dcrat | d1fb78c4ef45c686ea6b8b6c44fe19f2d2d155e04f8d1305e34e21e0d4300c61

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1fb78c4ef45c686ea6b8b6c44fe19f2d2d155e04f8d1305e34e21e0d4300c61.exe
Size

1.3MB
MD5

07390b562b02da9bea3786db7d59dbd3
SHA1

5f3c11b3450c0c957e90cd9d0103dfd97e090e46
SHA256

d1fb78c4ef45c686ea6b8b6c44fe19f2d2d155e04f8d1305e34e21e0d4300c61
SHA512

b9f830791aef1fb5f6d1a3b1277613cc44069f12c3564c77f5f2cae0b348a77b39dcedcb223636aa3aff998ca5f4a688d10e5c92a13135b15a5024aca477fc3a
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 60 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	268	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2748	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	2748	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00060000000186bf-12.dat	dcrat
behavioral1/memory/2936-13-0x0000000001060000-0x0000000001170000-memory.dmp	dcrat
behavioral1/memory/2536-172-0x0000000001120000-0x0000000001230000-memory.dmp	dcrat
behavioral1/memory/564-290-0x00000000003E0000-0x00000000004F0000-memory.dmp	dcrat
behavioral1/memory/2472-350-0x0000000000970000-0x0000000000A80000-memory.dmp	dcrat
behavioral1/memory/2976-470-0x0000000000A40000-0x0000000000B50000-memory.dmp	dcrat
behavioral1/memory/2460-530-0x00000000003C0000-0x00000000004D0000-memory.dmp	dcrat
behavioral1/memory/2204-590-0x0000000000EF0000-0x0000000001000000-memory.dmp	dcrat
behavioral1/memory/828-710-0x0000000001260000-0x0000000001370000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2652	powershell.exe
1608	powershell.exe
2124	powershell.exe
2212	powershell.exe
2936	powershell.exe
2076	powershell.exe
1260	powershell.exe
3028	powershell.exe
2432	powershell.exe
2040	powershell.exe
2264	powershell.exe
2580	powershell.exe
1812	powershell.exe
2428	powershell.exe
1760	powershell.exe
2076	powershell.exe
2580	powershell.exe
1796	powershell.exe
2220	powershell.exe
2252	powershell.exe
1464	powershell.exe
1036	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2936	DllCommonsvc.exe
2348	DllCommonsvc.exe
2536	smss.exe
1664	smss.exe
564	smss.exe
2472	smss.exe
2124	smss.exe
2976	smss.exe
2460	smss.exe
2204	smss.exe
692	smss.exe
828	smss.exe

Loads dropped DLL 2 IoCs

pid	Process
2836	cmd.exe
2836	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Speech\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\SysWOW64\Speech\886983d96e3d3e	DllCommonsvc.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\Accessories\it-IT\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\it-IT\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\powershell.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\e978f868350d50	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\cc11b995f2a76d	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Cursors\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\Cursors\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\Registration\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\Registration\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\Offline Web Pages\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Windows\Offline Web Pages\a76d7bf15d8370	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1fb78c4ef45c686ea6b8b6c44fe19f2d2d155e04f8d1305e34e21e0d4300c61.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 60 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2056	schtasks.exe
2244	schtasks.exe
2504	schtasks.exe
2152	schtasks.exe
2552	schtasks.exe
2000	schtasks.exe
1992	schtasks.exe
2176	schtasks.exe
2208	schtasks.exe
888	schtasks.exe
2256	schtasks.exe
2204	schtasks.exe
328	schtasks.exe
1536	schtasks.exe
1324	schtasks.exe
1456	schtasks.exe
1592	schtasks.exe
2932	schtasks.exe
2840	schtasks.exe
268	schtasks.exe
1832	schtasks.exe
1688	schtasks.exe
1132	schtasks.exe
2548	schtasks.exe
1632	schtasks.exe
924	schtasks.exe
764	schtasks.exe
2852	schtasks.exe
2644	schtasks.exe
1612	schtasks.exe
796	schtasks.exe
688	schtasks.exe
840	schtasks.exe
3044	schtasks.exe
2244	schtasks.exe
2056	schtasks.exe
760	schtasks.exe
2992	schtasks.exe
2560	schtasks.exe
2872	schtasks.exe
880	schtasks.exe
1808	schtasks.exe
1200	schtasks.exe
1156	schtasks.exe
2528	schtasks.exe
2044	schtasks.exe
2916	schtasks.exe
1988	schtasks.exe
1564	schtasks.exe
2820	schtasks.exe
2788	schtasks.exe
1604	schtasks.exe
2896	schtasks.exe
528	schtasks.exe
2684	schtasks.exe
2080	schtasks.exe
1124	schtasks.exe
1584	schtasks.exe
1520	schtasks.exe
2408	schtasks.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
2936	DllCommonsvc.exe
2936	DllCommonsvc.exe
2936	DllCommonsvc.exe
2264	powershell.exe
2580	powershell.exe
2076	powershell.exe
2348	DllCommonsvc.exe
2348	DllCommonsvc.exe
2348	DllCommonsvc.exe
2348	DllCommonsvc.exe
2348	DllCommonsvc.exe
2348	DllCommonsvc.exe
2348	DllCommonsvc.exe
2348	DllCommonsvc.exe
2348	DllCommonsvc.exe
2348	DllCommonsvc.exe
2348	DllCommonsvc.exe
2348	DllCommonsvc.exe
2348	DllCommonsvc.exe
2348	DllCommonsvc.exe
2348	DllCommonsvc.exe
2348	DllCommonsvc.exe
2348	DllCommonsvc.exe
1464	powershell.exe
3028	powershell.exe
1796	powershell.exe
1760	powershell.exe
1260	powershell.exe
2124	powershell.exe
2936	powershell.exe
2212	powershell.exe
2580	powershell.exe
2040	powershell.exe
2220	powershell.exe
2428	powershell.exe
2252	powershell.exe
2432	powershell.exe
1812	powershell.exe
1036	powershell.exe
2652	powershell.exe
2076	powershell.exe
1608	powershell.exe
2536	smss.exe
1664	smss.exe
564	smss.exe
2472	smss.exe
2124	smss.exe
2976	smss.exe
2460	smss.exe
2204	smss.exe
692	smss.exe
828	smss.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	DllCommonsvc.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2348	DllCommonsvc.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	1260	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	2536	smss.exe
Token: SeDebugPrivilege	1664	smss.exe
Token: SeDebugPrivilege	564	smss.exe
Token: SeDebugPrivilege	2472	smss.exe
Token: SeDebugPrivilege	2124	smss.exe
Token: SeDebugPrivilege	2976	smss.exe
Token: SeDebugPrivilege	2460	smss.exe
Token: SeDebugPrivilege	2204	smss.exe
Token: SeDebugPrivilege	692	smss.exe
Token: SeDebugPrivilege	828	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 2892	1824	d1fb78c4ef45c686ea6b8b6c44fe19f2d2d155e04f8d1305e34e21e0d4300c61.exe	30
PID 1824 wrote to memory of 2892	1824	d1fb78c4ef45c686ea6b8b6c44fe19f2d2d155e04f8d1305e34e21e0d4300c61.exe	30
PID 1824 wrote to memory of 2892	1824	d1fb78c4ef45c686ea6b8b6c44fe19f2d2d155e04f8d1305e34e21e0d4300c61.exe	30
PID 1824 wrote to memory of 2892	1824	d1fb78c4ef45c686ea6b8b6c44fe19f2d2d155e04f8d1305e34e21e0d4300c61.exe	30
PID 2892 wrote to memory of 2836	2892	WScript.exe	31
PID 2892 wrote to memory of 2836	2892	WScript.exe	31
PID 2892 wrote to memory of 2836	2892	WScript.exe	31
PID 2892 wrote to memory of 2836	2892	WScript.exe	31
PID 2836 wrote to memory of 2936	2836	cmd.exe	33
PID 2836 wrote to memory of 2936	2836	cmd.exe	33
PID 2836 wrote to memory of 2936	2836	cmd.exe	33
PID 2836 wrote to memory of 2936	2836	cmd.exe	33
PID 2936 wrote to memory of 2264	2936	DllCommonsvc.exe	41
PID 2936 wrote to memory of 2264	2936	DllCommonsvc.exe	41
PID 2936 wrote to memory of 2264	2936	DllCommonsvc.exe	41
PID 2936 wrote to memory of 2076	2936	DllCommonsvc.exe	42
PID 2936 wrote to memory of 2076	2936	DllCommonsvc.exe	42
PID 2936 wrote to memory of 2076	2936	DllCommonsvc.exe	42
PID 2936 wrote to memory of 2580	2936	DllCommonsvc.exe	43
PID 2936 wrote to memory of 2580	2936	DllCommonsvc.exe	43
PID 2936 wrote to memory of 2580	2936	DllCommonsvc.exe	43
PID 2936 wrote to memory of 2348	2936	DllCommonsvc.exe	47
PID 2936 wrote to memory of 2348	2936	DllCommonsvc.exe	47
PID 2936 wrote to memory of 2348	2936	DllCommonsvc.exe	47
PID 2348 wrote to memory of 2040	2348	DllCommonsvc.exe	102
PID 2348 wrote to memory of 2040	2348	DllCommonsvc.exe	102
PID 2348 wrote to memory of 2040	2348	DllCommonsvc.exe	102
PID 2348 wrote to memory of 1812	2348	DllCommonsvc.exe	103
PID 2348 wrote to memory of 1812	2348	DllCommonsvc.exe	103
PID 2348 wrote to memory of 1812	2348	DllCommonsvc.exe	103
PID 2348 wrote to memory of 2936	2348	DllCommonsvc.exe	104
PID 2348 wrote to memory of 2936	2348	DllCommonsvc.exe	104
PID 2348 wrote to memory of 2936	2348	DllCommonsvc.exe	104
PID 2348 wrote to memory of 1464	2348	DllCommonsvc.exe	105
PID 2348 wrote to memory of 1464	2348	DllCommonsvc.exe	105
PID 2348 wrote to memory of 1464	2348	DllCommonsvc.exe	105
PID 2348 wrote to memory of 1260	2348	DllCommonsvc.exe	106
PID 2348 wrote to memory of 1260	2348	DllCommonsvc.exe	106
PID 2348 wrote to memory of 1260	2348	DllCommonsvc.exe	106
PID 2348 wrote to memory of 3028	2348	DllCommonsvc.exe	107
PID 2348 wrote to memory of 3028	2348	DllCommonsvc.exe	107
PID 2348 wrote to memory of 3028	2348	DllCommonsvc.exe	107
PID 2348 wrote to memory of 1036	2348	DllCommonsvc.exe	108
PID 2348 wrote to memory of 1036	2348	DllCommonsvc.exe	108
PID 2348 wrote to memory of 1036	2348	DllCommonsvc.exe	108
PID 2348 wrote to memory of 1796	2348	DllCommonsvc.exe	109
PID 2348 wrote to memory of 1796	2348	DllCommonsvc.exe	109
PID 2348 wrote to memory of 1796	2348	DllCommonsvc.exe	109
PID 2348 wrote to memory of 2076	2348	DllCommonsvc.exe	110
PID 2348 wrote to memory of 2076	2348	DllCommonsvc.exe	110
PID 2348 wrote to memory of 2076	2348	DllCommonsvc.exe	110
PID 2348 wrote to memory of 2580	2348	DllCommonsvc.exe	111
PID 2348 wrote to memory of 2580	2348	DllCommonsvc.exe	111
PID 2348 wrote to memory of 2580	2348	DllCommonsvc.exe	111
PID 2348 wrote to memory of 2652	2348	DllCommonsvc.exe	115
PID 2348 wrote to memory of 2652	2348	DllCommonsvc.exe	115
PID 2348 wrote to memory of 2652	2348	DllCommonsvc.exe	115
PID 2348 wrote to memory of 2212	2348	DllCommonsvc.exe	117
PID 2348 wrote to memory of 2212	2348	DllCommonsvc.exe	117
PID 2348 wrote to memory of 2212	2348	DllCommonsvc.exe	117
PID 2348 wrote to memory of 1608	2348	DllCommonsvc.exe	118
PID 2348 wrote to memory of 1608	2348	DllCommonsvc.exe	118
PID 2348 wrote to memory of 1608	2348	DllCommonsvc.exe	118
PID 2348 wrote to memory of 1760	2348	DllCommonsvc.exe	120

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d1fb78c4ef45c686ea6b8b6c44fe19f2d2d155e04f8d1305e34e21e0d4300c61.exe
"C:\Users\Admin\AppData\Local\Temp\d1fb78c4ef45c686ea6b8b6c44fe19f2d2d155e04f8d1305e34e21e0d4300c61.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
    - - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2348
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\Idle.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1260
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\DllCommonsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\Speech\csrss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\include\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Favorites\dllhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\defaults\pref\csrss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\DllCommonsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\it-IT\audiodg.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IlZTI8QyFg.bat"
        6⤵
        
        PID:836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2192
        
        C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat"
        8⤵
        
        PID:1720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:904
        
        C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z4XVup0LT1.bat"
        10⤵
        
        PID:2516
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2816
        
        C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6Zqs8041Oe.bat"
        12⤵
        
        PID:2836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:3016
        
        C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xghrCifyI9.bat"
        14⤵
        
        PID:2736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:768
        
        C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T3kbcxG26A.bat"
        16⤵
        
        PID:2328
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1508
        
        C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zHC6P4FzNT.bat"
        18⤵
        
        PID:2800
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2960
        
        C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1bQudXBuXp.bat"
        20⤵
        
        PID:836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2536
        
        C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6LEBq1ChC.bat"
        22⤵
        
        PID:2632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2964
        
        C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K00M4WFsUw.bat"
        24⤵
        
        PID:880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2260
        
        C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\SysWOW64\Speech\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\SysWOW64\Speech\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\SysWOW64\Speech\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\Cursors\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Cursors\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\Cursors\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk1.7.0_80\include\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\include\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk1.7.0_80\include\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Favorites\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Favorites\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Favorites\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\Registration\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Registration\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\Registration\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Windows\Offline Web Pages\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Windows\Offline Web Pages\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\it-IT\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\it-IT\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\it-IT\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0948c1e006b9fb726f960d977b3b50fa

SHA1
6716ae872c9ab37c8ffdac98980204569363d7b7

SHA256
7915594a8c4cab26b020354a23fa57d47c3716591c45d66bfbec504dd81cd1b4

SHA512
7298dcaf800a6f0e3b7d7ec2cb26ba742657c40533f7cfe232efb6d3d6f626000516aaa70f822a4f9028481e0d322fbfdf26d054d0214e550f79633b512a3ecf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c9308ef4b5c9176b63b10a585485a89

SHA1
1ce3b333d18df4b3cf8315dc3a7e1a1490f7c82f

SHA256
5344f7831498c4b1f5c5b685bac7d0d938ff6f53026c2f8362a453f2e57eaef0

SHA512
6564622d7446044e3bcd61ecede69ea8aa3dc769a05870eda605f0482f7a65ca39735f85aaf16508eb87e5ed00015f13a894f06b20bd5b71a2465eb4c750de9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9a4b72081bf6b215250d1f0a08a8544

SHA1
9402eb5df0bef1aac9aedb27be93f68076d35278

SHA256
76d56ad764280d6190b9b25a6a0cb39aa52e04fc64bc90e76d5d06e85c268a3a

SHA512
c6a88092c63937269d110337671bd27b7def7c58f2a1040fdcef0941228cc9faa32a4320ee0996636fe95807ef054e7366cf1e9899ef42851c71e113b873a5c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce644d96c6e46be97e72077a00521b42

SHA1
dc290299b4bf06f3e933a95c1ec15c1e89a78616

SHA256
9b62f7be7f058f6f687494d7572e1f00dcb598587a3a9a6437689051f3f60598

SHA512
1ad940bae889f1905219704bcb85ea2933af6c8967eeb032ef493bd745cee37eb4e78404c29319acf385217aab91b7207825b7c69f08d35a98e7a88dacc77e3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c5806d59cd6204e274a20f1a6f596a1c

SHA1
22016ce80b1d9462f492de1c15443d24d27a8d25

SHA256
7b94aeb6d42174aa6fb7e3060aec35f307c6e755c93421ad5d3c1afc47a2a9ee

SHA512
400936619cef30fb8274a457c4b6d68e6e7688c23edf271d194a54997b70ea8316479db2e631efc1e7cf457f7b9d5d02fa8d6ca41b61edad44e13b0e2c1cd1d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eeaab973ae0a2772113f964479b54982

SHA1
64a652504390f9e85fcf48b2936102999764f0c7

SHA256
8193a128b5113967ebfb79f0e6bd716c563f1687d2fb8d1d209d77a670874b0d

SHA512
f9cd6fccb5a17b45760a8f487027de1af51fb40c2e2b43f73a81071f3480defffbbfc60134eaf80c6be231bd5b9ce90b109e23403fb233b6b22878b59035822f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2fbd67bf356a4dd8cda18e074b08bba6

SHA1
cb8ed8439ce51fa9388e1d6fb1e536c4df4a72ff

SHA256
116f2ef7bfb56732ae12090d8ab667046faa9f13ac1c803732c5684e8798a18a

SHA512
c68b2a62415d0e0772f85c1a468804a34119f18b524f8476176549c453d1d7ba2eb5a256455fa4fb6ae99aae3745942f94fb4ac20f5024e518e243bcbda97fd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a81dd3e504b32d1cf854d77b73f24e6e

SHA1
98ba833479b5652109223721b6b98bd3043399eb

SHA256
dc803547846dee3bac4a312ccf23bbda42eb1029808fa084972fa413b3748fb6

SHA512
f276bf806e17de6e07ef784bb4b0c0492ebc81b1ac014ef9005fc8911030e9228335e29e75b147414a9e018490c36701477e051d9af34f632a1775f0c0fa20f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1bQudXBuXp.bat

Filesize
191B

MD5
b933f7145c9c5fa87e136456164ac207

SHA1
870ffd1d48b47ea472ebca3f4c16054273add157

SHA256
825980f06cc3635a97fda30ea6df22c47757515c2d23e056ee8ca83871638f75

SHA512
5cfcebb50861dc46f55616d07c3d3400fb6f86af11bd466dc9c88f3866dbc9f83eae8719a73c7f5e1bb7b47b19a807bc4da2442eecb590e2f62499fe49396a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat

Filesize
191B

MD5
12667b9518845a4da3d30b08e943a9f9

SHA1
7cda4bc2f83f2fa6d6d2daacecb9f3623e012dac

SHA256
f8890e1f33a2f6a6c6e31310a0eb27cae8b4f84b979206ee11bffe835522e303

SHA512
d0344f0a60b122e194bd77778cb2763c0b9b15695369337838ec73403d4909561e2d8b6c3d5f76646b1750b86938e7eac9bed8006afe8b6e4c4fcdbd54d35595

Download Submit
C:\Users\Admin\AppData\Local\Temp\6Zqs8041Oe.bat

Filesize
191B

MD5
7d6d0fd9c01758ac4afc7a770509fd1f

SHA1
0fe0a5ad1902f597087d1c5582ba132b7c7c562a

SHA256
bc38c6a16343a8d558f3d4ef7ecbd2577714cbb9ab8b466d561ddde7bb450e14

SHA512
b8e51646481710a56f3910c3ad5bb0f5d9f29d96a70c891eb3903198f727f9486dbb55aeb134af1ab2bd4c30f7832e66c3c676cc54c3adabc2142eb7b83fb705

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC998.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IlZTI8QyFg.bat

Filesize
191B

MD5
e39c4b8984b8b7d47a8e8e42e3fc70c2

SHA1
b8cc4f4805d9dae60266d041fd537c41b55d0a8f

SHA256
a3939c55038253209c66922b6c0bff3c8272330e091721ee671f702250be16a2

SHA512
95d1737d0d524657bb16480e2e85ffbb59cc5e92097fba4ab0cc620e6a7fbfe2b73c7cef3576dd63fd745d25858f2b55b7413921bac46933ea34cd2f5794c590

Download Submit
C:\Users\Admin\AppData\Local\Temp\J6LEBq1ChC.bat

Filesize
191B

MD5
adff1de0b420b4c539e7f7382a0b0a54

SHA1
3293d85fa1b4b3a5770f9516ebc78270fefe656e

SHA256
944342751e8c619223b03fb7e642ca4edf074e28099ae948b6135fb9118b4f82

SHA512
fe8e20ae2722dc930f01f36ffdbab488812efaae4e424a3e633dcb2097b600d16c7747d9736c512ac403c684b09a35b4766971c18e2748a0785b6bad9922b9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\K00M4WFsUw.bat

Filesize
191B

MD5
ba8240fd62e74ed46c2a123f77751a00

SHA1
51177b6693ed4a47449dc0a8b8095509863b3074

SHA256
47cf9939383a94b3b89ae1b1ddf052d5a995820803e7164a22bd115e8f8052b1

SHA512
b66a22b7f1818e307c9dbdcb42e627b8e44bafdec38ac5df9adee527ed80d7be4959bda764b05005d4649f84262098c21f6176873d542b0bee47dd497139b8b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\T3kbcxG26A.bat

Filesize
191B

MD5
5401d6633759b8e9cd3587e686e5da31

SHA1
cdeebc1597a37440241eaac46578bd3035a55c41

SHA256
4cda739c21c671afacca7808614b1fe85a0746599aae0565456d6da4acd6c253

SHA512
95632a41e0bc40a119a7044497a5b8b5e439ffd3e920063ce72c5f823e7c4734646e782fa4b56b49d2af5508c2f9021540635a98bf01d388354d57b05dda497e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC9AA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z4XVup0LT1.bat

Filesize
191B

MD5
a8a5f32094f803909da2949c85d6e7e8

SHA1
11c8978c9f6ee03965fbfdc57a4846d7d0054faa

SHA256
7487d7d4476a18a1e52cf2502037d388cbcf74d9caa13a46f7761fceae260d4b

SHA512
e3850f023440c7b3a8a46ebd04aa32f5733fb4374a318257b98faf8e9d1dfcae5be714a3f04aa7a9a3ee3448c21b30f842964b7c32ba4133f76f269d2a5de5e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\xghrCifyI9.bat

Filesize
191B

MD5
ebd21d28accce4d2b689ce14c5c0b499

SHA1
cc0fa3f790ead1c95944e1a40a5b4c596ddf1f1f

SHA256
77910f03c2f373df1356e8401a398f0ab98529ca773d984488605f2dbe48a7bb

SHA512
c05d0781c44f174e3ef2705ea1fcdd70aac880e4a1e0fbf5c8619725509030a3416dec61f4caacfd1e00b2147d3d5431c9a812b23b2a4a1623fbc50c87257fca

Download Submit
C:\Users\Admin\AppData\Local\Temp\zHC6P4FzNT.bat

Filesize
191B

MD5
a1d006bd913f9e92e0bbabc398ce53e8

SHA1
e877d4a7d7a46e65d706e68207e890b4aae63222

SHA256
80e318532fc79fbd7fcc9451169bfc33494d6a2196a1041a69ef90a66c1b161a

SHA512
8e16c523810c8cbe96a564d104bdb7946a3af84f486023f199af60fa7d2c3d4e5105d681d8570c7bafae94dfbf1755c0b93fabef181ad8e5858504c84ee2c4c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3fe858638f7927272926ad2ead8e049c

SHA1
fb04627a990a3974d0bf3c7d37df1fbdeb5b6704

SHA256
c817ab914efa687c3ff547ba048fd850b05903fcad04c213c5ec282553301060

SHA512
908ef3c49bf706ff91f5ca1515f68c91979237b9eeda766128360a664205d34d39279932820658a57f16fcb19ff26beab62cd8dd7011ae6d4c62f6b2ae2ce89d

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\69ddcba757bf72

Filesize
849B

MD5
e46f9bf07625ef27841e1b2bc2950ae8

SHA1
23e5b4cd2206438dfac74b1addbed3b88a7eef75

SHA256
9cee0bc132f1e9ff4600c6fcb41d0e1e0e72f286e389535dcb7c29e4ebe4b801

SHA512
1226edc984c21b80018bc38a1cc7523f305969508fb8442b333421633abd9ca824e11c571403a07b8c538938ddd42aa9a410a2c3a77961762e8b2f21309bedaf

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/564-290-0x00000000003E0000-0x00000000004F0000-memory.dmp

Filesize
1.1MB

Download
memory/692-650-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/828-710-0x0000000001260000-0x0000000001370000-memory.dmp

Filesize
1.1MB

Download
memory/1464-89-0x00000000027A0000-0x00000000027A8000-memory.dmp

Filesize
32KB

Download
memory/1464-88-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2124-410-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2204-590-0x0000000000EF0000-0x0000000001000000-memory.dmp

Filesize
1.1MB

Download
memory/2264-34-0x00000000023C0000-0x00000000023C8000-memory.dmp

Filesize
32KB

Download
memory/2264-33-0x000000001B850000-0x000000001BB32000-memory.dmp

Filesize
2.9MB

Download
memory/2348-39-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2460-530-0x00000000003C0000-0x00000000004D0000-memory.dmp

Filesize
1.1MB

Download
memory/2472-350-0x0000000000970000-0x0000000000A80000-memory.dmp

Filesize
1.1MB

Download
memory/2536-172-0x0000000001120000-0x0000000001230000-memory.dmp

Filesize
1.1MB

Download
memory/2936-17-0x0000000000180000-0x000000000018C000-memory.dmp

Filesize
48KB

Download
memory/2936-16-0x0000000000170000-0x000000000017C000-memory.dmp

Filesize
48KB

Download
memory/2936-15-0x0000000000160000-0x000000000016C000-memory.dmp

Filesize
48KB

Download
memory/2936-14-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/2936-13-0x0000000001060000-0x0000000001170000-memory.dmp

Filesize
1.1MB

Download
memory/2976-470-0x0000000000A40000-0x0000000000B50000-memory.dmp

Filesize
1.1MB

Download