1347a6b59ae

SHA1
46ea6f7f34b290e6b181c709307f95e09717b9a4

SHA256
434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef

SHA512
67598a60451318baaa10f7bebc6dca5c3b014ed215dd3377e173fd02f5f933e426c7e1af209d17d437618a7e3019eb2e30bc25cd04542d0d3786e48418078083

Download Submit
C:\Users\Public\Videos\spoolsv.exe

Filesize
1.7MB

MD5
c2b3685e522340433c14a1347a6b59ae

SHA1
46ea6f7f34b290e6b181c709307f95e09717b9a4

SHA256
434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef

SHA512
67598a60451318baaa10f7bebc6dca5c3b014ed215dd3377e173fd02f5f933e426c7e1af209d17d437618a7e3019eb2e30bc25cd04542d0d3786e48418078083

Download Submit
C:\Users\Public\Videos\spoolsv.exe

Filesize
1.7MB

MD5
c2b3685e522340433c14a1347a6b59ae

SHA1
46ea6f7f34b290e6b181c709307f95e09717b9a4

SHA256
434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef

SHA512
67598a60451318baaa10f7bebc6dca5c3b014ed215dd3377e173fd02f5f933e426c7e1af209d17d437618a7e3019eb2e30bc25cd04542d0d3786e48418078083

Download Submit
C:\Users\Public\Videos\spoolsv.exe

Filesize
1.7MB

MD5
c2b3685e522340433c14a1347a6b59ae

SHA1
46ea6f7f34b290e6b181c709307f95e09717b9a4

SHA256
434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef

SHA512
67598a60451318baaa10f7bebc6dca5c3b014ed215dd3377e173fd02f5f933e426c7e1af209d17d437618a7e3019eb2e30bc25cd04542d0d3786e48418078083

Download Submit
C:\Users\Public\Videos\spoolsv.exe

Filesize
1.7MB

MD5
c2b3685e522340433c14a1347a6b59ae

SHA1
46ea6f7f34b290e6b181c709307f95e09717b9a4

SHA256
434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef

SHA512
67598a60451318baaa10f7bebc6dca5c3b014ed215dd3377e173fd02f5f933e426c7e1af209d17d437618a7e3019eb2e30bc25cd04542d0d3786e48418078083

Download Submit
C:\Users\Public\Videos\spoolsv.exe

Filesize
1.7MB

MD5
c2b3685e522340433c14a1347a6b59ae

SHA1
46ea6f7f34b290e6b181c709307f95e09717b9a4

SHA256
434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef

SHA512
67598a60451318baaa10f7bebc6dca5c3b014ed215dd3377e173fd02f5f933e426c7e1af209d17d437618a7e3019eb2e30bc25cd04542d0d3786e48418078083

Download Submit
C:\Users\Public\Videos\spoolsv.exe

Filesize
1.7MB

MD5
c2b3685e522340433c14a1347a6b59ae

SHA1
46ea6f7f34b290e6b181c709307f95e09717b9a4

SHA256
434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef

SHA512
67598a60451318baaa10f7bebc6dca5c3b014ed215dd3377e173fd02f5f933e426c7e1af209d17d437618a7e3019eb2e30bc25cd04542d0d3786e48418078083

Download Submit
C:\Users\Public\Videos\spoolsv.exe

Filesize
1.7MB

MD5
c2b3685e522340433c14a1347a6b59ae

SHA1
46ea6f7f34b290e6b181c709307f95e09717b9a4

SHA256
434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef

SHA512
67598a60451318baaa10f7bebc6dca5c3b014ed215dd3377e173fd02f5f933e426c7e1af209d17d437618a7e3019eb2e30bc25cd04542d0d3786e48418078083

Download Submit
C:\Users\Public\Videos\spoolsv.exe

Filesize
1.7MB

MD5
c2b3685e522340433c14a1347a6b59ae

SHA1
46ea6f7f34b290e6b181c709307f95e09717b9a4

SHA256
434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef

SHA512
67598a60451318baaa10f7bebc6dca5c3b014ed215dd3377e173fd02f5f933e426c7e1af209d17d437618a7e3019eb2e30bc25cd04542d0d3786e48418078083

Download Submit
C:\Users\Public\Videos\spoolsv.exe

Filesize
1.7MB

MD5
c2b3685e522340433c14a1347a6b59ae

SHA1
46ea6f7f34b290e6b181c709307f95e09717b9a4

SHA256
434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef

SHA512
67598a60451318baaa10f7bebc6dca5c3b014ed215dd3377e173fd02f5f933e426c7e1af209d17d437618a7e3019eb2e30bc25cd04542d0d3786e48418078083

Download Submit
C:\Users\Public\Videos\spoolsv.exe

Filesize
1.7MB

MD5
c2b3685e522340433c14a1347a6b59ae

SHA1
46ea6f7f34b290e6b181c709307f95e09717b9a4

SHA256
434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef

SHA512
67598a60451318baaa10f7bebc6dca5c3b014ed215dd3377e173fd02f5f933e426c7e1af209d17d437618a7e3019eb2e30bc25cd04542d0d3786e48418078083

Download Submit
C:\Users\Public\Videos\spoolsv.exe

Filesize
1.7MB

MD5
c2b3685e522340433c14a1347a6b59ae

SHA1
46ea6f7f34b290e6b181c709307f95e09717b9a4

SHA256
434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef

SHA512
67598a60451318baaa10f7bebc6dca5c3b014ed215dd3377e173fd02f5f933e426c7e1af209d17d437618a7e3019eb2e30bc25cd04542d0d3786e48418078083

Download Submit
C:\Users\Public\Videos\spoolsv.exe

Filesize
1.7MB

MD5
c2b3685e522340433c14a1347a6b59ae

SHA1
46ea6f7f34b290e6b181c709307f95e09717b9a4

SHA256
434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef

SHA512
67598a60451318baaa10f7bebc6dca5c3b014ed215dd3377e173fd02f5f933e426c7e1af209d17d437618a7e3019eb2e30bc25cd04542d0d3786e48418078083

Download Submit
C:\Users\Public\Videos\spoolsv.exe

Filesize
1.7MB

MD5
c2b3685e522340433c14a1347a6b59ae

SHA1
46ea6f7f34b290e6b181c709307f95e09717b9a4

SHA256
434b98fa78507706dc40e662fea6b0f02e5d36e83fd6b8eb026336b89ccc05ef

SHA512
67598a60451318baaa10f7bebc6dca5c3b014ed215dd3377e173fd02f5f933e426c7e1af209d17d437618a7e3019eb2e30bc25cd04542d0d3786e48418078083

Download Submit
memory/1148-68-0x0000023BBD7E0000-0x0000023BBD7F0000-memory.dmp

Filesize
64KB

Download
memory/1148-66-0x00007FFF56760000-0x00007FFF5714C000-memory.dmp

Filesize
9.9MB

Download
memory/1148-69-0x0000023BBD7E0000-0x0000023BBD7F0000-memory.dmp

Filesize
64KB

Download
memory/1148-77-0x0000023BBDB10000-0x0000023BBDB86000-memory.dmp

Filesize
472KB

Download
memory/1148-143-0x0000023BBD7E0000-0x0000023BBD7F0000-memory.dmp

Filesize
64KB

Download
memory/1148-258-0x0000023BBD7E0000-0x0000023BBD7F0000-memory.dmp

Filesize
64KB

Download
memory/1148-273-0x00007FFF56760000-0x00007FFF5714C000-memory.dmp

Filesize
9.9MB

Download
memory/1376-146-0x0000021A55620000-0x0000021A55630000-memory.dmp

Filesize
64KB

Download
memory/1376-62-0x0000021A55620000-0x0000021A55630000-memory.dmp

Filesize
64KB

Download
memory/1376-61-0x0000021A55620000-0x0000021A55630000-memory.dmp

Filesize
64KB

Download
memory/1376-261-0x0000021A55620000-0x0000021A55630000-memory.dmp

Filesize
64KB

Download
memory/1376-281-0x00007FFF56760000-0x00007FFF5714C000-memory.dmp

Filesize
9.9MB

Download
memory/1376-48-0x00007FFF56760000-0x00007FFF5714C000-memory.dmp

Filesize
9.9MB

Download
memory/1836-286-0x00007FFF56760000-0x00007FFF5714C000-memory.dmp

Filesize
9.9MB

Download
memory/1836-289-0x000000001B4F0000-0x000000001B500000-memory.dmp

Filesize
64KB

Download
memory/1836-288-0x000000001B4F0000-0x000000001B500000-memory.dmp

Filesize
64KB

Download
memory/1836-287-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/1836-291-0x00007FFF61BE0000-0x00007FFF61BE1000-memory.dmp

Filesize
4KB

Download
memory/1836-290-0x000000001B4F0000-0x000000001B500000-memory.dmp

Filesize
64KB

Download
memory/1836-294-0x00007FFF61BD0000-0x00007FFF61BD1000-memory.dmp

Filesize
4KB

Download
memory/1836-295-0x00007FFF61BC0000-0x00007FFF61BC1000-memory.dmp

Filesize
4KB

Download
memory/1836-298-0x00007FFF61BB0000-0x00007FFF61BB1000-memory.dmp

Filesize
4KB

Download
memory/1836-305-0x00007FFF56760000-0x00007FFF5714C000-memory.dmp

Filesize
9.9MB

Download
memory/2160-316-0x00007FFF61BD0000-0x00007FFF61BD1000-memory.dmp

Filesize
4KB

Download
memory/2160-314-0x00007FFF61BE0000-0x00007FFF61BE1000-memory.dmp

Filesize
4KB

Download
memory/2160-312-0x000000001BA40000-0x000000001BA50000-memory.dmp

Filesize
64KB

Download
memory/2160-311-0x000000001BA40000-0x000000001BA50000-memory.dmp

Filesize
64KB

Download
memory/2160-309-0x00000000014E0000-0x00000000014E1000-memory.dmp

Filesize
4KB

Download
memory/2160-310-0x000000001BA40000-0x000000001BA50000-memory.dmp

Filesize
64KB

Download
memory/2160-308-0x00007FFF56510000-0x00007FFF56EFC000-memory.dmp

Filesize
9.9MB

Download
memory/2400-260-0x0000024DAAF00000-0x0000024DAAF10000-memory.dmp

Filesize
64KB

Download
memory/2400-63-0x0000024DAAF00000-0x0000024DAAF10000-memory.dmp

Filesize
64KB

Download
memory/2400-54-0x00007FFF56760000-0x00007FFF5714C000-memory.dmp

Filesize
9.9MB

Download
memory/2400-142-0x0000024DAAF00000-0x0000024DAAF10000-memory.dmp

Filesize
64KB

Download
memory/2400-64-0x0000024DAAF00000-0x0000024DAAF10000-memory.dmp

Filesize
64KB

Download
memory/2400-274-0x00007FFF56760000-0x00007FFF5714C000-memory.dmp

Filesize
9.9MB

Download
memory/3704-144-0x00000139272C0000-0x00000139272D0000-memory.dmp

Filesize
64KB

Download
memory/3704-259-0x00000139272C0000-0x00000139272D0000-memory.dmp

Filesize
64KB

Download
memory/3704-67-0x00007FFF56760000-0x00007FFF5714C000-memory.dmp

Filesize
9.9MB

Download
memory/3704-282-0x00007FFF56760000-0x00007FFF5714C000-memory.dmp

Filesize
9.9MB

Download
memory/3704-58-0x00000139272C0000-0x00000139272D0000-memory.dmp

Filesize
64KB

Download
memory/3704-59-0x00000139272C0000-0x00000139272D0000-memory.dmp

Filesize
64KB

Download
memory/3748-11-0x00000000013A0000-0x00000000013AE000-memory.dmp

Filesize
56KB

Download
memory/3748-14-0x0000000002A50000-0x0000000002A5C000-memory.dmp

Filesize
48KB

Download
memory/3748-60-0x00007FFF56760000-0x00007FFF5714C000-memory.dmp

Filesize
9.9MB

Download
memory/3748-1-0x00007FFF56760000-0x00007FFF5714C000-memory.dmp

Filesize
9.9MB

Download
memory/3748-2-0x000000001B5A0000-0x000000001B5B0000-memory.dmp

Filesize
64KB

Download
memory/3748-3-0x0000000001350000-0x0000000001351000-memory.dmp

Filesize
4KB

Download
memory/3748-0-0x0000000000790000-0x0000000000950000-memory.dmp

Filesize
1.8MB

Download
memory/3748-4-0x000000001B5A0000-0x000000001B5B0000-memory.dmp

Filesize
64KB

Download
memory/3748-33-0x00007FFF56760000-0x00007FFF5714C000-memory.dmp

Filesize
9.9MB

Download
memory/3748-16-0x0000000002A70000-0x0000000002A7C000-memory.dmp

Filesize
48KB

Download
memory/3748-17-0x00007FFF61BB0000-0x00007FFF61BB1000-memory.dmp

Filesize
4KB

Download
memory/3748-5-0x000000001B5A0000-0x000000001B5B0000-memory.dmp

Filesize
64KB

Download
memory/3748-12-0x00007FFF61BC0000-0x00007FFF61BC1000-memory.dmp

Filesize
4KB

Download
memory/3748-6-0x00007FFF61BE0000-0x00007FFF61BE1000-memory.dmp

Filesize
4KB

Download
memory/3748-9-0x00007FFF61BD0000-0x00007FFF61BD1000-memory.dmp

Filesize
4KB

Download
memory/3748-8-0x0000000001390000-0x000000000139E000-memory.dmp

Filesize
56KB

Download
memory/4688-65-0x0000027D15B00000-0x0000027D15B22000-memory.dmp

Filesize
136KB

Download
memory/4688-255-0x0000027D15AA0000-0x0000027D15AB0000-memory.dmp

Filesize
64KB

Download
memory/4688-39-0x00007FFF56760000-0x00007FFF5714C000-memory.dmp

Filesize
9.9MB

Download
memory/4688-272-0x00007FFF56760000-0x00007FFF5714C000-memory.dmp

Filesize
9.9MB

Download
memory/4688-57-0x0000027D15AA0000-0x0000027D15AB0000-memory.dmp

Filesize
64KB

Download
memory/4688-145-0x0000027D15AA0000-0x0000027D15AB0000-memory.dmp

Filesize
64KB

Download