dcrat | 664dea6f81b67751afb7262aeb714ced32f49b3037b5b2d4a84e361f2d2906d7

Analysis

max time kernel
142s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-11-2024 10:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

664dea6f81b67751afb7262aeb714ced32f49b3037b5b2d4a84e361f2d2906d7.exe
Size

1.3MB
MD5

67df91dae71f5e77aba6aaeef32ba99c
SHA1

30b6fc90c283b51501b76bf6ae945286268fc329
SHA256

664dea6f81b67751afb7262aeb714ced32f49b3037b5b2d4a84e361f2d2906d7
SHA512

6cd967f3bd1cfdf5d763fe34a2fbdc7aeea957b683d53ea6d5ca6a074b4e0d24888c09c6521380554c86fadda0b0afc909b13f08e2a24829bb296c557b0100af
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	768	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/files/0x0007000000016dbe-9.dat	dcrat
behavioral1/memory/796-13-0x0000000000D20000-0x0000000000E30000-memory.dmp	dcrat
behavioral1/memory/2920-81-0x0000000000CA0000-0x0000000000DB0000-memory.dmp	dcrat
behavioral1/memory/2156-194-0x0000000000180000-0x0000000000290000-memory.dmp	dcrat
behavioral1/memory/2216-254-0x0000000000920000-0x0000000000A30000-memory.dmp	dcrat
behavioral1/memory/2640-314-0x0000000000210000-0x0000000000320000-memory.dmp	dcrat
behavioral1/memory/2220-374-0x0000000001310000-0x0000000001420000-memory.dmp	dcrat
behavioral1/memory/336-552-0x0000000000230000-0x0000000000340000-memory.dmp	dcrat
behavioral1/memory/540-612-0x00000000011D0000-0x00000000012E0000-memory.dmp	dcrat
behavioral1/memory/2632-732-0x0000000000380000-0x0000000000490000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2308	powershell.exe
2380	powershell.exe
1848	powershell.exe
2832	powershell.exe
3024	powershell.exe
2760	powershell.exe
2700	powershell.exe
1604	powershell.exe
2772	powershell.exe
3036	powershell.exe
2268	powershell.exe
2740	powershell.exe
2668	powershell.exe
2908	powershell.exe
2796	powershell.exe
2732	powershell.exe
1632	powershell.exe
2644	powershell.exe
1712	powershell.exe

Executes dropped EXE 12 IoCs

Processes:

DllCommonsvc.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exe

pid	Process
796	DllCommonsvc.exe
2920	audiodg.exe
2156	audiodg.exe
2216	audiodg.exe
2640	audiodg.exe
2220	audiodg.exe
2984	audiodg.exe
2280	audiodg.exe
336	audiodg.exe
540	audiodg.exe
844	audiodg.exe
2632	audiodg.exe

Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid	Process
2192	cmd.exe
2192	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

Processes:

flow	ioc
34	raw.githubusercontent.com
37	raw.githubusercontent.com
9	raw.githubusercontent.com
17	raw.githubusercontent.com
28	raw.githubusercontent.com
31	raw.githubusercontent.com
24	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
13	raw.githubusercontent.com
20	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

Processes:

DllCommonsvc.exe

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\b75386f1303e64	DllCommonsvc.exe

Drops file in Windows directory 9 IoCs

Processes:

DllCommonsvc.exe

description	ioc	Process
File created	C:\Windows\L2Schemas\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\L2Schemas\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\LiveKernelReports\886983d96e3d3e	DllCommonsvc.exe
File opened for modification	C:\Windows\L2Schemas\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\LiveKernelReports\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Downloaded Program Files\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Downloaded Program Files\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\RemotePackages\RemoteApps\audiodg.exe	DllCommonsvc.exe
File created	C:\Windows\RemotePackages\RemoteApps\42af1c969fbb7b	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

664dea6f81b67751afb7262aeb714ced32f49b3037b5b2d4a84e361f2d2906d7.exeWScript.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	664dea6f81b67751afb7262aeb714ced32f49b3037b5b2d4a84e361f2d2906d7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2200	schtasks.exe
1592	schtasks.exe
1556	schtasks.exe
1664	schtasks.exe
2036	schtasks.exe
1700	schtasks.exe
2344	schtasks.exe
2132	schtasks.exe
2404	schtasks.exe
756	schtasks.exe
920	schtasks.exe
404	schtasks.exe
1788	schtasks.exe
2156	schtasks.exe
848	schtasks.exe
2108	schtasks.exe
2356	schtasks.exe
1532	schtasks.exe
1816	schtasks.exe
704	schtasks.exe
1100	schtasks.exe
1832	schtasks.exe
2628	schtasks.exe
1512	schtasks.exe
1560	schtasks.exe
1760	schtasks.exe
2496	schtasks.exe
2556	schtasks.exe
2084	schtasks.exe
700	schtasks.exe
1820	schtasks.exe
2004	schtasks.exe
1688	schtasks.exe
2980	schtasks.exe
2964	schtasks.exe
2660	schtasks.exe
1656	schtasks.exe
2548	schtasks.exe
2288	schtasks.exe
1596	schtasks.exe
1756	schtasks.exe
2656	schtasks.exe
2364	schtasks.exe
1424	schtasks.exe
1152	schtasks.exe
2988	schtasks.exe
2076	schtasks.exe
1108	schtasks.exe
1672	schtasks.exe
2932	schtasks.exe
2764	schtasks.exe
560	schtasks.exe
2936	schtasks.exe
2196	schtasks.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeaudiodg.exepowershell.exepowershell.exepowershell.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exe

pid	Process
796	DllCommonsvc.exe
796	DllCommonsvc.exe
796	DllCommonsvc.exe
796	DllCommonsvc.exe
796	DllCommonsvc.exe
796	DllCommonsvc.exe
796	DllCommonsvc.exe
2760	powershell.exe
2772	powershell.exe
2796	powershell.exe
2308	powershell.exe
2668	powershell.exe
2268	powershell.exe
2908	powershell.exe
2380	powershell.exe
3036	powershell.exe
1632	powershell.exe
1848	powershell.exe
2832	powershell.exe
2644	powershell.exe
2700	powershell.exe
3024	powershell.exe
2740	powershell.exe
2920	audiodg.exe
1712	powershell.exe
2732	powershell.exe
1604	powershell.exe
2156	audiodg.exe
2216	audiodg.exe
2640	audiodg.exe
2220	audiodg.exe
2984	audiodg.exe
2280	audiodg.exe
336	audiodg.exe
540	audiodg.exe
844	audiodg.exe
2632	audiodg.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exeaudiodg.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exeaudiodg.exe

description	pid	Process
Token: SeDebugPrivilege	796	DllCommonsvc.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	2920	audiodg.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	2156	audiodg.exe
Token: SeDebugPrivilege	2216	audiodg.exe
Token: SeDebugPrivilege	2640	audiodg.exe
Token: SeDebugPrivilege	2220	audiodg.exe
Token: SeDebugPrivilege	2984	audiodg.exe
Token: SeDebugPrivilege	2280	audiodg.exe
Token: SeDebugPrivilege	336	audiodg.exe
Token: SeDebugPrivilege	540	audiodg.exe
Token: SeDebugPrivilege	844	audiodg.exe
Token: SeDebugPrivilege	2632	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

664dea6f81b67751afb7262aeb714ced32f49b3037b5b2d4a84e361f2d2906d7.exeWScript.execmd.exeDllCommonsvc.exe

description	pid	Process	procid_target
PID 2160 wrote to memory of 2180	2160	664dea6f81b67751afb7262aeb714ced32f49b3037b5b2d4a84e361f2d2906d7.exe	30
PID 2160 wrote to memory of 2180	2160	664dea6f81b67751afb7262aeb714ced32f49b3037b5b2d4a84e361f2d2906d7.exe	30
PID 2160 wrote to memory of 2180	2160	664dea6f81b67751afb7262aeb714ced32f49b3037b5b2d4a84e361f2d2906d7.exe	30
PID 2160 wrote to memory of 2180	2160	664dea6f81b67751afb7262aeb714ced32f49b3037b5b2d4a84e361f2d2906d7.exe	30
PID 2180 wrote to memory of 2192	2180	WScript.exe	31
PID 2180 wrote to memory of 2192	2180	WScript.exe	31
PID 2180 wrote to memory of 2192	2180	WScript.exe	31
PID 2180 wrote to memory of 2192	2180	WScript.exe	31
PID 2192 wrote to memory of 796	2192	cmd.exe	33
PID 2192 wrote to memory of 796	2192	cmd.exe	33
PID 2192 wrote to memory of 796	2192	cmd.exe	33
PID 2192 wrote to memory of 796	2192	cmd.exe	33
PID 796 wrote to memory of 1848	796	DllCommonsvc.exe	89
PID 796 wrote to memory of 1848	796	DllCommonsvc.exe	89
PID 796 wrote to memory of 1848	796	DllCommonsvc.exe	89
PID 796 wrote to memory of 2732	796	DllCommonsvc.exe	90
PID 796 wrote to memory of 2732	796	DllCommonsvc.exe	90
PID 796 wrote to memory of 2732	796	DllCommonsvc.exe	90
PID 796 wrote to memory of 2772	796	DllCommonsvc.exe	91
PID 796 wrote to memory of 2772	796	DllCommonsvc.exe	91
PID 796 wrote to memory of 2772	796	DllCommonsvc.exe	91
PID 796 wrote to memory of 2832	796	DllCommonsvc.exe	92
PID 796 wrote to memory of 2832	796	DllCommonsvc.exe	92
PID 796 wrote to memory of 2832	796	DllCommonsvc.exe	92
PID 796 wrote to memory of 3036	796	DllCommonsvc.exe	93
PID 796 wrote to memory of 3036	796	DllCommonsvc.exe	93
PID 796 wrote to memory of 3036	796	DllCommonsvc.exe	93
PID 796 wrote to memory of 3024	796	DllCommonsvc.exe	94
PID 796 wrote to memory of 3024	796	DllCommonsvc.exe	94
PID 796 wrote to memory of 3024	796	DllCommonsvc.exe	94
PID 796 wrote to memory of 2760	796	DllCommonsvc.exe	95
PID 796 wrote to memory of 2760	796	DllCommonsvc.exe	95
PID 796 wrote to memory of 2760	796	DllCommonsvc.exe	95
PID 796 wrote to memory of 2268	796	DllCommonsvc.exe	96
PID 796 wrote to memory of 2268	796	DllCommonsvc.exe	96
PID 796 wrote to memory of 2268	796	DllCommonsvc.exe	96
PID 796 wrote to memory of 2908	796	DllCommonsvc.exe	97
PID 796 wrote to memory of 2908	796	DllCommonsvc.exe	97
PID 796 wrote to memory of 2908	796	DllCommonsvc.exe	97
PID 796 wrote to memory of 1632	796	DllCommonsvc.exe	98
PID 796 wrote to memory of 1632	796	DllCommonsvc.exe	98
PID 796 wrote to memory of 1632	796	DllCommonsvc.exe	98
PID 796 wrote to memory of 2796	796	DllCommonsvc.exe	99
PID 796 wrote to memory of 2796	796	DllCommonsvc.exe	99
PID 796 wrote to memory of 2796	796	DllCommonsvc.exe	99
PID 796 wrote to memory of 2740	796	DllCommonsvc.exe	100
PID 796 wrote to memory of 2740	796	DllCommonsvc.exe	100
PID 796 wrote to memory of 2740	796	DllCommonsvc.exe	100
PID 796 wrote to memory of 2644	796	DllCommonsvc.exe	101
PID 796 wrote to memory of 2644	796	DllCommonsvc.exe	101
PID 796 wrote to memory of 2644	796	DllCommonsvc.exe	101
PID 796 wrote to memory of 2700	796	DllCommonsvc.exe	102
PID 796 wrote to memory of 2700	796	DllCommonsvc.exe	102
PID 796 wrote to memory of 2700	796	DllCommonsvc.exe	102
PID 796 wrote to memory of 2308	796	DllCommonsvc.exe	103
PID 796 wrote to memory of 2308	796	DllCommonsvc.exe	103
PID 796 wrote to memory of 2308	796	DllCommonsvc.exe	103
PID 796 wrote to memory of 2380	796	DllCommonsvc.exe	104
PID 796 wrote to memory of 2380	796	DllCommonsvc.exe	104
PID 796 wrote to memory of 2380	796	DllCommonsvc.exe	104
PID 796 wrote to memory of 2668	796	DllCommonsvc.exe	105
PID 796 wrote to memory of 2668	796	DllCommonsvc.exe	105
PID 796 wrote to memory of 2668	796	DllCommonsvc.exe	105
PID 796 wrote to memory of 1604	796	DllCommonsvc.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\664dea6f81b67751afb7262aeb714ced32f49b3037b5b2d4a84e361f2d2906d7.exe
"C:\Users\Admin\AppData\Local\Temp\664dea6f81b67751afb7262aeb714ced32f49b3037b5b2d4a84e361f2d2906d7.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\Local\Microsoft\Windows\History\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Application Data\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Favorites\Links\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteApps\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
    - - C:\Windows\RemotePackages\RemoteApps\audiodg.exe
        
        "C:\Windows\RemotePackages\RemoteApps\audiodg.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VbZulfStaN.bat"
        6⤵
        
        PID:1704
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:628
        
        C:\Windows\RemotePackages\RemoteApps\audiodg.exe
        
        "C:\Windows\RemotePackages\RemoteApps\audiodg.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KmPq9HzxB6.bat"
        8⤵
        
        PID:108
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2256
        
        C:\Windows\RemotePackages\RemoteApps\audiodg.exe
        
        "C:\Windows\RemotePackages\RemoteApps\audiodg.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat"
        10⤵
        
        PID:3024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2280
        
        C:\Windows\RemotePackages\RemoteApps\audiodg.exe
        
        "C:\Windows\RemotePackages\RemoteApps\audiodg.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Or3SRhMf8V.bat"
        12⤵
        
        PID:440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1576
        
        C:\Windows\RemotePackages\RemoteApps\audiodg.exe
        
        "C:\Windows\RemotePackages\RemoteApps\audiodg.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat"
        14⤵
        
        PID:2356
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1796
        
        C:\Windows\RemotePackages\RemoteApps\audiodg.exe
        
        "C:\Windows\RemotePackages\RemoteApps\audiodg.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7bDnwPuEug.bat"
        16⤵
        
        PID:1148
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2216
        
        C:\Windows\RemotePackages\RemoteApps\audiodg.exe
        
        "C:\Windows\RemotePackages\RemoteApps\audiodg.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat"
        18⤵
        
        PID:2132
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:3036
        
        C:\Windows\RemotePackages\RemoteApps\audiodg.exe
        
        "C:\Windows\RemotePackages\RemoteApps\audiodg.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pkmftNZ3Wr.bat"
        20⤵
        
        PID:1580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:752
        
        C:\Windows\RemotePackages\RemoteApps\audiodg.exe
        
        "C:\Windows\RemotePackages\RemoteApps\audiodg.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eXOrkcF5G0.bat"
        22⤵
        
        PID:1904
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2152
        
        C:\Windows\RemotePackages\RemoteApps\audiodg.exe
        
        "C:\Windows\RemotePackages\RemoteApps\audiodg.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EzDSmeWZ76.bat"
        24⤵
        
        PID:1440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:3000
        
        C:\Windows\RemotePackages\RemoteApps\audiodg.exe
        
        "C:\Windows\RemotePackages\RemoteApps\audiodg.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\L2Schemas\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Default\AppData\Local\Microsoft\Windows\History\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\AppData\Local\Microsoft\Windows\History\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Default\AppData\Local\Microsoft\Windows\History\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\LiveKernelReports\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\LiveKernelReports\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Application Data\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Application Data\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Application Data\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Application Data\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Favorites\Links\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\Links\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Favorites\Links\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Windows\RemotePackages\RemoteApps\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Windows\RemotePackages\RemoteApps\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
159435be2c7f1c949779202b335a27d0

SHA1
d4e13c8b48353e31625df1f87c91ab528ede5eef

SHA256
220b655d5a093fd3502cea097875390a347ffdd7523df2501b1ad6589938b7e0

SHA512
ff36a653d4db9184f64ea9a2f8de5c6a3653c95330b80417ba0dacd859dd49945056ab007f76adfc305b07456abf12647ba0cbc144c2a00d8f211bc471d377c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab370e816f01f9cf8346c47a22ccad5f

SHA1
b121e49bcfdb4fc2b377ad617de46bcd782f2484

SHA256
07f0eaed3dd0b91b1578be498b775eff6dfac9044f1afb08c9c4938b3644d734

SHA512
0d3bd7f62db6991e1415fb3b0d42ceadafba7e75d123bcf74ddb31fa96dd9a0b56304d3f10663490805a96ff5c99cefa3de7012933a0212ba2ac5b81f22e5ce3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef7ef68b29fadaa49f62d74ad6dc0ef5

SHA1
039ad66c2bc905132ed6e2569ef22222c2772783

SHA256
d88bcd093814f47c949cda0e13f153747cac717bd19e4c03ee531217249f37f4

SHA512
c1738f6bf3099891a8c58682109efbe854b0cb8cab4fe293e75ffdbacdb30f7c26b6fa6e13b15ca46ab18114fd0df529e90197344c8c6ed6ef481db7dc030979

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
54279b863839084c03f49d782b4a13dd

SHA1
d13561b469aac70353e8dc95e8a14261f94c2d90

SHA256
316719f8bf2d072ba8b21197f7017b51a88f5abaa79452e0910b4f0e8a0c44a7

SHA512
b38dd446f2f71bc1a3db2c81e32fcb1ddf4b642920946e2256a03aacf2d5ea8a13cfa7501755e3ccf79e118c0d8af426f2945b4db3d9e648e8f7dd08e87cdaa4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb83a3e0c51e48e3ee953417a898b022

SHA1
3ec939e5ebfd8560484798f51316e1231985e27b

SHA256
6bc26311287f0a66972ca590515df4bb63156a35e137cc3031dc837d4b3f4fcb

SHA512
5eb48a2844785a74713ba856a12e06d58e99460eb1ffcb72b8d5e1f4d7946f0e9e4c1004f121af8148717dd76206a57b6598db6b62225ff77c0b44ebc83ad528

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2ba9833d2b20c91dc303c8da9957b39

SHA1
f33a9b37e0496659bc5171959bdae43d99e83267

SHA256
0ee6589426e693ef946e859a901af3ae9202444b67afd9063d79ceb4be207236

SHA512
7bb7457c8814783af71dc523bfb46e583d96d7a111f8b03e5661c579fb505991bbd4a12faf92852a2476c4a5d23727ffe3e7570f3304552c6a8f4e0cfc1b6912

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b540a4100d71173b82ec1d59075257a

SHA1
0568be9463952696f354a994763de7828d4becb8

SHA256
da7c8c301621c5702e1f95f7c681ca0d01d2d29b17929e50c52a9f61be3908e4

SHA512
0571d48c9e3f8d747e8035e11f7b47ab1704c99c8b6e49fdcde33faf4cc3edb724256f0c9daa49563fb48019a52fdd6ec9f0bd565572f0aaa1030152bf5321f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
419acc195a203d37ab4296f61805529d

SHA1
8e222ca538e4bce7c3715b01907d25d9d3886d5c

SHA256
3f63c75a56896eebaaa96a8ba557997d22081c6af275fb732920059c8a9be508

SHA512
6ba3bf666361d96feddb65723a4ef13818a983c8e307770de9efe6681f602ec2cc11f1cfeac7cab77caf5d37cd62b5645c4827f36765bc9890a623ea1ffada41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3658ed4f60a98625164072854285140f

SHA1
05a3e9160669dfd57b95faa11c3a041de37a02ad

SHA256
56db90c6995b76d3e7301b4bd68c7cfbd1d5ee2adbafe4a3c48ca5ef2e26ca61

SHA512
460539a06addb175fae811e6428a37b8af2d3ef0b36c24dee421280d452ba13cc4679e7a366ea44c7e45e9560f69b089063484d038ba0bc71526509623eeef2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat

Filesize
213B

MD5
cce386cc17388d41eeeecf50f8b6147b

SHA1
675912fc70b9f1b77d29f9c91ffb62245a7787e0

SHA256
182bfb81290acb27d5bdeccc9ee6f175265d6daf69b81468e3f9e60f72fc3f39

SHA512
2802334e7e8c9d65985c1aabdba9f1103abb9ed52955489f4b5230e0e067128dc8789de1ca6fc9bad44d6710488c2503aac0f335137141b40e2c71c1228dc2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\7bDnwPuEug.bat

Filesize
213B

MD5
981ea95610cde692171091cf7408c22a

SHA1
76f6e5102cadf14f1d29ae15997e438f944b1567

SHA256
5d4e471ab3dc9fd431b5473dfb32716a6fd1b3391662f3fc5c4c1eb007206420

SHA512
dd777ca76759541e1fef39811a7f0964507ff143118f09f7811d3d26ab87bb98cf3804cdfd3b684acf8d43aab6db4795a79ebb556bbdfb63a337889109d656d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFDD1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EzDSmeWZ76.bat

Filesize
213B

MD5
91c8c917cdd19c329f6f353f25e09bc6

SHA1
c8d89066a35c11393f3c73bc49b54dcb992dd14a

SHA256
e3b9b66ecbaaa7673d6f90593d1ce3ea8b2de705131d9840ebfb6846ad1cacbb

SHA512
8ea919c2fb047754d293d20a66df5ce313d5a3fee0583fffd173dfdfb8052a552ffc59c776a696b865a0c76f28de04e5e67413db06c7fffc44e8266c7cf2166f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat

Filesize
213B

MD5
9680611f05dbf36784ab5cacc7c3108e

SHA1
5fbfd190cdbb6fa3f771205afe5624b21370fa89

SHA256
f7f0656b08e78b2457f8e4142ef57c9506f160b567a400238e2aaa7361b02c42

SHA512
5fe3d6e6c4a18d1dc751f2193ab299d364d185a9ec152e314bca9b89b9c1e6de388483ea22ee2b099dd9ccc0fd90589d95011c26b992d36899b1736a211305f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\KmPq9HzxB6.bat

Filesize
213B

MD5
7a00732cb3cabcfea6ca3f1fc61483ab

SHA1
4f8ef4d8c80be91145908bedffd9b944b5e5f274

SHA256
e0eb299192dc5f131c45e4f433f0e6ca2a57b05ae785a745159916c62b2c9045

SHA512
ff45165c0c0183515d18c4ff3f651e2b3847c506cb9afe52bcb44d6cc7496a27519939ce7c3f4b4da9ac8e3eb8887a098621ccc505edd60e920935df3b5513f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Or3SRhMf8V.bat

Filesize
213B

MD5
c101d1f71e87eea4003d280e611c75d6

SHA1
ff6d323278c456397526984e5c0912916eba2016

SHA256
70338dd1377a0bf8d88379ef8e4705c83d9d4fc09e39bb684acded2a92dd1392

SHA512
c19e19803890513cde92caf651fd621e0d9150f75e1aa07651d60c7a1e62796abb704ff46473d3e515666c4b31801f6a124f2d87477621a6f20af1dd8f61ec21

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFE03.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VbZulfStaN.bat

Filesize
213B

MD5
66095dd2717b69d741eadfdeaf5c5a19

SHA1
99715af6b0055094cccdc4cbe6d21717a4d9c114

SHA256
cccfdfd3773cd92ec0dba8635aa4afee77708a7d59f96af84d66072273bfb5e1

SHA512
ea3ba0df52c7d7ad40c73eea578deecdd924722388daf39c6eabc048faf93d2c370b12b37fc9ec9e8a7ddfb8cdfdd2d53b6034df62abe923096e3ef2cdeecb8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\eXOrkcF5G0.bat

Filesize
213B

MD5
88dc19f91ec141890dff1f16859163d5

SHA1
0777f9aada3eb973605874f042eba073a00e0d65

SHA256
3d7541826e9f6ea18c90b26ea722778d26a78c892753192944e7b4156ce00534

SHA512
56620b1aa071aff7ae1730c552fdeba0e50fd4c8d9a3d8548bd6f1f8be7a129f333993d6ee097af71f073b186837de3d389136dafb52c9e8eaa0a3e1bd43e691

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat

Filesize
213B

MD5
95d46b9945e776cbb73974dde8ba354c

SHA1
1a6d989d7dd0312b81567734de900808787310cc

SHA256
5cd82676d2856e7d57b77893136611568762f93aa97568762169022f4074df7d

SHA512
f0f342ed3679b9cd678cde17bf97167dee15c81575845a2a3df8256eb8f2512048af867d42a89130bb29709a8d636da7205679d1e7e80dac1fa92b23090967d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkmftNZ3Wr.bat

Filesize
213B

MD5
04a13003cea89fea7b5e7cd38c52e724

SHA1
5ef1d55c7f0dfdd90330430f6e2cd17fd71e2059

SHA256
16fd351bc3fe4f1e49f13f94dda3d8c850b1e731529d8ccf9550c140381b385f

SHA512
51da3501924644e83613d928a466aff4ceff2be9fa9d41b9694d4147d533fd595028a66e560bd9d306060357fc8015209b54e19e2f8a77d624f1cabe6431a3d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
642fc088af3523b49c34f790e2e13302

SHA1
2828308bec0b0da92c5a37de41a314fd51425f34

SHA256
09c8295ed98e572729f689c6a04915f897f9671c441b669605fd7af0ec515597

SHA512
8f3304a443a506f8e91d976218170d7773b9d52e3b4f700a7cbdec20703688b143d9702f75897af8a03fdfdf61b7d1a1b2e6eed6df5768bf39897c8238ba2a26

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/336-552-0x0000000000230000-0x0000000000340000-memory.dmp

Filesize
1.1MB

Download
memory/540-612-0x00000000011D0000-0x00000000012E0000-memory.dmp

Filesize
1.1MB

Download
memory/796-14-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/796-13-0x0000000000D20000-0x0000000000E30000-memory.dmp

Filesize
1.1MB

Download
memory/796-15-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/796-17-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/796-16-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/844-672-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/2156-194-0x0000000000180000-0x0000000000290000-memory.dmp

Filesize
1.1MB

Download
memory/2216-254-0x0000000000920000-0x0000000000A30000-memory.dmp

Filesize
1.1MB

Download
memory/2220-374-0x0000000001310000-0x0000000001420000-memory.dmp

Filesize
1.1MB

Download
memory/2632-732-0x0000000000380000-0x0000000000490000-memory.dmp

Filesize
1.1MB

Download
memory/2640-314-0x0000000000210000-0x0000000000320000-memory.dmp

Filesize
1.1MB

Download
memory/2760-68-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

Filesize
2.9MB

Download
memory/2760-70-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2920-81-0x0000000000CA0000-0x0000000000DB0000-memory.dmp

Filesize
1.1MB

Download