dcrat | e3b4620b85709a793de2b777da764d094f9a6dc19ead0a7fcad953c1fb3e8550

Analysis

max time kernel
1653s
max time network
1557s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/10/2024, 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XBinderOutput(1).exe
Size

607KB
MD5

19d31479381cfda2c9878b427f51a0c2
SHA1

5b8774c60b71dd32e7325d0fbceb3434975ca7cc
SHA256

e3b4620b85709a793de2b777da764d094f9a6dc19ead0a7fcad953c1fb3e8550
SHA512

14ce10c974af40f5ab3e93f3bb3ff5ada22a8c2245bf45f40be0a59a75bcd9bfb2bf2288416744a2cebb93b3eb487ba070670d553ea87ca8c0e566c727bf28a2
SSDEEP

12288:DikJ/Wmo/J594F3o472LiJgSifSdq/UByol53uFb/V4YUWpcZm83:TJ/+z4F3osuiKoqsyol54bWYUK

Score

10^/10

dcrat credential_access defense_evasion discovery infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	spoolsv.exe

Process spawned unexpected child process 43 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	616	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	3040	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2036	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2036	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2036	schtasks.exe	79
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2036	schtasks.exe	79

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000a000000012280-6.dat	dcrat
behavioral1/files/0x0008000000016890-21.dat	dcrat
behavioral1/memory/2564-22-0x0000000001040000-0x0000000001116000-memory.dmp	dcrat
behavioral1/memory/2000-55-0x00000000003B0000-0x0000000000486000-memory.dmp	dcrat

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\srvnet.sys	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\volmgrx.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\hidbth.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\isapnp.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\bthpan.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\en-US\RNDISMP.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\fltmgr.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\RNDISMP.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\amdk8.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\bfe.dll.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\disk.sys	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\en-US\fltmgr.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\en-US\pnpmem.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\nwifi.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\cdrom.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\UAGP35.SYS.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\acpi.sys	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\discache.sys	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\amdide.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\HdAudio.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\usbhub.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\ndisuio.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\mountmgr.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\nwifi.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\vwifibus.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\de-DE\afd.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\en-US\fvevol.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\en-US\intelppm.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\msdsm.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\fvevol.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\mssmbios.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\vhdmp.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\pacer.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\rndismp6.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\fltmgr.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\usbhub.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\rdpvideominiport.sys	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\BTHUSB.SYS.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\battc.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\parport.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\beep.sys	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\BrParwdm.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\NV_AGP.SYS.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\rdpwd.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\usbrpm.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\amdppm.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\bfe.dll.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\Dot4usb.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\bfe.dll.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\ks.sys	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\msrpc.sys	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\en-US\MTConfig.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\tunnel.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\usbrpm.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\ja-JP\vhdmp.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\en-US\acpi.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\en-US\vdrvroot.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\es-ES\Dot4usb.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\fr-FR\rndismp6.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\amdide.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\it-IT\serial.sys.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\en-US\WUDFUsbccidDriver.dll.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\drivers\HdAudio.sys	spoolsv.exe

Manipulates Digital Signatures 4 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File opened for modification	C:\Windows\System32\wintrust.dll	spoolsv.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll	spoolsv.exe
File opened for modification	C:\Windows\SysWOW64\wintrust.dll	spoolsv.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll	spoolsv.exe

Boot or Logon Autostart Execution: Print Processors 1 TTPs 1 IoCs

Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.

persistence

Print Processors

T1547.012

description	ioc	Process
File opened for modification	C:\Windows\System32\spool\prtprocs\x64\winprint.dll	spoolsv.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Deletes itself 1 IoCs

pid	Process
2000	spoolsv.exe

Executes dropped EXE 3 IoCs

pid	Process
2784	kendalcp.exe
2564	reviewDll.exe
2000	spoolsv.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 36 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx	spoolsv.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4WHC.evtx	spoolsv.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsBackup%4ActionCenter.evtx	spoolsv.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx	spoolsv.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Key Management Service.evtx	spoolsv.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-Scheduled%4Operational.evtx	spoolsv.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx	spoolsv.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx	spoolsv.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Dhcp-Client%4Admin.evtx	spoolsv.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx	spoolsv.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx	spoolsv.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Application.evtx	spoolsv.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Internet Explorer.evtx	spoolsv.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx	spoolsv.exe
File opened for modification	C:\Windows\System32\winevt\Logs\System.evtx	spoolsv.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Windows PowerShell.evtx	spoolsv.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx	spoolsv.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Errors.evtx	spoolsv.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx	spoolsv.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Security.evtx	spoolsv.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx	spoolsv.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtx	spoolsv.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx	spoolsv.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Media Center.evtx	spoolsv.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx	spoolsv.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx	spoolsv.exe
File opened for modification	C:\Windows\System32\winevt\Logs\OAlerts.evtx	spoolsv.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Problem-Steps-Recorder.evtx	spoolsv.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx	spoolsv.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx	spoolsv.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4WHC.evtx	spoolsv.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx	spoolsv.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx	spoolsv.exe
File opened for modification	C:\Windows\System32\winevt\Logs\HardwareEvents.evtx	spoolsv.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx	spoolsv.exe
File opened for modification	C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx	spoolsv.exe

Loads dropped DLL 2 IoCs

pid	Process
2844	cmd.exe
2844	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 52 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-afternoon_31bf3856ad364e35_6.1.7600.16385_none_2a05e57d5ab3659e\Desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17514_none_75d78dc0bb37c026\Desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_8.0.7601.17514_none_da0c2f9edf5b1353\desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-photosamples_31bf3856ad364e35_6.1.7600.16385_none_f36e0e659b8042be\desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-quirky_31bf3856ad364e35_6.1.7600.16385_none_e55404efe49bb9cb\Desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-characters_31bf3856ad364e35_6.1.7600.16385_none_bde0eaed84920a21\Desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_6.1.7600.16385_none_36604ea896f9a97d\Desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-videosamples_31bf3856ad364e35_6.1.7600.16385_none_51a21f033003affd\desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_8.0.7600.16385_none_add5a10aa4d614d5\desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-sonata_31bf3856ad364e35_6.1.7600.16385_none_201752c112c5078c\Desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..dthemes-calligraphy_31bf3856ad364e35_6.1.7600.16385_none_c1407bc73caf8dfc\Desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_6.1.7600.16385_none_bf396ba9226e0702\Desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-heritage_31bf3856ad364e35_6.1.7600.16385_none_5872c0830d0c4747\Desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-systemtools_31bf3856ad364e35_6.1.7600.16385_none_da623240a154f357\Desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..soundthemes-savanna_31bf3856ad364e35_6.1.7600.16385_none_8501e89d0b011992\Desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-cityscape_31bf3856ad364e35_6.1.7600.16385_none_5b48f43248490503\Desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-samplemedia_31bf3856ad364e35_6.1.7600.16385_none_b6b9b223710b3802\desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-ca-component_31bf3856ad364e35_6.1.7601.17514_none_fae061a2e0ae5019\desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ini-accessoriesuser_31bf3856ad364e35_6.1.7600.16385_none_7ff91f5d2dd6c770\Desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ini-maintenanceuser_31bf3856ad364e35_6.1.7600.16385_none_61fc91b36f901b87\Desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_6.1.7600.16385_none_480c0d8bd31ae43f\Desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-landscape_31bf3856ad364e35_6.1.7600.16385_none_7a83a914edc3de49\Desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-wallpaper-scenes_31bf3856ad364e35_6.1.7600.16385_none_a4393b1a254aeaee\Desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_f35f9773adf74c06\Desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-fontext_31bf3856ad364e35_6.1.7601.17514_none_fcab9df20a3cd55f\desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-us-links-component_31bf3856ad364e35_6.1.7601.17514_none_b325aa489d61d3a5\desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-musicsamples_31bf3856ad364e35_6.1.7600.16385_none_06495209cbd8e93b\desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-garden_31bf3856ad364e35_6.1.7600.16385_none_f7a4bf1e15863e21\Desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..l-soundthemes-delta_31bf3856ad364e35_6.1.7600.16385_none_fbf7e0678b64a4b8\Desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.2.9600.16428_none_197d7b3a29314757\desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-au-component_31bf3856ad364e35_6.1.7601.17514_none_36a5754e72dd8aff\desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-gb-component_31bf3856ad364e35_6.1.7601.17514_none_92d51a492ae12096\desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_6.1.7600.16385_none_73076dd9cf3a9dce\Desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-wallpaper-nature_31bf3856ad364e35_6.1.7600.16385_none_d5909570704a09c0\Desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-gb-links-component_31bf3856ad364e35_6.1.7601.17514_none_0ea01e97df141032\desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ringtonesamples_31bf3856ad364e35_6.1.7600.16385_none_135e536ebbe59c28\desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-maintenance_31bf3856ad364e35_6.1.7600.16385_none_ba8f25a3b6d81a68\Desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ndthemes-characters_31bf3856ad364e35_6.1.7600.16385_none_08da32b0fdad9220\Desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-gameexplorer_31bf3856ad364e35_6.1.7601.17514_none_a026547dd7dc8bbc\Desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-us-component_31bf3856ad364e35_6.1.7601.17514_none_b52573ad8e4c2d89\desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-za-component_31bf3856ad364e35_6.1.7601.17514_none_a5926b147a413e6a\desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..lpaper-architecture_31bf3856ad364e35_6.1.7600.16385_none_d99106b927aa7782\Desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_d20e5d35068f261a\Desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..sktopini-sendtouser_31bf3856ad364e35_6.1.7600.16385_none_64398328adc9c59d\Desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-shell-soundthemes-raga_31bf3856ad364e35_6.1.7600.16385_none_2fe300bf8e73cdbd\Desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ehome-reg-inf_31bf3856ad364e35_6.1.7601.17514_none_535245f3d98ecb9a\desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.2.9600.16428_none_4382f60666c7c23b\desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-landscapes_31bf3856ad364e35_6.1.7600.16385_none_e57abb2f66db71a9\Desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_6.1.7600.16385_none_7ca09f65fd387e58\Desktop.ini	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-festival_31bf3856ad364e35_6.1.7600.16385_none_121f20b55f0bde68\Desktop.ini	spoolsv.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	spoolsv.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_6.1.7600.16385_none_de06b4fbd5b45f78\autorun.inf	spoolsv.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\HomeBasicN\license.rtf	spoolsv.exe
File opened for modification	C:\Windows\SysWOW64\oleaut32.dll	spoolsv.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00i.inf_amd64_neutral_09ff5ee0a0cf0233\Amd64\CNBJOP9A.DLL	spoolsv.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\netxex64.inf_loc	spoolsv.exe
File opened for modification	C:\Windows\SysWOW64\MUI\040C\mscorees.dll	spoolsv.exe
File opened for modification	C:\Windows\System32\de-DE\erofflps.txt	spoolsv.exe
File opened for modification	C:\Windows\SysWOW64\C_28592.NLS	spoolsv.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\desk.cpl.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\es-ES\about_job_details.help.txt	spoolsv.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\wiabr002.inf_loc	spoolsv.exe
File opened for modification	C:\Windows\System32\en-US\qdv.dll.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\it-IT\p2phost.exe.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\ja-JP\Display.dll.mui	spoolsv.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\getmac.exe.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\de-DE\rstrtmgr.dll.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\de-DE\eappcfg.dll.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LVP14.GPD	spoolsv.exe
File opened for modification	C:\Windows\SysWOW64\en-US\xmlfilter.dll.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\PresentationSettings.exe	spoolsv.exe
File opened for modification	C:\Windows\SysWOW64\C_1141.NLS	spoolsv.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_debuggers.help.txt	spoolsv.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\msdv.inf_loc	spoolsv.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky003.inf_amd64_neutral_fe7ea176f20ab839\Amd64\KYFS3900.GPD	spoolsv.exe
File opened for modification	C:\Windows\System32\it-IT\bdesvc.dll.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\it-IT\msvfw32.dll.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\api-ms-win-core-libraryloader-l1-1-0.dll	spoolsv.exe
File opened for modification	C:\Windows\System32\fr-FR\SystemPropertiesAdvanced.exe.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPO7200T.XML	spoolsv.exe
File opened for modification	C:\Windows\System32\wbem\msfeeds.mof	spoolsv.exe
File opened for modification	C:\Windows\SysWOW64\tr-TR\cdosys.dll.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00b.inf_amd64_neutral_4412894f52d39895\Amd64\CNB_0331.DLL	spoolsv.exe
File opened for modification	C:\Windows\System32\es-ES\wbiosrvc.dll.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\fr-FR\scrptadm.dll.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe	spoolsv.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\kerberos.dll.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\de-DE\aclui.dll.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\fr-FR\icsigd.dll.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\migwiz\dlmanifests\Microsoft-Windows-TextServicesFramework-Migration-DL\imscmig.dll	spoolsv.exe
File opened for modification	C:\Windows\System32\Setup\tssysprep.dll	spoolsv.exe
File opened for modification	C:\Windows\System32\wbem\fr-FR\vds.mfl	spoolsv.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\nslookup.exe.mui	spoolsv.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\shell32.dll.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\DriverStore\en-US\prnep00a.inf_loc	spoolsv.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\sti.inf_amd64_neutral_9d9a7113099a28a2\WSDScan.sys	spoolsv.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\ramdisk.inf_loc	spoolsv.exe
File opened for modification	C:\Windows\System32\es-ES\qcap.dll.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\it-IT\getuname.dll.mui	spoolsv.exe
File opened for modification	C:\Windows\SysWOW64\en-US\printui.exe.mui	spoolsv.exe
File opened for modification	C:\Windows\SysWOW64\en-US\UserAccountControlSettings.dll.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\prnrc004.inf_loc	spoolsv.exe
File opened for modification	C:\Windows\System32\en-US\comres.dll.mui	spoolsv.exe
File opened for modification	C:\Windows\SysWOW64\mprddm.dll	spoolsv.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\gpprnext.dll.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\de-DE\RunLegacyCPLElevated.exe.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\prnep002.inf_loc	spoolsv.exe
File opened for modification	C:\Windows\System32\secproc.dll	spoolsv.exe
File opened for modification	C:\Windows\System32\es-ES\pegi.rs.mui	spoolsv.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\de-DE\about_debuggers.help.txt	spoolsv.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\fr-FR\about_escape_characters.help.txt	spoolsv.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_remote_output.help.txt	spoolsv.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ws3cap.inf_amd64_neutral_eeaccb8f1560f5fb\ws3cap.inf	spoolsv.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\ql40xx.inf_loc	spoolsv.exe
File opened for modification	C:\Windows\System32\migwiz\dlmanifests\Microsoft-Windows-WAB-DL.man	spoolsv.exe
File opened for modification	C:\Windows\System32\de-DE\DShowRdpFilter.dll.mui	spoolsv.exe

Modifies termsrv.dll 1 TTPs 1 IoCs

Commonly used to allow simultaneous RDP sessions.

Remote Desktop Protocol

T1021.001

description	ioc	Process
File opened for modification	C:\Windows\System32\termsrv.dll	spoolsv.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll	spoolsv.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui	spoolsv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\activity16v.png	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOnNotificationInAcrobat.gif	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\calendar.css	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_settings.png	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-full.png	spoolsv.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Windows.Presentation.resources.dll	spoolsv.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.png	spoolsv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_snow.png	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR\MSTTSLoc.dll.mui	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\F12Tools.dll.mui	spoolsv.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat	spoolsv.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsita.xml	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\System.RunTime.Serialization.Resources.dll	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\icon.png	spoolsv.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IO.Log.Resources.dll	spoolsv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\flyout.css	spoolsv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\gadget.xml	spoolsv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_snow.png	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_left_hover.png	spoolsv.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\DVDMaker.exe.mui	spoolsv.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.Entity.Resources.dll	spoolsv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\init.js	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\22.png	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\19.png	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full_partly-cloudy.png	spoolsv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\flower.png	spoolsv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rssLogo.gif	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationProvider.resources.dll	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\drag.png	spoolsv.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-backglow.png	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_windy.png	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\wmpnssci.dll.mui	spoolsv.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InkWatson.exe.mui	spoolsv.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml	spoolsv.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm	spoolsv.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Data.Entity.Design.dll	spoolsv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-desk.png	spoolsv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\settings.css	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ie9props.propdesc	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\settings.html	spoolsv.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\203x8subpicture.png	spoolsv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\currency.css	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoViewer.dll.mui	spoolsv.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwresslm.dat	spoolsv.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml	spoolsv.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui	spoolsv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\bg_sidebar.png	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-down.png	spoolsv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\gadget.xml	spoolsv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot_lrg.png	spoolsv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\navBack.png	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.AddIn.dll	spoolsv.exe
File opened for modification	C:\Program Files\Windows Journal\ja-JP\Journal.exe.mui	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\PresentationFramework.resources.dll	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fr-FR\setup_wm.exe.mui	spoolsv.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\cloud_Thumbnail.bmp	spoolsv.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\UIAutomationProvider.resources.dll	spoolsv.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\clock.css	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\DefaultID.pdf	spoolsv.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui	spoolsv.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-c..r-name-ui.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e808f1f0bbdbf83e.manifest	spoolsv.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-s..clientext.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f2c4550f195b8ca8.manifest	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_ql2300.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_e1af702fea4fbaef\ql2300.inf_loc	spoolsv.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-i..ional-codepage-1254_31bf3856ad364e35_6.1.7600.16385_none_22d533776b0da1a5_c_1254.nls_7254a9cb	spoolsv.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-secinit_31bf3856ad364e35_6.1.7600.16385_none_e3ace21ee6af3fb6.manifest	spoolsv.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_vhdmp.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_4628d1bdd2cbeb22.manifest	spoolsv.exe
File opened for modification	C:\Windows\winsxs\Manifests\wow64_microsoft-windows-i..libraries.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_bc22e6f5ead49f76.manifest	spoolsv.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-a..c-performance-layer_31bf3856ad364e35_6.1.7600.16385_none_100d67cc0062d5b0.manifest	spoolsv.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_prnky006.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_d1137faaac5c4b95.manifest	spoolsv.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft.backgroun..nt.module.resources_31bf3856ad364e35_6.1.7600.16385_it-it_77e724931dfeb870\Microsoft.BackgroundIntelligentTransfer.Management.dll-Help.xml	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-d..rectinput.resources_31bf3856ad364e35_6.1.7600.16385_en-us_09395f7bc9e271bb\dinput.dll.mui	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..-downlevelmanifests_31bf3856ad364e35_6.1.7601.17514_none_609ebaed9a394a1c\Microsoft-Windows-OfflineFiles-DL.man	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-sonata_31bf3856ad364e35_6.1.7600.16385_none_201752c112c5078c\Windows User Account Control.wav	spoolsv.exe
File opened for modification	C:\Windows\winsxs\Backup\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_fi-fi_24ff5a886963291e.manifest	spoolsv.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-photoviewer.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_aa23fddc0d4178de.manifest	spoolsv.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-w..essmodel-deployment_31bf3856ad364e35_6.1.7601.17514_none_1e97b98138782a9f.manifest	spoolsv.exe
File opened for modification	C:\Windows\winsxs\x86_system.printing_31bf3856ad364e35_6.1.7601.17514_none_7547cca8d45e66b2\System.Printing.dll	spoolsv.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-w..ywmdmshellextension_31bf3856ad364e35_6.1.7601.17514_none_8ff5b6498cc24750\audiodev.dll	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-a..iles-help.resources_31bf3856ad364e35_6.1.7600.16385_it-it_78b5fdc5a0480aa3\stopwrds.stp	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-l..-startern.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1d33a477a4819f9c\license.rtf	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..interface.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c2301b7ddfc2b852\cmdkey.exe.mui	spoolsv.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-w..veryagent.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0e23a45fb665794e.manifest	spoolsv.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-wpt-perfcore_31bf3856ad364e35_6.3.9600.16428_none_81794ce7f04ffd99.manifest	spoolsv.exe
File opened for modification	C:\Windows\winsxs\Manifests\wow64_microsoft-windows-i..ntication.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3295df835ceafc0b.manifest	spoolsv.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-mspaint.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5ebfd8a8e83ebb2d\mspaint.exe.mui	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..nailcache.resources_31bf3856ad364e35_6.1.7600.16385_it-it_c31a53c507855e31\thumbcache.dll.mui	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_prnle004.inf_31bf3856ad364e35_6.1.7600.16385_none_3c624bcdff41cce3\Amd64\LN3171E3.PPD	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_prnsv004.inf_31bf3856ad364e35_6.1.7600.16385_none_622bdff1f27c66b3\Amd64\SV1332E3.PPD	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_wialx002.inf_31bf3856ad364e35_6.1.7600.16385_none_04a3e5f268636849\lxa1WIA.DLL	spoolsv.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-m..mscli-pro.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0ab672b781f911b8.manifest	spoolsv.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..ets-slideshowgadget_31bf3856ad364e35_6.1.7600.16385_none_253e8c58002c48e1\icon.png	spoolsv.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-utilman.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5f5ad4d6e4612081\Utilman.exe.mui	spoolsv.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\fr\System.Transactions.resources.dll	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_6.1.7601.17514_it-it_ee5384e8731ae742\findUsers.aspx.it.resx	spoolsv.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-profsvc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c2b105891e24eb61_userprofilewmiprovider.mfl_b1cb99f9	spoolsv.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-f..opycompareutilities_31bf3856ad364e35_6.1.7600.16385_none_3575d2dc8edf4a22.manifest	spoolsv.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-s..eparation.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_46f7e138c0b8a66f.manifest	spoolsv.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-n..n-shvhost.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_e6f492d891776b7d.manifest	spoolsv.exe
File opened for modification	C:\Windows\winsxs\Manifests\x86_microsoft-windows-license-oem-homebasic_31bf3856ad364e35_6.1.7600.16385_none_f06cde43fa90969a.manifest	spoolsv.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft.backgroun..nt.module.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_1a0ca3a01119ca4b\about_BITS_Cmdlets.help.txt	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-forfiles.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_d7268e8af6db0ae3\forfiles.exe.mui	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-n..ients-svc.resources_31bf3856ad364e35_6.1.7600.16385_de-de_707013a6e181cb77\polstore.dll.mui	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_prnle004.inf_31bf3856ad364e35_6.1.7600.16385_none_3c624bcdff41cce3\Amd64\LN1394E3.PPD	spoolsv.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_641a5485f7dc7cab.manifest	spoolsv.exe
File opened for modification	C:\Windows\winsxs\FileMaps\program_files_x86_windows_sidebar_gadgets_picturepuzzle.gadget_en-us_js_791c32b58463166b.cdf-ms	spoolsv.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-r..onmanager.resources_31bf3856ad364e35_6.1.7600.16385_it-it_16bc9f3fe70222f8.manifest	spoolsv.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-deviceuxres_31bf3856ad364e35_6.1.7600.16385_none_7c639e00e7a86c14.manifest	spoolsv.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-e..rting-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a5b5f9305b2d73c0.manifest	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_it-it_13dfc4b03a7d762c\flyout.css	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-n..xcorecomp.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_907903f56635f91d\System.Windows.Forms.Resources.dll	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1da743febb1ea38d\about_Windows_PowerShell_2.0.help.txt	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wmi-core-svc.resources_31bf3856ad364e35_6.1.7601.17514_es-es_ea99aa6d431922eb\WMIsvc.dll.mui	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_prnsv002.inf_31bf3856ad364e35_6.1.7600.16385_none_6119bb87c03fede1\Amd64\SV9033.GPD	spoolsv.exe
File opened for modification	C:\Windows\winsxs\Catalogs\d05f3e99016d05ade187bf69d30335a8a2c576782ba8c476970f0b5c70e68c58.cat	spoolsv.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_rdvgwddm.inf.resources_31bf3856ad364e35_6.1.7601.17514_fr-fr_39009965b6e92a0c.manifest	spoolsv.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_server-help-chm.sys_srv.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_7b5510a43647fbde.manifest	spoolsv.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\XPThemes.manifest	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..cy-script.resources_31bf3856ad364e35_6.1.7600.16385_it-it_226b88686bee2384\gpscript.dll.mui	spoolsv.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-resampledmo_31bf3856ad364e35_6.1.7600.16385_none_fb60e757f221f37e\RESAMPLEDMO.DLL	spoolsv.exe
File opened for modification	C:\Windows\winsxs\Backup\amd64_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_zh-tw_22415d369426c24f.manifest	spoolsv.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-t..director-deployment_31bf3856ad364e35_6.1.7601.17514_none_460ec81d0898cbf1.manifest	spoolsv.exe
File opened for modification	C:\Windows\winsxs\Manifests\amd64_microsoft-windows-wsdscanproxy_31bf3856ad364e35_6.1.7600.16385_none_e3615368e2581740.manifest	spoolsv.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-winre-recoveryagent_31bf3856ad364e35_6.1.7601.17514_none_bcd407cfce259313\ReAgent.xml	spoolsv.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-SUA-Package~31bf3856ad364e35~amd64~de-DE~6.1.7601.17514.cat	spoolsv.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kendalcp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2648	schtasks.exe
1416	schtasks.exe
2976	schtasks.exe
1824	schtasks.exe
3020	schtasks.exe
2024	schtasks.exe
2160	schtasks.exe
1324	schtasks.exe
2520	schtasks.exe
328	schtasks.exe
1380	schtasks.exe
1612	schtasks.exe
2356	schtasks.exe
2248	schtasks.exe
1084	schtasks.exe
2656	schtasks.exe
588	schtasks.exe
1956	schtasks.exe
616	schtasks.exe
1196	schtasks.exe
600	schtasks.exe
680	schtasks.exe
1312	schtasks.exe
760	schtasks.exe
2500	schtasks.exe
1776	schtasks.exe
2880	schtasks.exe
2364	schtasks.exe
2044	schtasks.exe
1452	schtasks.exe
840	schtasks.exe
1988	schtasks.exe
1752	schtasks.exe
620	schtasks.exe
2540	schtasks.exe
872	schtasks.exe
1012	schtasks.exe
1004	schtasks.exe
908	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2564	reviewDll.exe
2000	spoolsv.exe
2000	spoolsv.exe
2000	spoolsv.exe
2000	spoolsv.exe
2000	spoolsv.exe
2000	spoolsv.exe
2000	spoolsv.exe
2000	spoolsv.exe
2000	spoolsv.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2000	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2564	reviewDll.exe
Token: SeDebugPrivilege	2000	spoolsv.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2784	2188	XBinderOutput(1).exe	30
PID 2188 wrote to memory of 2784	2188	XBinderOutput(1).exe	30
PID 2188 wrote to memory of 2784	2188	XBinderOutput(1).exe	30
PID 2188 wrote to memory of 2784	2188	XBinderOutput(1).exe	30
PID 2784 wrote to memory of 2944	2784	kendalcp.exe	31
PID 2784 wrote to memory of 2944	2784	kendalcp.exe	31
PID 2784 wrote to memory of 2944	2784	kendalcp.exe	31
PID 2784 wrote to memory of 2944	2784	kendalcp.exe	31
PID 2944 wrote to memory of 2844	2944	WScript.exe	32
PID 2944 wrote to memory of 2844	2944	WScript.exe	32
PID 2944 wrote to memory of 2844	2944	WScript.exe	32
PID 2944 wrote to memory of 2844	2944	WScript.exe	32
PID 2844 wrote to memory of 2564	2844	cmd.exe	34
PID 2844 wrote to memory of 2564	2844	cmd.exe	34
PID 2844 wrote to memory of 2564	2844	cmd.exe	34
PID 2844 wrote to memory of 2564	2844	cmd.exe	34
PID 2564 wrote to memory of 2000	2564	reviewDll.exe	75
PID 2564 wrote to memory of 2000	2564	reviewDll.exe	75
PID 2564 wrote to memory of 2000	2564	reviewDll.exe	75
PID 2000 wrote to memory of 1056	2000	spoolsv.exe	84
PID 2000 wrote to memory of 1056	2000	spoolsv.exe	84
PID 2000 wrote to memory of 1056	2000	spoolsv.exe	84
PID 1056 wrote to memory of 2112	1056	cmd.exe	86
PID 1056 wrote to memory of 2112	1056	cmd.exe	86
PID 1056 wrote to memory of 2112	1056	cmd.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XBinderOutput(1).exe
"C:\Users\Admin\AppData\Local\Temp\XBinderOutput(1).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\kendalcp.exe
  "C:\Users\Admin\AppData\Local\Temp\kendalcp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\blocksavesperfMonitorDll\R7uOS4kiQeNNM8oo5bGADNHtfWe.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\blocksavesperfMonitorDll\SAymW4LctOmWulF1E6221.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\blocksavesperfMonitorDll\reviewDll.exe
        
        "C:\blocksavesperfMonitorDll\reviewDll.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2564
      - C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\spoolsv.exe"
        6⤵
        Modifies WinLogon for persistence
        Drops file in Drivers directory
        Manipulates Digital Signatures
        Boot or Logon Autostart Execution: Print Processors
        Deletes itself
        Executes dropped EXE
        Indicator Removal: Clear Windows Event Logs
        Drops desktop.ini file(s)
        Drops autorun.inf file
        Drops file in System32 directory
        Modifies termsrv.dll
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\QLJ4q7S46F.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Common Files\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\es-ES\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Update\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\AppCompat\Programs\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\AppCompat\Programs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewDllr" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\reviewDll.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewDll" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\reviewDll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewDllr" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\reviewDll.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\taskeng.exe
taskeng.exe {B449CD01-0B1B-4130-B9F5-9443F95B1742} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
1⤵
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "spoolsv" /f
1⤵
- Process spawned unexpected child process
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "spoolsvs" /f
1⤵
- Process spawned unexpected child process
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "spoolsv" /f
1⤵
- Process spawned unexpected child process
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "spoolsvs" /f
1⤵
- Process spawned unexpected child process
PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Print Processors

T1547.012

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Print Processors

T1547.012

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\f3b6ecef712a24

Filesize
449B

MD5
ba025e78cea131b7af8ffeb52ffee200

SHA1
582a10773f338d95c2cf22fc47313e13f77fa100

SHA256
1f2bf4a33737ed3f05ef82e2c73ed0b546e0f57da286a31df6a29d26b7153a3f

SHA512
bc096e931b64242c2f4e4b266c3494078b1494f83c8440fb87adaddae837a680dc9ca8fd8e52b7fc170ed7416660b19e34eb86265398fe0eddd0e2ac66a79104

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\05124c6dd8237f

Filesize
342B

MD5
996b009cbcdbc9d479d3d245a4520640

SHA1
b3ac6c880b235bffa67913217a3b867898db0e43

SHA256
26111f50cd109f821e37e11ace52ead48e29676ba6f52750510d8cdecb7b6602

SHA512
65b9bd451cf84a8329e8382978fad75ff2f8bd4ec3b292715229ef3aa584dc1897e422e76df6209eba3b7ff1279f0300a63eeb7067e9fae21e0ce8fdf9030f2b

Download Submit
C:\Program Files (x86)\Adobe\Reader 9.0\Esl\7a0fd90576e088

Filesize
950B

MD5
c00ef3ed9381ad811e2e5dd94ebb6a5b

SHA1
c177c627db76e196d1fe107507418c761e9f60e2

SHA256
654df55c3a9ad04db94e73980ab12d65fd24bde68c7c0d01a9f9dcc524cd3a7e

SHA512
adba0862c084954675be37d54fd5eb070f467a01bdf2fcb55d2695814bbecdb422019aebc37de75880c3298d7f184bc4856f6a0f491f12e7e4aea01dea7ae049

Download Submit
C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\6cb0b6c459d5d3

Filesize
126B

MD5
85140f9a132b7a0787357c3586a7417f

SHA1
fa0f4b69e259ca87a7d174397e287e7ba3c0c955

SHA256
8a89400a8a08950c7256090476d935897f56d55f2c4860f65130485ecda55f23

SHA512
d344865f98b2812ae3de12eb16ce566a3cd72af7ce7789b06c6b2c5fa8b4cacc9fccc8b1a5f93e150235d2fcde3c3f48908fcb4e9ef93b1f8c0c597752945d94

Download Submit
C:\Program Files (x86)\Google\Update\6ccacd8608530f

Filesize
613B

MD5
28dfef6693d65042f5e2338bf91d98f0

SHA1
82aa03c14ae46f9c45ca427f3aeda40828cdbbaf

SHA256
62d2bd08a5ddb5afc6451d15a1ec0831a86291e1cc68b7e45af472bdfbfbc27f

SHA512
7fb9d45a46103b6d2e836f0009835c02e5eb546c916219f8352e72c5cee4a152e7db1b5a86805a1d8fc640fce4d732694dc47e676d571fb5e368b398d99aebd7

Download Submit
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6ccacd8608530f

Filesize
31B

MD5
21da6a3dcd4ed5cfdb7f903beca787c0

SHA1
6676ad9d2cbefd097bf4e403afac18efb24cdf5b

SHA256
d5f36b545046df25014134fa17d4b38c649ccd4fc70aacac08cbfc71c43cf030

SHA512
536adeb318166beeadde04f017ac270178558c479ebef9beb389dad59d3496989d1ddb18b8ffc2a7288a28c56f9c2b130f2cb6ba395d8f442c75fa0b06c5a6cd

Download Submit
C:\Program Files (x86)\Windows NT\5940a34987c991

Filesize
339B

MD5
9b73328d8450dd2f2547fb9a7da89100

SHA1
592b498d97e2028ad3757f948def08aac86488ad

SHA256
5fef504d1981536ad1f0290a18cfb76d376048a101e343c8ea8fa3b3c742abc5

SHA512
fe08074819e67dfaa758482270d75ed0a53982da8d60eccc609ea7c54733151472d2229569ff688a948988a7edb068b44b731a9009815c5ed6ab029da8395b1b

Download Submit
C:\Program Files\Common Files\56085415360792

Filesize
205B

MD5
59a824c12caf16ccc97c9fb6d0740332

SHA1
dfdbe03ab65af813867f398a89833ecf240fcaf8

SHA256
ca75f6d81834f6102adefbbc12a2efce61e43d87f15f5441d97fa7648492fb3e

SHA512
71301f0116f7a1677a680b4d45379703b32cb993557eaeda765c2724dad2e996a135b455d7f046db5d8ed08d96a47c9b8d9d5243ecf687a558969ced59c73ee4

Download Submit
C:\Program Files\Uninstall Information\5940a34987c991

Filesize
150B

MD5
974a310d5d96cab4eca2b5550bebcd2b

SHA1
28e2ba6b9a3b4ae28bed037e0aa799cf4c340928

SHA256
de03a3dde8183f217b1b21e1020c778b66227301c963381ae69a42393e5b4216

SHA512
215fd6220e4454515beacacc14cc1563b9d2648985963a02072535f51a7e8f9a15bcae376e21f100d81ac1716b07fac4f4dae8647ae7620650e994e35797c10f

Download Submit
C:\Program Files\Windows NT\Accessories\886983d96e3d3e

Filesize
32B

MD5
6df8f96dd421082c8427ba4279461fd1

SHA1
ea297358f312320315667074d999b392e381305c

SHA256
160694735204506dfb2e9b0ec79ab47a8995cd745a66defc3fb5d5c9e07bb000

SHA512
11980c79f292410af9d5b95ace3169d1ece53a299437e130731e394bcd32a771cf40dc1f985f3e9a631ed657cb786e1371cf725246fc423aedf6fd90dffa4199

Download Submit
C:\Program Files\Windows Sidebar\es-ES\f3b6ecef712a24

Filesize
433B

MD5
c7719b30d7e60c8ea3e86cf89396cf13

SHA1
38994c9c896e0316acf40de950aa04953d047c69

SHA256
c9b70b1696ef092eb1596c47f1472c1c9917328ce52ae7555c33a9578f45243a

SHA512
837b8f73f65109f1b7e2a7cf11e8079f309287a76ed562bf493b715d7ffb07cf9bac3ebf5e8df986ebdf7af7b6ee36d107ddbd99721bc5e504bfe0c5dd54c173

Download Submit
C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\42af1c969fbb7b

Filesize
845B

MD5
7f26bbc270c17663e93f7e628723bf9e

SHA1
64435ad9cd85371f818be6b40a660a98667afcf7

SHA256
0b3c250232add398e4af8d525cb957943d34624dd455ccc2d5139eb14740331c

SHA512
15779da5749d0c8c1dbfe120d667526cb5885eaaa7ee1a48d35b3e7693972edd207c18886821ffc58a780379dc53a182821fca8356910ac00f48c15098c5275e

Download Submit
C:\Users\Admin\AppData\Local\Temp\QLJ4q7S46F.bat

Filesize
355B

MD5
9778900948d870e5dd70cb516b1b9747

SHA1
6fb620237c43522b21128f2a195bbbaaaaa5c037

SHA256
f5e4e92da4bfecea8634273c7dab692f68306eacbdde93bcc067568e30d6c232

SHA512
1e6e670b3644e3246d1a75c54108c5f5d0f1c8176946ff0894cc5f2df56b55e2352ea60bbbbb2f2383b46785ff0ee3b30dd94130d6eaa8d8216ec901abde3ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\kendalcp.exe

Filesize
1.1MB

MD5
0d015cc111d53a019e680b0bed11fcad

SHA1
3b3fb6eeba0c2ba286a4db5e850697399ccb5e36

SHA256
2b7365d9634016b0483009225b959692c290a6b17fad133e42434dc89fdf4150

SHA512
c3a7ea551d0151033dde83a3dda1042e8fe26702c84da2b630ecffb739aecb654730bb5f7ec8914189f72ca7d0ecf1352f0ca7effa938bc1d6f0ae56c3358eab

Download Submit
C:\Windows\AppCompat\Programs\5940a34987c991

Filesize
833B

MD5
aa96ffdb8fd70a9949dd8df95ac63b57

SHA1
6418f73a243ee1c8945669682190786d5c4da9c8

SHA256
a26379d44e218188d48968a45383ecbfa0fda3d31de3327bc484ebd5442265f9

SHA512
1b5bdb9afdc6657fd9bbb22fe74136b7aaaffd747e1a2f21caa9d71ef040821f45dab07c6d49777edc668201f7bdfb7fd5feb7a8a13fe9d3e4ba7e2efc846599

Download Submit
C:\blocksavesperfMonitorDll\R7uOS4kiQeNNM8oo5bGADNHtfWe.vbe

Filesize
222B

MD5
a6f295a2e58c722b5935cc905e81fd8b

SHA1
a2a30408197320a639e3e2f18a57fc8578c97b58

SHA256
8bcebca170fc0768cb1afb63f1350d63c3a295b26ca04602e07ec43498b9691c

SHA512
839605d7eadcdc470dd4edd117cedd976cb9f36bf0a636d08afecc6378adadf0fccb80beb44de849b6dfec814845cef8ca83ca171b39c1f6d90d55485bd06635

Download Submit
C:\blocksavesperfMonitorDll\SAymW4LctOmWulF1E6221.bat

Filesize
43B

MD5
7c582abd8874b9cc60df72d62bd86440

SHA1
564e7b01338d08f657f2c02fa8fc5b8dadb92331

SHA256
c5e95b783c6ec1b98a40edf8663370c678de43e9b657e09ca1f054618277b329

SHA512
444cf67666329ea359e221560a229990013af07d1ed074b2406e903c7ee04cf279953ad0726a96c2ca875216da68369dfdde00f905adf1de9ed93b8582bf8828

Download Submit
C:\blocksavesperfMonitorDll\reviewDll.exe

Filesize
828KB

MD5
d9dac9e1d95e84e6aec084cf2ddb3f3a

SHA1
a231a41c7ad994879b15116dcea41fdc09bb5879

SHA256
0fbeb71fb1dfe793eace5ed167f035a8f4bcc6b56d0930b6b97481f2b222b1d5

SHA512
c4aa115de6f61c7311e8654d40537cd1ce08f0fb7efd0a225a42e06ad000ed420ba905e5cc26a19cb56af951ee1441aa257c073c47911a72fff733c0db1c2f9a

Download Submit
memory/2000-55-0x00000000003B0000-0x0000000000486000-memory.dmp

Filesize
856KB

Download
memory/2188-0-0x000007FEF5173000-0x000007FEF5174000-memory.dmp

Filesize
4KB

Download
memory/2188-7-0x000007FEF5170000-0x000007FEF5B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2188-1-0x0000000000130000-0x00000000001CE000-memory.dmp

Filesize
632KB

Download
memory/2564-22-0x0000000001040000-0x0000000001116000-memory.dmp

Filesize
856KB

Download