dcrat | bc8bc64e94c989d0b0d92049a3037270f199728fb0f18380e2b98d126ea9c125

Analysis

max time kernel
145s
max time network
145s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc8bc64e94c989d0b0d92049a3037270f199728fb0f18380e2b98d126ea9c125.exe
Size

1.3MB
MD5

7b7afd392137d099482621c53f0b7039
SHA1

3254f9e542e89039a781233e6605dfa721bfe971
SHA256

bc8bc64e94c989d0b0d92049a3037270f199728fb0f18380e2b98d126ea9c125
SHA512

337583582be8dcec39843211cfc1002a10430f0637b279f1a09bafc4b85e9c9d31e58055e1c406646012472aba9250207a6574cfb311b0ca85e83088d333ff1e
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	1376	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	1376	schtasks.exe	33

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000193b8-11.dat	dcrat
behavioral1/memory/2880-13-0x0000000000F60000-0x0000000001070000-memory.dmp	dcrat
behavioral1/memory/2216-145-0x0000000000250000-0x0000000000360000-memory.dmp	dcrat
behavioral1/memory/2300-205-0x0000000001310000-0x0000000001420000-memory.dmp	dcrat
behavioral1/memory/2796-265-0x00000000001C0000-0x00000000002D0000-memory.dmp	dcrat
behavioral1/memory/2312-325-0x0000000000FD0000-0x00000000010E0000-memory.dmp	dcrat
behavioral1/memory/3008-385-0x00000000013C0000-0x00000000014D0000-memory.dmp	dcrat
behavioral1/memory/1932-446-0x0000000000230000-0x0000000000340000-memory.dmp	dcrat
behavioral1/memory/2724-506-0x0000000000030000-0x0000000000140000-memory.dmp	dcrat
behavioral1/memory/1464-566-0x0000000000F90000-0x00000000010A0000-memory.dmp	dcrat
behavioral1/memory/2184-626-0x00000000002C0000-0x00000000003D0000-memory.dmp	dcrat
behavioral1/memory/2908-686-0x0000000001320000-0x0000000001430000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2156	powershell.exe
2884	powershell.exe
2972	powershell.exe
2172	powershell.exe
388	powershell.exe
2020	powershell.exe
2092	powershell.exe
3036	powershell.exe
984	powershell.exe
2820	powershell.exe
1536	powershell.exe
2796	powershell.exe
1744	powershell.exe
1936	powershell.exe
2716	powershell.exe
2792	powershell.exe
2620	powershell.exe
588	powershell.exe
3056	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2880	DllCommonsvc.exe
2216	sppsvc.exe
2300	sppsvc.exe
2796	sppsvc.exe
2312	sppsvc.exe
3008	sppsvc.exe
1932	sppsvc.exe
2724	sppsvc.exe
1464	sppsvc.exe
2184	sppsvc.exe
2908	sppsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2204	cmd.exe
2204	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
19	raw.githubusercontent.com
23	raw.githubusercontent.com
34	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
27	raw.githubusercontent.com
31	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\6203df4a6bafc7	DllCommonsvc.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\Prefetch\ReadyBoot\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\Offline Web Pages\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\fr-FR\cmd.exe	DllCommonsvc.exe
File created	C:\Windows\AppPatch\de-DE\services.exe	DllCommonsvc.exe
File created	C:\Windows\fr-FR\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Windows\Web\Wallpaper\Nature\taskhost.exe	DllCommonsvc.exe
File created	C:\Windows\Web\Wallpaper\Nature\b75386f1303e64	DllCommonsvc.exe
File created	C:\Windows\Branding\ShellBrd\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\Prefetch\ReadyBoot\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Windows\Offline Web Pages\5940a34987c991	DllCommonsvc.exe
File opened for modification	C:\Windows\Web\Wallpaper\Nature\taskhost.exe	DllCommonsvc.exe
File created	C:\Windows\Branding\ShellBrd\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\AppPatch\de-DE\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Windows\ServiceProfiles\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\ServiceProfiles\56085415360792	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc8bc64e94c989d0b0d92049a3037270f199728fb0f18380e2b98d126ea9c125.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2028	schtasks.exe
940	schtasks.exe
1444	schtasks.exe
1184	schtasks.exe
1068	schtasks.exe
2984	schtasks.exe
2928	schtasks.exe
868	schtasks.exe
3056	schtasks.exe
2820	schtasks.exe
1388	schtasks.exe
2448	schtasks.exe
2940	schtasks.exe
1992	schtasks.exe
1668	schtasks.exe
2480	schtasks.exe
2348	schtasks.exe
2656	schtasks.exe
1692	schtasks.exe
2368	schtasks.exe
1748	schtasks.exe
2096	schtasks.exe
2892	schtasks.exe
1204	schtasks.exe
2520	schtasks.exe
2260	schtasks.exe
2388	schtasks.exe
316	schtasks.exe
3024	schtasks.exe
1956	schtasks.exe
1108	schtasks.exe
2316	schtasks.exe
964	schtasks.exe
2876	schtasks.exe
1760	schtasks.exe
1464	schtasks.exe
908	schtasks.exe
2220	schtasks.exe
2872	schtasks.exe
2708	schtasks.exe
2312	schtasks.exe
1716	schtasks.exe
2288	schtasks.exe
2712	schtasks.exe
2492	schtasks.exe
2224	schtasks.exe
2648	schtasks.exe
2012	schtasks.exe
1200	schtasks.exe
1768	schtasks.exe
2404	schtasks.exe
2024	schtasks.exe
860	schtasks.exe
664	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 10 IoCs

pid	Process
2216	sppsvc.exe
2300	sppsvc.exe
2796	sppsvc.exe
2312	sppsvc.exe
3008	sppsvc.exe
1932	sppsvc.exe
2724	sppsvc.exe
1464	sppsvc.exe
2184	sppsvc.exe
2908	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2880	DllCommonsvc.exe
2880	DllCommonsvc.exe
2880	DllCommonsvc.exe
2884	powershell.exe
2972	powershell.exe
2792	powershell.exe
3036	powershell.exe
588	powershell.exe
2620	powershell.exe
3056	powershell.exe
2820	powershell.exe
2716	powershell.exe
2156	powershell.exe
1536	powershell.exe
2092	powershell.exe
984	powershell.exe
1744	powershell.exe
2796	powershell.exe
388	powershell.exe
2020	powershell.exe
2172	powershell.exe
1936	powershell.exe
2216	sppsvc.exe
2300	sppsvc.exe
2796	sppsvc.exe
2312	sppsvc.exe
3008	sppsvc.exe
1932	sppsvc.exe
2724	sppsvc.exe
1464	sppsvc.exe
2184	sppsvc.exe
2908	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	DllCommonsvc.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	588	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	984	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	388	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	2216	sppsvc.exe
Token: SeDebugPrivilege	2300	sppsvc.exe
Token: SeDebugPrivilege	2796	sppsvc.exe
Token: SeDebugPrivilege	2312	sppsvc.exe
Token: SeDebugPrivilege	3008	sppsvc.exe
Token: SeDebugPrivilege	1932	sppsvc.exe
Token: SeDebugPrivilege	2724	sppsvc.exe
Token: SeDebugPrivilege	1464	sppsvc.exe
Token: SeDebugPrivilege	2184	sppsvc.exe
Token: SeDebugPrivilege	2908	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2896	2248	bc8bc64e94c989d0b0d92049a3037270f199728fb0f18380e2b98d126ea9c125.exe	29
PID 2248 wrote to memory of 2896	2248	bc8bc64e94c989d0b0d92049a3037270f199728fb0f18380e2b98d126ea9c125.exe	29
PID 2248 wrote to memory of 2896	2248	bc8bc64e94c989d0b0d92049a3037270f199728fb0f18380e2b98d126ea9c125.exe	29
PID 2248 wrote to memory of 2896	2248	bc8bc64e94c989d0b0d92049a3037270f199728fb0f18380e2b98d126ea9c125.exe	29
PID 2896 wrote to memory of 2204	2896	WScript.exe	30
PID 2896 wrote to memory of 2204	2896	WScript.exe	30
PID 2896 wrote to memory of 2204	2896	WScript.exe	30
PID 2896 wrote to memory of 2204	2896	WScript.exe	30
PID 2204 wrote to memory of 2880	2204	cmd.exe	32
PID 2204 wrote to memory of 2880	2204	cmd.exe	32
PID 2204 wrote to memory of 2880	2204	cmd.exe	32
PID 2204 wrote to memory of 2880	2204	cmd.exe	32
PID 2880 wrote to memory of 2884	2880	DllCommonsvc.exe	88
PID 2880 wrote to memory of 2884	2880	DllCommonsvc.exe	88
PID 2880 wrote to memory of 2884	2880	DllCommonsvc.exe	88
PID 2880 wrote to memory of 2792	2880	DllCommonsvc.exe	89
PID 2880 wrote to memory of 2792	2880	DllCommonsvc.exe	89
PID 2880 wrote to memory of 2792	2880	DllCommonsvc.exe	89
PID 2880 wrote to memory of 2972	2880	DllCommonsvc.exe	90
PID 2880 wrote to memory of 2972	2880	DllCommonsvc.exe	90
PID 2880 wrote to memory of 2972	2880	DllCommonsvc.exe	90
PID 2880 wrote to memory of 2620	2880	DllCommonsvc.exe	91
PID 2880 wrote to memory of 2620	2880	DllCommonsvc.exe	91
PID 2880 wrote to memory of 2620	2880	DllCommonsvc.exe	91
PID 2880 wrote to memory of 2796	2880	DllCommonsvc.exe	92
PID 2880 wrote to memory of 2796	2880	DllCommonsvc.exe	92
PID 2880 wrote to memory of 2796	2880	DllCommonsvc.exe	92
PID 2880 wrote to memory of 1744	2880	DllCommonsvc.exe	93
PID 2880 wrote to memory of 1744	2880	DllCommonsvc.exe	93
PID 2880 wrote to memory of 1744	2880	DllCommonsvc.exe	93
PID 2880 wrote to memory of 1936	2880	DllCommonsvc.exe	94
PID 2880 wrote to memory of 1936	2880	DllCommonsvc.exe	94
PID 2880 wrote to memory of 1936	2880	DllCommonsvc.exe	94
PID 2880 wrote to memory of 2172	2880	DllCommonsvc.exe	95
PID 2880 wrote to memory of 2172	2880	DllCommonsvc.exe	95
PID 2880 wrote to memory of 2172	2880	DllCommonsvc.exe	95
PID 2880 wrote to memory of 388	2880	DllCommonsvc.exe	96
PID 2880 wrote to memory of 388	2880	DllCommonsvc.exe	96
PID 2880 wrote to memory of 388	2880	DllCommonsvc.exe	96
PID 2880 wrote to memory of 2716	2880	DllCommonsvc.exe	97
PID 2880 wrote to memory of 2716	2880	DllCommonsvc.exe	97
PID 2880 wrote to memory of 2716	2880	DllCommonsvc.exe	97
PID 2880 wrote to memory of 2020	2880	DllCommonsvc.exe	98
PID 2880 wrote to memory of 2020	2880	DllCommonsvc.exe	98
PID 2880 wrote to memory of 2020	2880	DllCommonsvc.exe	98
PID 2880 wrote to memory of 984	2880	DllCommonsvc.exe	99
PID 2880 wrote to memory of 984	2880	DllCommonsvc.exe	99
PID 2880 wrote to memory of 984	2880	DllCommonsvc.exe	99
PID 2880 wrote to memory of 588	2880	DllCommonsvc.exe	100
PID 2880 wrote to memory of 588	2880	DllCommonsvc.exe	100
PID 2880 wrote to memory of 588	2880	DllCommonsvc.exe	100
PID 2880 wrote to memory of 2092	2880	DllCommonsvc.exe	101
PID 2880 wrote to memory of 2092	2880	DllCommonsvc.exe	101
PID 2880 wrote to memory of 2092	2880	DllCommonsvc.exe	101
PID 2880 wrote to memory of 2156	2880	DllCommonsvc.exe	102
PID 2880 wrote to memory of 2156	2880	DllCommonsvc.exe	102
PID 2880 wrote to memory of 2156	2880	DllCommonsvc.exe	102
PID 2880 wrote to memory of 3036	2880	DllCommonsvc.exe	104
PID 2880 wrote to memory of 3036	2880	DllCommonsvc.exe	104
PID 2880 wrote to memory of 3036	2880	DllCommonsvc.exe	104
PID 2880 wrote to memory of 2820	2880	DllCommonsvc.exe	106
PID 2880 wrote to memory of 2820	2880	DllCommonsvc.exe	106
PID 2880 wrote to memory of 2820	2880	DllCommonsvc.exe	106
PID 2880 wrote to memory of 3056	2880	DllCommonsvc.exe	120

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bc8bc64e94c989d0b0d92049a3037270f199728fb0f18380e2b98d126ea9c125.exe
"C:\Users\Admin\AppData\Local\Temp\bc8bc64e94c989d0b0d92049a3037270f199728fb0f18380e2b98d126ea9c125.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Wallpaper\Nature\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\ShellBrd\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\de-DE\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\reports\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nfKdbWW4Uq.bat"
        5⤵
        
        PID:2064
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2176
      - C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CZdmQsnKkU.bat"
        7⤵
        
        PID:2620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2924
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HmDgHlPzdV.bat"
        9⤵
        
        PID:112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2568
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x1DfgQ9qXa.bat"
        11⤵
        
        PID:2508
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2404
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHuJ4aKJis.bat"
        13⤵
        
        PID:2400
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2832
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\989MOUOnUX.bat"
        15⤵
        
        PID:2788
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1584
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6RTVEKunr.bat"
        17⤵
        
        PID:884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2404
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m1RNSv4oba.bat"
        19⤵
        
        PID:1956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2936
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KmPq9HzxB6.bat"
        21⤵
        
        PID:2440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2160
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Lg3y2yDdyq.bat"
        23⤵
        
        PID:1144
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2884
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\Wallpaper\Nature\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Nature\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Windows\Web\Wallpaper\Nature\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Branding\ShellBrd\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Branding\ShellBrd\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\Prefetch\ReadyBoot\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\Prefetch\ReadyBoot\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Offline Web Pages\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Windows\fr-FR\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\fr-FR\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Windows\fr-FR\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\AppPatch\de-DE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\AppPatch\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\AppPatch\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\ServiceProfiles\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\ServiceProfiles\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Temp\Crashpad\reports\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\reports\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Temp\Crashpad\reports\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c52ac70b607fbf01cc8d62b3da46a9d3

SHA1
ee590a8c3eae846eac23739c8695562603fe503a

SHA256
9bf18d2c363426f3a9b8875a1338fcb9113b6e61e161f8f5c6456ce336ff0e45

SHA512
bef57965fc8849a0e99d9bda2da7fa13a41c3a4c265de7ec9ad74794a8d8df19e242e2c2c0666e77b316d0ef096252d62b8633d5c7431fad34ba6eb8507edca3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
59d92bf95da4266558d7b92f76d4c2f4

SHA1
abf59fa067d88eea79436ee582910da8d6061591

SHA256
b59e9d92923c5bdeafd4eba49bec6f69f98859e23dbe866e7f1c05551aa8e517

SHA512
943145e0730cedfa8c281374b3ee9a2dac68edb7538ab627801f2ed028d7e028e9b8d82781fcaa75ea9559536a71287ea8f21dbac7b6629069c85710b8bdadc8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5381c993c2c1b7876b144eab267f63e4

SHA1
124d5a775a5996a57493253ebf3df27e41007878

SHA256
4918ed6372b1b6746a6a07ba0b76997044b70211149c9870ea8f7d964dfc17d3

SHA512
96db79abba738fcbe58ef1ce195e799000fee13767e72d62e28f8f2b7ac010a860a88b82d1f9e7f83cfe1e53e286440a055a5e6ecd1f0c37e62a1be9f8d77e49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4caccc385e4fffe9d119df7fa8a2de1d

SHA1
1769fb8d9ebd94f6e4fc732cd104a9573dd258c0

SHA256
1eb885942f06cf63f8c7c734e9ac8895c50dde021e080f0ef1ddceb97eb5ebaf

SHA512
11e0b90044d766b43661e3db0f36603dba07eb21a3ddb2582b27254258d1febc7542533d0ac180b4124f64b906dbc66bc6b040dbf0702ee6ae1b642133488793

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45de005122b4846ac74ca86576430f1e

SHA1
bffbea8812aa098cced16cfd62842ad8a628e747

SHA256
8b8a2e15fd7e7d0aa5f239608d9043c4827c8fce5fbe2e8e1e5e5e2fd7b01c45

SHA512
6680faae2164ac1cc084adf237cee4b5303f445698aeef1fae67b5a2cadc5836979007bb81cfebcff29ea2c0f66dc145fa5e2ca915adae50a8e4e95444917e66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
09440c1c453dd1254a656db66c454273

SHA1
4ced003ce42ede8a9b76cace1297f9a5048af82e

SHA256
bb2401c152322d80f6ec945006cf28c94a6466b198d24dd3efc1c489f40a0b1b

SHA512
8e3388f56905a3ec0a0e6bf6b73f3e23e1cceae3bd18b32df423e5caf11afdc5e91cc81a25cbefc09ef31aba405e0816925ea62feebe887890ba06afa414b89f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c00e87a907a60ee04e81bb52f840fe2

SHA1
40ea5ccb561d837d78cbc7bc61f380d331e503bd

SHA256
8033c3f378d6ba5ec22d30ad322276147d05149c2c27c92e39e0c1ce117218f5

SHA512
150c0d183c857d96c646bea76b71c03b11a506d6469aa710484a8e3ca74f442cd4f713cadc67a30e5ab963e6b82ae4ee34b4f9f486644d39d2917094e2908764

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60e84192e432caeaec851f7727ca3fab

SHA1
a31b2c03fd0cff9363a991ba5ca0a65b23e43197

SHA256
fa4e38d20ea07c96182d63b4ec7d25c70d745d554f529d0c3180008d9e48c22e

SHA512
b5043e966713aa35c19d768804e31dea4560611ef09e024cb8bcd146c8d81e81b90c4871a5708bfd2eae5bab71df31c605e3ce78c22e1194e1f25a1c1e7cffbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\989MOUOnUX.bat

Filesize
246B

MD5
4c465286d00e923d2129594618af0ace

SHA1
d154cf967964f557100797f2cdff91e0f70dabce

SHA256
9c9368f7ce5fb6696932f3c6365314a935f902744b3791d151e65928915e36e8

SHA512
ee468ed654f8e8f2976a4c6ac273ab0d46b5e920c0bffb217d914c3c87a5351b02fc8ce80dbf4e54e251a5c2e23c79091da1b3382e706b38b7b6e6e766bf3fb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CZdmQsnKkU.bat

Filesize
246B

MD5
c18c24503e04df1077257d1bfa330c37

SHA1
063f611a9b5d01cd18ae7c66ee1c54abf1355fbf

SHA256
9ef29711188dbbe4733cdc904a8a2db51f395c5cb1823a3be23f8a1fec12844b

SHA512
b38caab5af9375c76fd1fe347a6acb14002cf91de0c5aa1add9d48e7a1537ff9466250ee722e2c182cd9d4e1c6a7554c5acbdaab2f4431e5e2517e29f6b1e5b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab49AF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HmDgHlPzdV.bat

Filesize
246B

MD5
0efcf6e30bd50861dcf2aafadeb316db

SHA1
c4eb4f7be75cb99128b1a58c05df4fca7fe60725

SHA256
242b6985645d9b7f79916e5b1d8e1bed84787f29d389a7a55bacb0a3fb82bba1

SHA512
91d7b873f51bbdaa12d10488aaa445649e7afde453165926b4e5b3ab37ffa45d2bd8bd25741930bb17d623350c8092949cac43c96baf6b2efe6fd34f9547a3fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\J6RTVEKunr.bat

Filesize
246B

MD5
87d88982559af09e221248f814a87314

SHA1
f2a4f2b5632ee1be8a24bf38e7357761be662b6c

SHA256
3ecf53074c05b57de95d05e30ff760fa2c9858ae752342a604ce052b9056c774

SHA512
78fe4b490d07f1faf319bbee2ae9b9160b4efdd712f1d3c544b78cc9f05d30f67bcd4c20a9e8e9d9bbee797e31c9431a7f4edb761a3b36aaac428eb1af6458fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\KmPq9HzxB6.bat

Filesize
246B

MD5
cda21b17f3e574bbcb36276d49b86de0

SHA1
7e4249267ed22f9b3597051b4ae5112512b743ef

SHA256
87c0b0a9bb09168a0283998e3e5b07c6cd982ef18d8456abb1be679ad14cee20

SHA512
429dfe53f7cfceb9fc1473e42cf825ee95a205e880ed31aaa0695c71dbcc3cde8327ee10831aa9593d239a2761d94c84793639e937a7c43ba504ca45db2efe15

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lg3y2yDdyq.bat

Filesize
246B

MD5
c52679ca41f7e859739e83075ab4e524

SHA1
79b613d170d4bfae1b99c3785758050afc5c28e8

SHA256
91e12f57607041f5dcc62001239b2203870935c7cbbd8a5612f6b695c6a2fb42

SHA512
47a5d5ac8ec112cddb5e09fc32b2629a1bc3c7e293008f219c2c67f9da9d9d7939e097f45b22bbf2c57b1e36925b77b8658c085d7c14c63d27c11a14a83f9253

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4A1F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lHuJ4aKJis.bat

Filesize
246B

MD5
a10945637550de4ce4cc67ceed959394

SHA1
0ee14b3df4deb1329d818148aa2c5b80a70d46b5

SHA256
dc5786d454ce74cddda38e1007fe8a1dc26cf50a2409925da53ea3a0803a22d4

SHA512
bdb217696a0fb12112ca6c315de58be17847ff1780a3c3d5be5eff5f5ae7d170f87a5f4122d94a2d581d82494feefd0895cae55321ccee2476db5e6f7fd08001

Download Submit
C:\Users\Admin\AppData\Local\Temp\m1RNSv4oba.bat

Filesize
246B

MD5
93bd894e02ed26ebcae152ba4fc7ba6c

SHA1
310e931d8f22f49a75819a8291223e5df8a9159a

SHA256
9b6297ba52ec99b79c9954a00d83b5218eea4dc787403943558a013079530e77

SHA512
7daf82f84baa75777c84ba1bec428f5fe1cabe2ca303a44d7b61e1636d345dd3c91f058193031e64aa615fd9665e29b5ffe26c6c36c62908308b78de1017e158

Download Submit
C:\Users\Admin\AppData\Local\Temp\nfKdbWW4Uq.bat

Filesize
246B

MD5
c4ec15caa8bcc97489fb682757a62df8

SHA1
92fb9e8a4704ea0e3de1f18888c5d112a81ec714

SHA256
c37120c8bd9b9b6035884e140440d231e3fd16cc21142a2eb73aacbee932baec

SHA512
d5605f47cf33c1fa32c8c1fff3088901b0ec90d35f38ec916ffab8df8df1d792d704fcce8a11aee82d55325caa270797e9fd0d528a4123209d6586684262e33c

Download Submit
C:\Users\Admin\AppData\Local\Temp\x1DfgQ9qXa.bat

Filesize
246B

MD5
f3062797fc77d853114d9a54efb1e3a6

SHA1
ec12be7faa3576f8465b1b33190817d940eef160

SHA256
9927512bae772b0d184a0bf67ea5e85b4fa3a2e8f907bbc61985330be9b507ab

SHA512
a9b1467c1b89429a5fa367e77344393b9b363b8cab67f47596fbf04a742232bd60571891fde4657620cd1fb79ab3809700fa4b7b7d3b54a7d5698212f12adab2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
dfcf810d181396135ae2192d5af55b9d

SHA1
82efd498caff6756b8bc09d71cd673d674112d0f

SHA256
fea93253b7f6e2748705b7f233e8e54d51de2113798d6b10ca257dad33b20896

SHA512
6cf9ec9fdee58778133da45d079481329fed759eef94428c0476b672f84afe97fe1dd92b5b617755842f33680e211712d3c4af97b035893f6fb91bc34737d151

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1464-566-0x0000000000F90000-0x00000000010A0000-memory.dmp

Filesize
1.1MB

Download
memory/1932-446-0x0000000000230000-0x0000000000340000-memory.dmp

Filesize
1.1MB

Download
memory/2184-626-0x00000000002C0000-0x00000000003D0000-memory.dmp

Filesize
1.1MB

Download
memory/2216-145-0x0000000000250000-0x0000000000360000-memory.dmp

Filesize
1.1MB

Download
memory/2216-146-0x0000000001FF0000-0x0000000002002000-memory.dmp

Filesize
72KB

Download
memory/2300-205-0x0000000001310000-0x0000000001420000-memory.dmp

Filesize
1.1MB

Download
memory/2312-325-0x0000000000FD0000-0x00000000010E0000-memory.dmp

Filesize
1.1MB

Download
memory/2724-506-0x0000000000030000-0x0000000000140000-memory.dmp

Filesize
1.1MB

Download
memory/2796-265-0x00000000001C0000-0x00000000002D0000-memory.dmp

Filesize
1.1MB

Download
memory/2880-17-0x0000000000170000-0x000000000017C000-memory.dmp

Filesize
48KB

Download
memory/2880-16-0x0000000000160000-0x000000000016C000-memory.dmp

Filesize
48KB

Download
memory/2880-15-0x0000000000180000-0x000000000018C000-memory.dmp

Filesize
48KB

Download
memory/2880-14-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2880-13-0x0000000000F60000-0x0000000001070000-memory.dmp

Filesize
1.1MB

Download
memory/2884-68-0x000000001B120000-0x000000001B402000-memory.dmp

Filesize
2.9MB

Download
memory/2884-69-0x0000000002590000-0x0000000002598000-memory.dmp

Filesize
32KB

Download
memory/2908-686-0x0000000001320000-0x0000000001430000-memory.dmp

Filesize
1.1MB

Download
memory/3008-386-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/3008-385-0x00000000013C0000-0x00000000014D0000-memory.dmp

Filesize
1.1MB

Download