dcrat | 7ea41388626813cbaffeab0f098c7a9eeb8a295b5b9f7b610bcf3d57ec217c7b

Analysis

max time kernel
144s
max time network
143s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
02-11-2024 11:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ea41388626813cbaffeab0f098c7a9eeb8a295b5b9f7b610bcf3d57ec217c7b.exe
Size

1.3MB
MD5

a22b9dcb54d9f6b45bbac93c2773fc43
SHA1

d95952f664b7667ec368753761b3d835ab67b0cc
SHA256

7ea41388626813cbaffeab0f098c7a9eeb8a295b5b9f7b610bcf3d57ec217c7b
SHA512

71975080a298e5f2bb452c5e83dc2a5375d186d1a0887f2ce6bc80e555a1bf2951d60023a4fada954054317df80b7b164e3cf23e66265068274d320a17be8ac5
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2900	schtasks.exe	35

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/files/0x00060000000186dd-9.dat	dcrat
behavioral1/memory/2824-13-0x00000000009C0000-0x0000000000AD0000-memory.dmp	dcrat
behavioral1/memory/2348-157-0x0000000001180000-0x0000000001290000-memory.dmp	dcrat
behavioral1/memory/692-276-0x0000000001330000-0x0000000001440000-memory.dmp	dcrat
behavioral1/memory/1592-336-0x0000000000110000-0x0000000000220000-memory.dmp	dcrat
behavioral1/memory/1252-397-0x0000000000060000-0x0000000000170000-memory.dmp	dcrat
behavioral1/memory/1828-457-0x0000000001390000-0x00000000014A0000-memory.dmp	dcrat
behavioral1/memory/2768-517-0x00000000003F0000-0x0000000000500000-memory.dmp	dcrat
behavioral1/memory/2084-637-0x0000000000120000-0x0000000000230000-memory.dmp	dcrat
behavioral1/memory/2752-698-0x00000000012F0000-0x0000000001400000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2640	powershell.exe
2276	powershell.exe
2244	powershell.exe
1252	powershell.exe
352	powershell.exe
1476	powershell.exe
2644	powershell.exe
2084	powershell.exe
2652	powershell.exe
2676	powershell.exe
2796	powershell.exe
2896	powershell.exe
1688	powershell.exe
1752	powershell.exe
880	powershell.exe
2856	powershell.exe
2868	powershell.exe
2696	powershell.exe
2968	powershell.exe

Executes dropped EXE 11 IoCs

Processes:

DllCommonsvc.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exe

pid	Process
2824	DllCommonsvc.exe
2348	wininit.exe
2468	wininit.exe
692	wininit.exe
1592	wininit.exe
1252	wininit.exe
1828	wininit.exe
2768	wininit.exe
2828	wininit.exe
2084	wininit.exe
2752	wininit.exe

Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid	Process
1484	cmd.exe
1484	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

Processes:

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
17	raw.githubusercontent.com
20	raw.githubusercontent.com
24	raw.githubusercontent.com
4	raw.githubusercontent.com
31	raw.githubusercontent.com
34	raw.githubusercontent.com
27	raw.githubusercontent.com

Drops file in Program Files directory 9 IoCs

Processes:

DllCommonsvc.exe

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Services\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\WMIADAP.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\a76d7bf15d8370	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Services\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\75a57c1bdf437c	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\DllCommonsvc.exe	DllCommonsvc.exe

Drops file in Windows directory 8 IoCs

Processes:

DllCommonsvc.exe

description	ioc	Process
File created	C:\Windows\ModemLogs\24dbde2999530e	DllCommonsvc.exe
File created	C:\Windows\Setup\State\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Windows\Setup\State\24dbde2999530e	DllCommonsvc.exe
File created	C:\Windows\PolicyDefinitions\de-DE\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\PolicyDefinitions\de-DE\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Windows\PLA\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\PLA\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\ModemLogs\WmiPrvSE.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exe7ea41388626813cbaffeab0f098c7a9eeb8a295b5b9f7b610bcf3d57ec217c7b.exeWScript.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ea41388626813cbaffeab0f098c7a9eeb8a295b5b9f7b610bcf3d57ec217c7b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
1720	schtasks.exe
2420	schtasks.exe
2652	schtasks.exe
2668	schtasks.exe
1716	schtasks.exe
3024	schtasks.exe
2360	schtasks.exe
1528	schtasks.exe
1660	schtasks.exe
2848	schtasks.exe
1508	schtasks.exe
1444	schtasks.exe
1972	schtasks.exe
932	schtasks.exe
1064	schtasks.exe
1952	schtasks.exe
1180	schtasks.exe
1164	schtasks.exe
1544	schtasks.exe
1696	schtasks.exe
760	schtasks.exe
1740	schtasks.exe
2816	schtasks.exe
2956	schtasks.exe
1892	schtasks.exe
1896	schtasks.exe
952	schtasks.exe
544	schtasks.exe
2492	schtasks.exe
2736	schtasks.exe
2800	schtasks.exe
596	schtasks.exe
2664	schtasks.exe
1908	schtasks.exe
2444	schtasks.exe
2192	schtasks.exe
1448	schtasks.exe
1060	schtasks.exe
2612	schtasks.exe
3052	schtasks.exe
2028	schtasks.exe
2976	schtasks.exe
2160	schtasks.exe
2484	schtasks.exe
1096	schtasks.exe
2044	schtasks.exe
2748	schtasks.exe
2684	schtasks.exe
2560	schtasks.exe
2728	schtasks.exe
3032	schtasks.exe
1964	schtasks.exe
2480	schtasks.exe
2328	schtasks.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exewininit.exe

pid	Process
2824	DllCommonsvc.exe
2824	DllCommonsvc.exe
2824	DllCommonsvc.exe
2824	DllCommonsvc.exe
2824	DllCommonsvc.exe
2824	DllCommonsvc.exe
2824	DllCommonsvc.exe
2824	DllCommonsvc.exe
2824	DllCommonsvc.exe
2868	powershell.exe
2644	powershell.exe
1688	powershell.exe
2640	powershell.exe
1752	powershell.exe
2856	powershell.exe
1252	powershell.exe
2276	powershell.exe
2696	powershell.exe
2084	powershell.exe
2968	powershell.exe
2652	powershell.exe
2896	powershell.exe
1476	powershell.exe
352	powershell.exe
2244	powershell.exe
880	powershell.exe
2796	powershell.exe
2676	powershell.exe
2348	wininit.exe
2468	wininit.exe
692	wininit.exe
1592	wininit.exe
1252	wininit.exe
1828	wininit.exe
2768	wininit.exe
2828	wininit.exe
2084	wininit.exe
2752	wininit.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	2824	DllCommonsvc.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	352	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	880	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2348	wininit.exe
Token: SeDebugPrivilege	2468	wininit.exe
Token: SeDebugPrivilege	692	wininit.exe
Token: SeDebugPrivilege	1592	wininit.exe
Token: SeDebugPrivilege	1252	wininit.exe
Token: SeDebugPrivilege	1828	wininit.exe
Token: SeDebugPrivilege	2768	wininit.exe
Token: SeDebugPrivilege	2828	wininit.exe
Token: SeDebugPrivilege	2084	wininit.exe
Token: SeDebugPrivilege	2752	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7ea41388626813cbaffeab0f098c7a9eeb8a295b5b9f7b610bcf3d57ec217c7b.exeWScript.execmd.exeDllCommonsvc.exe

description	pid	Process	procid_target
PID 1644 wrote to memory of 2084	1644	7ea41388626813cbaffeab0f098c7a9eeb8a295b5b9f7b610bcf3d57ec217c7b.exe	31
PID 1644 wrote to memory of 2084	1644	7ea41388626813cbaffeab0f098c7a9eeb8a295b5b9f7b610bcf3d57ec217c7b.exe	31
PID 1644 wrote to memory of 2084	1644	7ea41388626813cbaffeab0f098c7a9eeb8a295b5b9f7b610bcf3d57ec217c7b.exe	31
PID 1644 wrote to memory of 2084	1644	7ea41388626813cbaffeab0f098c7a9eeb8a295b5b9f7b610bcf3d57ec217c7b.exe	31
PID 2084 wrote to memory of 1484	2084	WScript.exe	32
PID 2084 wrote to memory of 1484	2084	WScript.exe	32
PID 2084 wrote to memory of 1484	2084	WScript.exe	32
PID 2084 wrote to memory of 1484	2084	WScript.exe	32
PID 1484 wrote to memory of 2824	1484	cmd.exe	34
PID 1484 wrote to memory of 2824	1484	cmd.exe	34
PID 1484 wrote to memory of 2824	1484	cmd.exe	34
PID 1484 wrote to memory of 2824	1484	cmd.exe	34
PID 2824 wrote to memory of 2244	2824	DllCommonsvc.exe	90
PID 2824 wrote to memory of 2244	2824	DllCommonsvc.exe	90
PID 2824 wrote to memory of 2244	2824	DllCommonsvc.exe	90
PID 2824 wrote to memory of 2084	2824	DllCommonsvc.exe	91
PID 2824 wrote to memory of 2084	2824	DllCommonsvc.exe	91
PID 2824 wrote to memory of 2084	2824	DllCommonsvc.exe	91
PID 2824 wrote to memory of 880	2824	DllCommonsvc.exe	92
PID 2824 wrote to memory of 880	2824	DllCommonsvc.exe	92
PID 2824 wrote to memory of 880	2824	DllCommonsvc.exe	92
PID 2824 wrote to memory of 2856	2824	DllCommonsvc.exe	94
PID 2824 wrote to memory of 2856	2824	DllCommonsvc.exe	94
PID 2824 wrote to memory of 2856	2824	DllCommonsvc.exe	94
PID 2824 wrote to memory of 2896	2824	DllCommonsvc.exe	96
PID 2824 wrote to memory of 2896	2824	DllCommonsvc.exe	96
PID 2824 wrote to memory of 2896	2824	DllCommonsvc.exe	96
PID 2824 wrote to memory of 2276	2824	DllCommonsvc.exe	97
PID 2824 wrote to memory of 2276	2824	DllCommonsvc.exe	97
PID 2824 wrote to memory of 2276	2824	DllCommonsvc.exe	97
PID 2824 wrote to memory of 2868	2824	DllCommonsvc.exe	98
PID 2824 wrote to memory of 2868	2824	DllCommonsvc.exe	98
PID 2824 wrote to memory of 2868	2824	DllCommonsvc.exe	98
PID 2824 wrote to memory of 1752	2824	DllCommonsvc.exe	99
PID 2824 wrote to memory of 1752	2824	DllCommonsvc.exe	99
PID 2824 wrote to memory of 1752	2824	DllCommonsvc.exe	99
PID 2824 wrote to memory of 2796	2824	DllCommonsvc.exe	100
PID 2824 wrote to memory of 2796	2824	DllCommonsvc.exe	100
PID 2824 wrote to memory of 2796	2824	DllCommonsvc.exe	100
PID 2824 wrote to memory of 2640	2824	DllCommonsvc.exe	101
PID 2824 wrote to memory of 2640	2824	DllCommonsvc.exe	101
PID 2824 wrote to memory of 2640	2824	DllCommonsvc.exe	101
PID 2824 wrote to memory of 2644	2824	DllCommonsvc.exe	102
PID 2824 wrote to memory of 2644	2824	DllCommonsvc.exe	102
PID 2824 wrote to memory of 2644	2824	DllCommonsvc.exe	102
PID 2824 wrote to memory of 1252	2824	DllCommonsvc.exe	103
PID 2824 wrote to memory of 1252	2824	DllCommonsvc.exe	103
PID 2824 wrote to memory of 1252	2824	DllCommonsvc.exe	103
PID 2824 wrote to memory of 352	2824	DllCommonsvc.exe	106
PID 2824 wrote to memory of 352	2824	DllCommonsvc.exe	106
PID 2824 wrote to memory of 352	2824	DllCommonsvc.exe	106
PID 2824 wrote to memory of 1476	2824	DllCommonsvc.exe	109
PID 2824 wrote to memory of 1476	2824	DllCommonsvc.exe	109
PID 2824 wrote to memory of 1476	2824	DllCommonsvc.exe	109
PID 2824 wrote to memory of 1688	2824	DllCommonsvc.exe	111
PID 2824 wrote to memory of 1688	2824	DllCommonsvc.exe	111
PID 2824 wrote to memory of 1688	2824	DllCommonsvc.exe	111
PID 2824 wrote to memory of 2676	2824	DllCommonsvc.exe	112
PID 2824 wrote to memory of 2676	2824	DllCommonsvc.exe	112
PID 2824 wrote to memory of 2676	2824	DllCommonsvc.exe	112
PID 2824 wrote to memory of 2652	2824	DllCommonsvc.exe	113
PID 2824 wrote to memory of 2652	2824	DllCommonsvc.exe	113
PID 2824 wrote to memory of 2652	2824	DllCommonsvc.exe	113
PID 2824 wrote to memory of 2968	2824	DllCommonsvc.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7ea41388626813cbaffeab0f098c7a9eeb8a295b5b9f7b610bcf3d57ec217c7b.exe
"C:\Users\Admin\AppData\Local\Temp\7ea41388626813cbaffeab0f098c7a9eeb8a295b5b9f7b610bcf3d57ec217c7b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Services\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1252
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\de-DE\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hUI1pgqMqo.bat"
        5⤵
        
        PID:3020
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1720
      - C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dhQfvaPZ4N.bat"
        7⤵
        
        PID:1620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:3044
        
        C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GN7B3lpeta.bat"
        9⤵
        
        PID:2040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2464
        
        C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xm2kK1SIVO.bat"
        11⤵
        
        PID:2712
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2184
        
        C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat"
        13⤵
        
        PID:2860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1100
        
        C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat"
        15⤵
        
        PID:588
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1812
        
        C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\moqrXfpsIj.bat"
        17⤵
        
        PID:2688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2852
        
        C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhzsSyDvNE.bat"
        19⤵
        
        PID:3032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1732
        
        C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l4DYpxlgJN.bat"
        21⤵
        
        PID:1236
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2536
        
        C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat"
        23⤵
        
        PID:900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1948
        
        C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Services\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\Services\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\PLA\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\PLA\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\PLA\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\ModemLogs\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\ModemLogs\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Windows\ModemLogs\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Windows\Setup\State\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Setup\State\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\Setup\State\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\PolicyDefinitions\de-DE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\PolicyDefinitions\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
056f5d9cd844174760a6c16aa412f7f0

SHA1
0d558bc0686e1ce1742139d11551ae809365b2ff

SHA256
9ffee30d3b98adbef56f049157ae0c5744b61ab119c118fae953f14ad43d6bf8

SHA512
f28659e1a86625b0f690bf3a82575735f0774fb7ce7d72f54602c04425ac579ff9a76d74897479803b0cdb1594af39682dcebb99cef4e19f538ed2745ef56571

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a70333f6905074ebeb48d2993bc91391

SHA1
4e93a606cc79c1b1f20c5f5b813de1f66b58774a

SHA256
12b13a89ef46cac437fcb327866923882bb4246140f7d99aa9f8f6267390bce5

SHA512
2380ef2a43790a7c265239e50eb6a3e6ecf65b544f5b500b67cbe7182f279a0309f98c883f75ccea7f95383409f990497187d4215d3c727cdcae2afe70d685c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
663a0768bc6a62b0ab3c1eacc4c6cc8e

SHA1
0a6b03013cf5e2237e1099d2372680013c3aba84

SHA256
04fdffaabe534b332db8d74a790dce56829623a036d8cf0c3efa2b5b5277dcf3

SHA512
4ec952f9e307d3af6dc3eee61e7ebdd3ffc605477d95a0728a0861a00a5925fd5f10d6448393f0658e7c34667a35016ceb571c8acc208cf67b32f40e8953f384

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb02ac7066d74fb019ec916194eb3a73

SHA1
0c0b874efc92b8eaf863964bcec49fafe9bfff01

SHA256
7c7c0e4a6f93e26291344bd46ed2ed837d35304ba9935f668a3b87124c28471f

SHA512
5379b1673d03e476ae1394e6ff9665eda2ec760d7c218c894567bc01c1d51fb6a7343296eac54bb4f6cffa47c07394f4555db0191c9cf0449df7f907b2bf32bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1cd3a6a74f431937eeeba2205b2ba655

SHA1
595a69dc2689126942d03218a693e7f49b998713

SHA256
b2654ef619e77acad434ef2cebe16b0f68e4a98c9584feab05f31543bc7d66de

SHA512
bbc2eae10aaed1c5a5a640d200baee9b5179a423039bcc6b16eb44045ad0722540e41585694ccabce360a69bc58562df342f334a48198a4750fbf424517a6d5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea2ca5496f96d3ceb64d7eccaa397936

SHA1
95872a38f7d61c99138c2603409bf6767b5c5f2f

SHA256
a82746076a3f1f04a118caa10f3ee909827fd52ff218bba7b50cb97809fc19db

SHA512
ebc68b0dbcfed0e4513aa437ca1a28edc001b86b15f8d5f3d17db93233f9961d666ad48d6c6eccd3a3569fbb4355445d581a2e681551d261cac63f31c55c2122

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
89db09999c5b5c11bb501e11e6c41d2f

SHA1
69dc05047cd1c002c1b5bb4cd0211d7aac2d90c1

SHA256
67f8922c0944e364217667ac17f841cdbe6ac66de3379b048a08ca708227cd88

SHA512
de3496811b389372a554af6a8bc760ea8cd5f706b78592e05de2ba0afb58ad4adb36cca4842d671e4176a16321c4b6d7254c979696cf12d03fe0d50507b87801

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a6e0a2835efbf1aaa1b31bce06c7c35

SHA1
ab2b5a40bd8b562058e507bd115655a24fd13519

SHA256
e3293f51ca11bbb129cb474650f15ccafdf2f9933c888a74032ab804a23d747f

SHA512
f4c59a97e19d8500b6b70084ec33fd21abf2ed53dc259c0a54a0944154452c12df5cfa98b5dab95e8c75813b866d3843d57c479184096f151fa3817837ca18df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab31CC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat

Filesize
194B

MD5
98938b46b828e3c821e96bad8d2f6b41

SHA1
a8993fc7cc56fad5128757b0816bc6cb7252a4cd

SHA256
1094c74ebddd50cd2982dadeb5ae141db1b90b0c26539a46f0c907224d12f0c2

SHA512
958d8aaf88edd10e6d0b3e5ffca1995476ecfc551388206a719b3c1e426aa7435abd7da479686a9eb030173e43f25ed68a16a41ff0ece17be4959e7bbb46caf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\GN7B3lpeta.bat

Filesize
194B

MD5
3b560b275f68a013d498b5c574073966

SHA1
76e9956fbc2080895ada9c4ceaec6f6ea4fbfe41

SHA256
5db34238e0c1f9e6ffc8d9a918d0f4ff940451e799e437acaf37c57d318d74b3

SHA512
bfcf63f5ffb6c7e1cfc00f9e134067d4073a3ddc0cf9e4c54b2f77a71aa3947896e69d6fc13ae1d4c9e6d3accaf82c32880b5a8372b64a09829b8e9493def52a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar31DF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat

Filesize
194B

MD5
ca57c22d44629b085511ad4824aab2cb

SHA1
ce815b7327cf4896ca1b546def00e00eb25481be

SHA256
49549fef811d2324da12e6fe1d8dbbe92c791debc3b643d3088ac332b62e0d1c

SHA512
10115e2c143d735f0b0c7ec88532c0803c0481d043fc0ddfd0b0f54c3311d17874616749428a9c59e0242b08dfeecbf666278463110027cff2180c27260a2111

Download Submit
C:\Users\Admin\AppData\Local\Temp\dhQfvaPZ4N.bat

Filesize
194B

MD5
546610121f394654e6287a53ccb631a4

SHA1
432c173c364d98966bc13bccfdb8db66de4ec0b6

SHA256
7e8e59e3c7d44b88c143b7939ae439e0008cad3102cc54e99092a43eb18a886c

SHA512
c5ba9bb827fc27b226b126aab6c844a19e331fa3b19007c8403335d978b4dc6a89182becdfa491d52431412630d4088c9688d38cbf59bf872b3ac4b560337416

Download Submit
C:\Users\Admin\AppData\Local\Temp\hUI1pgqMqo.bat

Filesize
194B

MD5
95da113fe37a7bc3e5c5ef9b591e8616

SHA1
a9524814e0e244a541a9115d9775e4a88077e489

SHA256
aabecaafe4100c025ea6e6344a63a087eb0a401e9b661f19f64697f2e080f904

SHA512
ab47eaf49f6a5f24b40c75640e631d33a051b7c977bab4c2402589d494881b8a4e048daaf9429c357ef980d8feb73e7838a25c59f42c08fced21af5d8eafcaef

Download Submit
C:\Users\Admin\AppData\Local\Temp\l4DYpxlgJN.bat

Filesize
194B

MD5
bd6bf006f564290e110d08789d0b3b66

SHA1
1b00fcc0d229ec7b9338975e5b3a8c4d43cab3ab

SHA256
8cdb64f03e2cb9c157d089b40f6f09840b83e9695d848301fb8700530ce4188a

SHA512
2e4b759b0bbdad0f208a98bff6dc165d8d3661ba91ea3df7ced86875e206cbfaa5e9d9233cec4bb2ecfece96905b7e09ff21d1bee7753ac0c2c9950b4827cac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\moqrXfpsIj.bat

Filesize
194B

MD5
425515e3ea9b00c1a4e019cb437b61db

SHA1
b512caf215b81063c10d58bb9929a6d87538e7db

SHA256
2cadf2076bbeeb3922ee81a2aa36a1d61815a462bdae1fd8f67bc2d55b2f21c9

SHA512
d787d0dd90c1009c19fad8b46be374497592f9161e68c4ef38b6fa6a1aaa424d748a0c6f84526e418b2196e2c786ca763aaa1a0e226bfeca5b166bff7c18327a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhzsSyDvNE.bat

Filesize
194B

MD5
237b1d76d663a441626b6ebea33157d9

SHA1
61aff9ce5ad8191c7bd157dd45be7bf1454ce92b

SHA256
a601ad9554e5cfb72b6c3cd8e9784b0ab13d7339296b2f139a2234ba7cdafcba

SHA512
43a03d3b5fc2956f7f97105570068b670eb5f7908d291a0ad83d59440f3aaf924304b2c353e5b5ac2e503bc8fafbecee2c6a468da89c0061b73d37d8c6add23d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat

Filesize
194B

MD5
503fa6636cb2b231a2dacc05ba25210a

SHA1
6d4bcb4cd12d34b0b7b0e1136f5c6bdaece7f4ca

SHA256
39331b4533a3d7c2cc943921df643985076e9aed600c90caf6bb675c0fa1a5c2

SHA512
0076c27b480cae6dacfa4cb24ca9f89fbc175f49abff9a20684716ac83350db1b69247a0a10d77801ae25fd11ac2fe670263a6d52dd4afe245b12a40a8a59f36

Download Submit
C:\Users\Admin\AppData\Local\Temp\xm2kK1SIVO.bat

Filesize
194B

MD5
e045cfbff7f79c5b33c1a631cb8cbf73

SHA1
4ab242eebbe768250aadb39e705915aba058d3bd

SHA256
d615cbd5d11d5561fa3905dd9091497b5c0f3e2f891f96bd5b5bbf9bbb641970

SHA512
b9ca48b01acd3ee23e19dc33c2723b1e00e7718317e71ad8c9c8c9223309418fdb0475d78fbb6db15eb24449a1868e3cf8e7bafda31519f99b9a15c329d3fc99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ce6a2e0043cf66b37ef7fab3bae5f4c4

SHA1
3820b092bf0bf2c131ddde4785ea67b0320dce05

SHA256
88b279f47df05b241c3d6af6815b1879f694270088d6d5fd9e4e10a63302d4b8

SHA512
6177299e15e99357bde57e30503b065e192f767e2f8c43a0110d7e97a3eaf0ccc57f08de77198afed1436db78121df2dbe8a4010b7e28c2ed60cdd31ff75ee60

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/692-276-0x0000000001330000-0x0000000001440000-memory.dmp

Filesize
1.1MB

Download
memory/1252-397-0x0000000000060000-0x0000000000170000-memory.dmp

Filesize
1.1MB

Download
memory/1592-336-0x0000000000110000-0x0000000000220000-memory.dmp

Filesize
1.1MB

Download
memory/1592-337-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/1828-457-0x0000000001390000-0x00000000014A0000-memory.dmp

Filesize
1.1MB

Download
memory/2084-638-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2084-637-0x0000000000120000-0x0000000000230000-memory.dmp

Filesize
1.1MB

Download
memory/2348-157-0x0000000001180000-0x0000000001290000-memory.dmp

Filesize
1.1MB

Download
memory/2348-158-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2640-117-0x000000001B860000-0x000000001BB42000-memory.dmp

Filesize
2.9MB

Download
memory/2752-698-0x00000000012F0000-0x0000000001400000-memory.dmp

Filesize
1.1MB

Download
memory/2768-517-0x00000000003F0000-0x0000000000500000-memory.dmp

Filesize
1.1MB

Download
memory/2768-518-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2824-13-0x00000000009C0000-0x0000000000AD0000-memory.dmp

Filesize
1.1MB

Download
memory/2824-17-0x0000000000960000-0x000000000096C000-memory.dmp

Filesize
48KB

Download
memory/2824-14-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/2824-15-0x00000000005A0000-0x00000000005AC000-memory.dmp

Filesize
48KB

Download
memory/2824-16-0x0000000000950000-0x000000000095C000-memory.dmp

Filesize
48KB

Download
memory/2868-118-0x00000000021E0000-0x00000000021E8000-memory.dmp

Filesize
32KB

Download