dcrat | 664dea6f81b67751afb7262aeb714ced32f49b3037b5b2d4a84e361f2d2906d7

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-11-2024 10:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

664dea6f81b67751afb7262aeb714ced32f49b3037b5b2d4a84e361f2d2906d7.exe
Size

1.3MB
MD5

67df91dae71f5e77aba6aaeef32ba99c
SHA1

30b6fc90c283b51501b76bf6ae945286268fc329
SHA256

664dea6f81b67751afb7262aeb714ced32f49b3037b5b2d4a84e361f2d2906d7
SHA512

6cd967f3bd1cfdf5d763fe34a2fbdc7aeea957b683d53ea6d5ca6a074b4e0d24888c09c6521380554c86fadda0b0afc909b13f08e2a24829bb296c557b0100af
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2372	schtasks.exe	35

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/files/0x0008000000015d19-9.dat	dcrat
behavioral1/memory/2504-13-0x0000000000340000-0x0000000000450000-memory.dmp	dcrat
behavioral1/memory/1740-164-0x0000000000DF0000-0x0000000000F00000-memory.dmp	dcrat
behavioral1/memory/2600-223-0x0000000000140000-0x0000000000250000-memory.dmp	dcrat
behavioral1/memory/2292-284-0x00000000008A0000-0x00000000009B0000-memory.dmp	dcrat
behavioral1/memory/1120-344-0x00000000001C0000-0x00000000002D0000-memory.dmp	dcrat
behavioral1/memory/2452-404-0x0000000000910000-0x0000000000A20000-memory.dmp	dcrat
behavioral1/memory/2368-464-0x0000000001080000-0x0000000001190000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2600	powershell.exe
2008	powershell.exe
2104	powershell.exe
2776	powershell.exe
1792	powershell.exe
1448	powershell.exe
2608	powershell.exe
276	powershell.exe
1052	powershell.exe
712	powershell.exe
2872	powershell.exe
1472	powershell.exe
1928	powershell.exe
2144	powershell.exe
1876	powershell.exe
3000	powershell.exe
1416	powershell.exe
2988	powershell.exe
2420	powershell.exe
1656	powershell.exe

Executes dropped EXE 13 IoCs

Processes:

DllCommonsvc.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

pid	Process
2504	DllCommonsvc.exe
1740	winlogon.exe
2600	winlogon.exe
2292	winlogon.exe
1120	winlogon.exe
2452	winlogon.exe
2368	winlogon.exe
2180	winlogon.exe
2812	winlogon.exe
2600	winlogon.exe
792	winlogon.exe
2560	winlogon.exe
2588	winlogon.exe

Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid	Process
2892	cmd.exe
2892	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

Processes:

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com
29	raw.githubusercontent.com
40	raw.githubusercontent.com
4	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com
32	raw.githubusercontent.com
36	raw.githubusercontent.com
39	raw.githubusercontent.com
12	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

Processes:

DllCommonsvc.exe

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\Icons\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\24dbde2999530e	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

Processes:

DllCommonsvc.exe

description	ioc	Process
File created	C:\Windows\Media\Landscape\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\PLA\Rules\ja-JP\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\PLA\Rules\ja-JP\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\Media\Landscape\csrss.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

664dea6f81b67751afb7262aeb714ced32f49b3037b5b2d4a84e361f2d2906d7.exeWScript.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	664dea6f81b67751afb7262aeb714ced32f49b3037b5b2d4a84e361f2d2906d7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2808	schtasks.exe
2700	schtasks.exe
2420	schtasks.exe
1836	schtasks.exe
2456	schtasks.exe
2428	schtasks.exe
1424	schtasks.exe
1632	schtasks.exe
1732	schtasks.exe
1572	schtasks.exe
1548	schtasks.exe
3008	schtasks.exe
2768	schtasks.exe
2924	schtasks.exe
2292	schtasks.exe
1000	schtasks.exe
2720	schtasks.exe
2160	schtasks.exe
2016	schtasks.exe
2476	schtasks.exe
2400	schtasks.exe
2952	schtasks.exe
1436	schtasks.exe
2752	schtasks.exe
3012	schtasks.exe
1940	schtasks.exe
2908	schtasks.exe
2728	schtasks.exe
2288	schtasks.exe
1660	schtasks.exe
924	schtasks.exe
1952	schtasks.exe
1168	schtasks.exe
1460	schtasks.exe
2364	schtasks.exe
2376	schtasks.exe
2800	schtasks.exe
1420	schtasks.exe
1700	schtasks.exe
580	schtasks.exe
2880	schtasks.exe
560	schtasks.exe
2836	schtasks.exe
1872	schtasks.exe
2164	schtasks.exe
1468	schtasks.exe
2120	schtasks.exe
1380	schtasks.exe
2168	schtasks.exe
1864	schtasks.exe
3044	schtasks.exe
840	schtasks.exe
988	schtasks.exe
2472	schtasks.exe
2964	schtasks.exe
2580	schtasks.exe
2604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

pid	Process
2504	DllCommonsvc.exe
1792	powershell.exe
3000	powershell.exe
2600	powershell.exe
2104	powershell.exe
2608	powershell.exe
1416	powershell.exe
1876	powershell.exe
1448	powershell.exe
712	powershell.exe
2872	powershell.exe
1052	powershell.exe
1928	powershell.exe
276	powershell.exe
2988	powershell.exe
2776	powershell.exe
2420	powershell.exe
1656	powershell.exe
1472	powershell.exe
2008	powershell.exe
2144	powershell.exe
1740	winlogon.exe
2600	winlogon.exe
2292	winlogon.exe
1120	winlogon.exe
2452	winlogon.exe
2368	winlogon.exe
2180	winlogon.exe
2812	winlogon.exe
2600	winlogon.exe
792	winlogon.exe
2560	winlogon.exe
2588	winlogon.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	2504	DllCommonsvc.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	712	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	276	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	1740	winlogon.exe
Token: SeDebugPrivilege	2600	winlogon.exe
Token: SeDebugPrivilege	2292	winlogon.exe
Token: SeDebugPrivilege	1120	winlogon.exe
Token: SeDebugPrivilege	2452	winlogon.exe
Token: SeDebugPrivilege	2368	winlogon.exe
Token: SeDebugPrivilege	2180	winlogon.exe
Token: SeDebugPrivilege	2812	winlogon.exe
Token: SeDebugPrivilege	2600	winlogon.exe
Token: SeDebugPrivilege	792	winlogon.exe
Token: SeDebugPrivilege	2560	winlogon.exe
Token: SeDebugPrivilege	2588	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

664dea6f81b67751afb7262aeb714ced32f49b3037b5b2d4a84e361f2d2906d7.exeWScript.execmd.exeDllCommonsvc.exe

description	pid	Process	procid_target
PID 2700 wrote to memory of 2660	2700	664dea6f81b67751afb7262aeb714ced32f49b3037b5b2d4a84e361f2d2906d7.exe	31
PID 2700 wrote to memory of 2660	2700	664dea6f81b67751afb7262aeb714ced32f49b3037b5b2d4a84e361f2d2906d7.exe	31
PID 2700 wrote to memory of 2660	2700	664dea6f81b67751afb7262aeb714ced32f49b3037b5b2d4a84e361f2d2906d7.exe	31
PID 2700 wrote to memory of 2660	2700	664dea6f81b67751afb7262aeb714ced32f49b3037b5b2d4a84e361f2d2906d7.exe	31
PID 2660 wrote to memory of 2892	2660	WScript.exe	32
PID 2660 wrote to memory of 2892	2660	WScript.exe	32
PID 2660 wrote to memory of 2892	2660	WScript.exe	32
PID 2660 wrote to memory of 2892	2660	WScript.exe	32
PID 2892 wrote to memory of 2504	2892	cmd.exe	34
PID 2892 wrote to memory of 2504	2892	cmd.exe	34
PID 2892 wrote to memory of 2504	2892	cmd.exe	34
PID 2892 wrote to memory of 2504	2892	cmd.exe	34
PID 2504 wrote to memory of 1472	2504	DllCommonsvc.exe	93
PID 2504 wrote to memory of 1472	2504	DllCommonsvc.exe	93
PID 2504 wrote to memory of 1472	2504	DllCommonsvc.exe	93
PID 2504 wrote to memory of 1416	2504	DllCommonsvc.exe	94
PID 2504 wrote to memory of 1416	2504	DllCommonsvc.exe	94
PID 2504 wrote to memory of 1416	2504	DllCommonsvc.exe	94
PID 2504 wrote to memory of 2988	2504	DllCommonsvc.exe	95
PID 2504 wrote to memory of 2988	2504	DllCommonsvc.exe	95
PID 2504 wrote to memory of 2988	2504	DllCommonsvc.exe	95
PID 2504 wrote to memory of 3000	2504	DllCommonsvc.exe	96
PID 2504 wrote to memory of 3000	2504	DllCommonsvc.exe	96
PID 2504 wrote to memory of 3000	2504	DllCommonsvc.exe	96
PID 2504 wrote to memory of 1876	2504	DllCommonsvc.exe	97
PID 2504 wrote to memory of 1876	2504	DllCommonsvc.exe	97
PID 2504 wrote to memory of 1876	2504	DllCommonsvc.exe	97
PID 2504 wrote to memory of 2104	2504	DllCommonsvc.exe	98
PID 2504 wrote to memory of 2104	2504	DllCommonsvc.exe	98
PID 2504 wrote to memory of 2104	2504	DllCommonsvc.exe	98
PID 2504 wrote to memory of 2776	2504	DllCommonsvc.exe	99
PID 2504 wrote to memory of 2776	2504	DllCommonsvc.exe	99
PID 2504 wrote to memory of 2776	2504	DllCommonsvc.exe	99
PID 2504 wrote to memory of 1792	2504	DllCommonsvc.exe	100
PID 2504 wrote to memory of 1792	2504	DllCommonsvc.exe	100
PID 2504 wrote to memory of 1792	2504	DllCommonsvc.exe	100
PID 2504 wrote to memory of 1448	2504	DllCommonsvc.exe	101
PID 2504 wrote to memory of 1448	2504	DllCommonsvc.exe	101
PID 2504 wrote to memory of 1448	2504	DllCommonsvc.exe	101
PID 2504 wrote to memory of 2608	2504	DllCommonsvc.exe	102
PID 2504 wrote to memory of 2608	2504	DllCommonsvc.exe	102
PID 2504 wrote to memory of 2608	2504	DllCommonsvc.exe	102
PID 2504 wrote to memory of 276	2504	DllCommonsvc.exe	103
PID 2504 wrote to memory of 276	2504	DllCommonsvc.exe	103
PID 2504 wrote to memory of 276	2504	DllCommonsvc.exe	103
PID 2504 wrote to memory of 2600	2504	DllCommonsvc.exe	104
PID 2504 wrote to memory of 2600	2504	DllCommonsvc.exe	104
PID 2504 wrote to memory of 2600	2504	DllCommonsvc.exe	104
PID 2504 wrote to memory of 1928	2504	DllCommonsvc.exe	105
PID 2504 wrote to memory of 1928	2504	DllCommonsvc.exe	105
PID 2504 wrote to memory of 1928	2504	DllCommonsvc.exe	105
PID 2504 wrote to memory of 2008	2504	DllCommonsvc.exe	106
PID 2504 wrote to memory of 2008	2504	DllCommonsvc.exe	106
PID 2504 wrote to memory of 2008	2504	DllCommonsvc.exe	106
PID 2504 wrote to memory of 1052	2504	DllCommonsvc.exe	107
PID 2504 wrote to memory of 1052	2504	DllCommonsvc.exe	107
PID 2504 wrote to memory of 1052	2504	DllCommonsvc.exe	107
PID 2504 wrote to memory of 2420	2504	DllCommonsvc.exe	108
PID 2504 wrote to memory of 2420	2504	DllCommonsvc.exe	108
PID 2504 wrote to memory of 2420	2504	DllCommonsvc.exe	108
PID 2504 wrote to memory of 712	2504	DllCommonsvc.exe	109
PID 2504 wrote to memory of 712	2504	DllCommonsvc.exe	109
PID 2504 wrote to memory of 712	2504	DllCommonsvc.exe	109
PID 2504 wrote to memory of 2144	2504	DllCommonsvc.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\664dea6f81b67751afb7262aeb714ced32f49b3037b5b2d4a84e361f2d2906d7.exe
"C:\Users\Admin\AppData\Local\Temp\664dea6f81b67751afb7262aeb714ced32f49b3037b5b2d4a84e361f2d2906d7.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\de-DE\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1416
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Landscape\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:276
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Rules\ja-JP\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u7nY0D41fZ.bat"
        5⤵
        
        PID:2180
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2652
      - C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iRE9Vp3kbL.bat"
        7⤵
        
        PID:2976
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2444
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat"
        9⤵
        
        PID:2672
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2872
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat"
        11⤵
        
        PID:2548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1648
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1120
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat"
        13⤵
        
        PID:1328
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:320
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bYn7JG6kRk.bat"
        15⤵
        
        PID:1600
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2092
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAQQp9H1T4.bat"
        17⤵
        
        PID:2792
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2116
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xEoBbgPmrR.bat"
        19⤵
        
        PID:1740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1492
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j2qd1ZwTnL.bat"
        21⤵
        
        PID:1732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2228
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EYKlAcFNfO.bat"
        23⤵
        
        PID:2016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2008
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pnRbx2xD7z.bat"
        25⤵
        
        PID:1640
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:604
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D5faDLbbQ0.bat"
        27⤵
        
        PID:864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2152
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe"
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Media\Landscape\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Media\Landscape\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\Landscape\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Favorites\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Favorites\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\PLA\Rules\ja-JP\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\PLA\Rules\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\PLA\Rules\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Favorites\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\Favorites\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Favorites\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6bb7f47b5ce72b5791d9d928cb830370

SHA1
33c6d14bda8fc98b03c8411f64167a828a16d28a

SHA256
32821cc6caaccee8060b407cea5521ebde632f623b967ab2e3ce8f331e06dd34

SHA512
5de8e3bb9b07f2f6605cfec3bc1f79c18e3ee8c62af3a82d930b8187592968e18aea22b7f89de19198789c9ecf8fe35646c3c3411900c0cbc51af8adfba3a0b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
145a1c0739dbeae6ed9d727f9b851f27

SHA1
f10c57a0a351ebc94b1915c3b6dfbe3e6add805c

SHA256
90d52145238658b76e3d3127f87d433ce6f177f53ef1d9beaf2d6eeae34b0b13

SHA512
80bb0082a33c261bf00dd50e450b5e4b221246b7bd8df8bd10ab8fc4c5b9b16a4f345108b57f37022fdc3422f9d8db3b4341daa07f98f3b3fde68187d3f5c7dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
81eb1136e7b7ce634a81ea717f7ce80b

SHA1
b14dadae1ec9bb4494fb8668a44b45b296ffc272

SHA256
c23621a1edfa8e9f15ff2200289df3e5051dc633a78d336c96761fb3c89acd0c

SHA512
e121e9ce00243995df58de2a31f415f107c69ad0433bf66f8d9b3becea2274ccfa08cace3df1210d704b790e542d947e1fc9d31942a5d1802203c8e131443f52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
20c86f925857426e7413623f546a3a7e

SHA1
3349b531b6b0a099112e59146f49d9fd07046d58

SHA256
999ebd04d8bd26f9c2108b7b10ab2126fc9aef840930a2b8c6c4f32a5a4bb484

SHA512
1587ba51f84e54470966d1d30f2f4c04272861a02f4f1431befeed823a981a7d05d70892a77fbcd9e79157f7a4bc8ff2a00a55f4be9a858f5671b790801b9595

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4e1420ed0943200123574aa2bca73fa

SHA1
78b833799a54f291a9d8b176e77cf63d9d58a756

SHA256
6db1a5395572971062efc2012b07cc843718a7412fe90f0f2a9831d0e0c9df92

SHA512
5d2717105f5593524bc01155bcdcd4279c2b64679b5bd284f37b2bb1a877810294faf45023ca8d03c806f0658907d88d23a52cb9258f9579445320e482927c91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
88c05ba64fcdd1ff305fa8c2aaf89079

SHA1
718749f7f4aa7b0dbfeb089fa28ba5f8629d245e

SHA256
abb7885a573884d2bfc4deaeaa2d4fda1f1202d27dc0e67720f87d9d70725d72

SHA512
d653d4bdb8fc2939beebbd50d8bb0c191197eb11afac237417253fc4d8418d93b9f19462836689c1eebe92b10e3d06d97b3c83abb97df0cc5753cb9450c929df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
482490a26000caa217d07fc27fdf7cde

SHA1
fb6720146c0da2051f426c625fce67ba4cee69e6

SHA256
3adaf2697f29549939f82520694f6049c818505d3905b1206de28d5a3b539797

SHA512
fae0249ee0c282db4757d8cfcb19ca0c7f38658ddc88ba132f87c2840436ee5eaf631924a4e6bb9b4815b236be09757ab2f9b9e106c422b12a2b42937fb31fca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d73a8a2acc8983742ef549b0c96cc81b

SHA1
10fe9bd72087db72dcd7826498840a0540ec7688

SHA256
5550d806c9833786bb32941598fe778defb329b8a79e60b9f69a66293c939c8d

SHA512
4b3743108c1eb5847a8ba116c9eff402f15c4c19236346a625473cffbe7d14cf137b75c29b5b7ed269d03bc530a4c87b429ed0c9cdb8c94c304b00cf36b7030d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0342090b01fe9ffbde40cf9c46ed4c67

SHA1
edcc0adf8fcb49154b17f3306a258010a8995fbc

SHA256
3ae67d1d836aab46edeb17eb0cf9eae9003e7fad141d3845cda1b104e1ae56b7

SHA512
298349f6b52ed5df5b303365688cea244851327d556c4f314694259852713b4744c8e9f1f3cc21ac9333da3a4a1ad5650304243d6a749ad977456e408dada178

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7652984dd65521c65cfedab51bdb0f9c

SHA1
8cda3036c8adaaa98d62a9564b2cc42807ce04d2

SHA256
991455278edbfb4bdb142fe5e5b2ca4253d9c8c3201e4572debfca10cbef841d

SHA512
18cde397d801e64ddae1b00b436a2d2c2a7424d1df072853e025992b6c4ffb1440d9c37e7ff31279540c06178752ee4c7522c22d8fe0d7d60bcbef25dc8fa736

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2C50.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D5faDLbbQ0.bat

Filesize
240B

MD5
b6aaf27faab793d3bba9ea54a9e8ac50

SHA1
1969121646dd7172ae7c64cddaf78fceeefc4c4d

SHA256
0e76ee2aa5a1b426d24856976ec43ce45859dac345ded918a3973f682bc20f48

SHA512
422ef85e7028f5988ca72477cb488310f8b276b24c7406145cf1b3a0921d855971ce48e947d45f71936fa8fa20cf6f992eb566c3756696301a4be74dead34f2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYKlAcFNfO.bat

Filesize
240B

MD5
9be02660f6774a25ba13798b11c697e6

SHA1
95e3d554eb015aeeca6a88acffb0f2690a547512

SHA256
811661382d0dcd8f69b528971dc20734a988d2c3f8d8aad8158b6b8633a2a113

SHA512
31a769f5e885d61ee12860e2a6237daf9c4ba1d09ab9d609fd2094684639e8769ac433284a1ab34ea5526a2076077f0a4df203bd40d764fdd127d4d0d2841d1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAQQp9H1T4.bat

Filesize
240B

MD5
4852572436ecf82006c6abe3ffced4ba

SHA1
ef3154fad48b8983435c22f4c3d73435ae721998

SHA256
693759e03e961d251ba79f5ba1503b32d87cdff92adee0ba1647e60c0d4ee0b3

SHA512
2db6d618d40efe8a4e92c3a44cbe406b8a4feb41192f0fd67f6dbb8cfea4143545907aee3d59821e48b44d890a493c2f2a3c89bbebb9e6ee2c49aae7b6ccadbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2C72.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bYn7JG6kRk.bat

Filesize
240B

MD5
e3d70d6675abb5c6e6980497489c2639

SHA1
ac3452fa2ae8a655b66ea82a5b0a150cf00b4271

SHA256
dcbe7cab8a035a7727bb9a5f5c3ba1527c81c2938d28d50583cbd7a587a71442

SHA512
104ffb2bc4d638ef73c71385a50ac1f7cfaa7e58a9934bfe371f54faf0aa2a4e3e2fd2093e47d58d6f108117c4b753fbd05a52f99e43b9fd933f15ec4477e497

Download Submit
C:\Users\Admin\AppData\Local\Temp\iRE9Vp3kbL.bat

Filesize
240B

MD5
ce82ee5cfa5f85016046c5abda4650db

SHA1
b0ee885f04c772dd9b485f56970e67a5b99ba4a0

SHA256
61b9f8da2407eb015b080dce75ff20666c503bd62cd9ddc7644e961694e183e2

SHA512
44c22b8af974e4434916c02d7ebe65ae5f8971f0689c154cdaf490318800f54fbd39eff07685ee6dff92ff298325cc94d97ecc2696f9d9af9a80334a2f9a4999

Download Submit
C:\Users\Admin\AppData\Local\Temp\j2qd1ZwTnL.bat

Filesize
240B

MD5
8a2a593d97ea9e9033e835b54b41d774

SHA1
af56558f2a88188d23d1c1b597e165d430db0890

SHA256
8a1e85a167ce882b6750fbfb913469d9815baba054de7ee728fd6392cdb2704e

SHA512
444e4caa4521feb0e9e555c032ace92ced050bb9a675aeff6ee8ccabcc3d938a35024fc4b444636d7127efb0332b3a1341d06013d1f9f49100bb066a23d8bb0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat

Filesize
240B

MD5
2c1a4374ebbf28cc58f4a972bb7a2885

SHA1
c7345473b24feece81959639b9106587ad7b1e04

SHA256
803104216251e711262522db6800332a8404533752517305b0c723a8d58d7310

SHA512
49f74ac85919a6b29393a024e4c906d3ce3738194a7f37a4853f16590fc4b1b186d4612f4bc2c9e89a5f3d796871edeb50fa5e9e2f85015e8952480a52112068

Download Submit
C:\Users\Admin\AppData\Local\Temp\pnRbx2xD7z.bat

Filesize
240B

MD5
72552285db5b6c9528d97d79f02b73af

SHA1
55b2ae0c0cdecb562b8a789ee353192abf3cb15b

SHA256
ecd584f42aacd463c7f1adff910f65078f7664d64b418e68e7564ddb76f003a6

SHA512
99a7a49718ec9384a50a991ad38725519a4cca26a59befc68ff0de90010a1184d0d200d6e034e1f6a29fbc6a0a112a4194e0413fba6df61c172fd259a68e0069

Download Submit
C:\Users\Admin\AppData\Local\Temp\u7nY0D41fZ.bat

Filesize
240B

MD5
cadf821c2fdd3a0cdb66f2834b32011f

SHA1
d94e1770cc8c9f6c7c84f99523669c305ef69634

SHA256
dd1aad67d1843fc37819ec1ab10cc9fe52308a50aafac65665f5b5cf254820d2

SHA512
2e2c66610669c670dd9ceff56e1e762d8d8056bee88f38915f49896476494acda1e98cea65eb6e5869d71bc1c49746926cd485b974c3e922fb5c3036b33523e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat

Filesize
240B

MD5
cab5fd25759df7d45b162d1949ed8323

SHA1
397572036b88bb283c507f3e09fe78c400553de2

SHA256
0ca99676962589cd5b6a6c42f4b10e7dff36197939914886d50363ad28f51b0b

SHA512
f13a4d362c51ea46d9cfab6033d0ad1d2ebfc91710a001d2475d0a33e2e332304c6819913f87443f7dbb98402e89ebfebdf45df93d3422bab3d2b044dd9e469f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat

Filesize
240B

MD5
b389b30c2b33a06fb468e09a868be02a

SHA1
f62ce6828fa66290122c6009c4569da13a87dbcb

SHA256
51b3ece84d21f39855458c78a1789cffbaf838d2c7819be9bd2c55e1e2d75bd6

SHA512
e5bd707d286253799f32d883ed145b382162fb20edd6cbbbcfdcba31bfdaaeef68790dbbe55286535850125fc8fcb55f7d82d3816339732b1331b26caaee33cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\xEoBbgPmrR.bat

Filesize
240B

MD5
33a08d8db5bcc9c90ea607f2715dfe79

SHA1
2f8d2c2c7bd7fc3100981ca3e12321c5bd8f7b95

SHA256
d1d8ed151b0581817fb6095421919c7ddf185ede07bc0a57b045510fca196ae1

SHA512
dfa53979965c178e3780f9fe957bce0c64f154976620b7d94c304167bb6bc2387a024c56c57fef5b7f1081cd43861bc895f78d70e6a127c9ebc0f40a8cc6f7c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5b9293e7ccb5ebc29168b5ba949a4d32

SHA1
73c459ba10645b0f9a7ad36d21e7746dc44d97d2

SHA256
96cd0696286ccafc2e81e15098445bfc8bed424818702177f8117733f21c9e25

SHA512
0297fd4b1fb35a0d1c2918eb279a4b17d797a1c02d554d059cf4349ad14def89f5ae232900c542d2b578c8c19d844e0535d38dcbf58c2af31194431c0b245579

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1120-344-0x00000000001C0000-0x00000000002D0000-memory.dmp

Filesize
1.1MB

Download
memory/1740-164-0x0000000000DF0000-0x0000000000F00000-memory.dmp

Filesize
1.1MB

Download
memory/1792-64-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/1792-66-0x0000000001F60000-0x0000000001F68000-memory.dmp

Filesize
32KB

Download
memory/2292-284-0x00000000008A0000-0x00000000009B0000-memory.dmp

Filesize
1.1MB

Download
memory/2368-465-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2368-464-0x0000000001080000-0x0000000001190000-memory.dmp

Filesize
1.1MB

Download
memory/2452-404-0x0000000000910000-0x0000000000A20000-memory.dmp

Filesize
1.1MB

Download
memory/2504-15-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/2504-16-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download
memory/2504-14-0x00000000005C0000-0x00000000005D2000-memory.dmp

Filesize
72KB

Download
memory/2504-13-0x0000000000340000-0x0000000000450000-memory.dmp

Filesize
1.1MB

Download
memory/2504-17-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/2588-820-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2600-223-0x0000000000140000-0x0000000000250000-memory.dmp

Filesize
1.1MB

Download
memory/2600-224-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download