dcrat | 00d8208f807a5ee119cc66670e639790dc9be238c866778e4abf8f628b142546

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2025, 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BoosterX.exe
Size

8.6MB
MD5

1ea4535c88b03713785f9303d4c522ae
SHA1

ee34a528ff322c5034105b6c6eb97bf13c3567fb
SHA256

00d8208f807a5ee119cc66670e639790dc9be238c866778e4abf8f628b142546
SHA512

3ed3cf5296e8126743945c35f76324db516b503aa3dd62984613b2e522cdd4618fa997f6e339592e4838c53d49ec9269a3ed3e5b7f89e4d7639415ab4c712f0d
SSDEEP

196608:eSFFBadbelmNOxwuLlA1HeT39IigJ1ncKOVVtk7ZZtQcNP+P:l0Wmkqr1+TtIi00VQ/6Z

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\lsass.exe\""	MsComcomponentcrtSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\lsass.exe\", \"C:\\Program Files\\Common Files\\Services\\RuntimeBroker.exe\""	MsComcomponentcrtSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\lsass.exe\", \"C:\\Program Files\\Common Files\\Services\\RuntimeBroker.exe\", \"C:\\Program Files\\Internet Explorer\\services.exe\""	MsComcomponentcrtSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\lsass.exe\", \"C:\\Program Files\\Common Files\\Services\\RuntimeBroker.exe\", \"C:\\Program Files\\Internet Explorer\\services.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\""	MsComcomponentcrtSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\lsass.exe\", \"C:\\Program Files\\Common Files\\Services\\RuntimeBroker.exe\", \"C:\\Program Files\\Internet Explorer\\services.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Users\\Admin\\unsecapp.exe\""	MsComcomponentcrtSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office 15\\ClientX64\\lsass.exe\", \"C:\\Program Files\\Common Files\\Services\\RuntimeBroker.exe\", \"C:\\Program Files\\Internet Explorer\\services.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\", \"C:\\Users\\Admin\\unsecapp.exe\", \"C:\\MsComcomponentcrtSvc.exe\""	MsComcomponentcrtSvc.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	1536	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	1536	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	1536	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	1536	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3320	1536	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	1536	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	1536	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	1536	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	1536	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	1536	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	1536	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	1536	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	1536	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	1536	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	1536	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	1536	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	1536	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	1536	schtasks.exe	92

Checks computer location settings 2 TTPs 18 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsComcomponentcrtSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MsComcomponentcrtSvc.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	BoosterX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe

Executes dropped EXE 19 IoCs

pid	Process
4792	BoosterX.exe
2980	MsComcomponentcrtSvc.sfx.exe
2792	MsComcomponentcrtSvc.exe
2148	services.exe
1836	services.exe
1088	services.exe
4516	services.exe
4672	services.exe
1216	services.exe
2808	services.exe
4304	services.exe
4516	services.exe
2388	services.exe
3816	services.exe
2524	services.exe
2764	services.exe
1944	services.exe
4516	services.exe
4456	services.exe

Loads dropped DLL 2 IoCs

pid	Process
3820	BoosterX.exe
3820	BoosterX.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Admin\\unsecapp.exe\""	MsComcomponentcrtSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Microsoft Office 15\\ClientX64\\lsass.exe\""	MsComcomponentcrtSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Common Files\\Services\\RuntimeBroker.exe\""	MsComcomponentcrtSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Common Files\\Services\\RuntimeBroker.exe\""	MsComcomponentcrtSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Internet Explorer\\services.exe\""	MsComcomponentcrtSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Internet Explorer\\services.exe\""	MsComcomponentcrtSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\WindowsRE\\winlogon.exe\""	MsComcomponentcrtSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Admin\\unsecapp.exe\""	MsComcomponentcrtSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsComcomponentcrtSvc = "\"C:\\MsComcomponentcrtSvc.exe\""	MsComcomponentcrtSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsComcomponentcrtSvc = "\"C:\\MsComcomponentcrtSvc.exe\""	MsComcomponentcrtSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Microsoft Office 15\\ClientX64\\lsass.exe\""	MsComcomponentcrtSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\WindowsRE\\winlogon.exe\""	MsComcomponentcrtSvc.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCC5900AE748AE45B3A83EAC225EBFBAF7.TMP	csc.exe
File created	\??\c:\Windows\System32\kpkopw.exe	csc.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\services.exe	MsComcomponentcrtSvc.exe
File created	C:\Program Files\Internet Explorer\c5b4cb5e9653cc	MsComcomponentcrtSvc.exe
File created	C:\Program Files\Common Files\Services\RuntimeBroker.exe	MsComcomponentcrtSvc.exe
File created	C:\Program Files\Common Files\Services\9e8d7a4ca61bd9	MsComcomponentcrtSvc.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\lsass.exe	MsComcomponentcrtSvc.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\6203df4a6bafc7	MsComcomponentcrtSvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\WaaS\services\SearchApp.exe	MsComcomponentcrtSvc.exe
File created	C:\Windows\diagnostics\system\Device\dllhost.exe	MsComcomponentcrtSvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 11 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4760	PING.EXE
4292	PING.EXE
2488	PING.EXE
1076	PING.EXE
3036	PING.EXE
1048	PING.EXE
3988	PING.EXE
2432	PING.EXE
4032	PING.EXE
3548	PING.EXE
4312	PING.EXE

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	MsComcomponentcrtSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe

Runs ping.exe 1 TTPs 11 IoCs

Remote System Discovery

T1018

pid	Process
2488	PING.EXE
4032	PING.EXE
4760	PING.EXE
2432	PING.EXE
3548	PING.EXE
1076	PING.EXE
4312	PING.EXE
3988	PING.EXE
3036	PING.EXE
1048	PING.EXE
4292	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4596	schtasks.exe
3320	schtasks.exe
4032	schtasks.exe
3192	schtasks.exe
1412	schtasks.exe
4772	schtasks.exe
4028	schtasks.exe
1696	schtasks.exe
2696	schtasks.exe
4956	schtasks.exe
2468	schtasks.exe
4296	schtasks.exe
912	schtasks.exe
3988	schtasks.exe
4876	schtasks.exe
1596	schtasks.exe
1836	schtasks.exe
4420	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2792	MsComcomponentcrtSvc.exe
2148	services.exe
2148	services.exe
2148	services.exe
2148	services.exe
2148	services.exe
2148	services.exe
2148	services.exe
2148	services.exe
2148	services.exe
2148	services.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2792	MsComcomponentcrtSvc.exe
Token: SeDebugPrivilege	2148	services.exe
Token: SeDebugPrivilege	1836	services.exe
Token: SeDebugPrivilege	1088	services.exe
Token: SeDebugPrivilege	4516	services.exe
Token: SeDebugPrivilege	4672	services.exe
Token: SeDebugPrivilege	1216	services.exe
Token: SeDebugPrivilege	2808	services.exe
Token: SeDebugPrivilege	4304	services.exe
Token: SeDebugPrivilege	4516	services.exe
Token: SeDebugPrivilege	2388	services.exe
Token: SeDebugPrivilege	3816	services.exe
Token: SeDebugPrivilege	2524	services.exe
Token: SeDebugPrivilege	2764	services.exe
Token: SeDebugPrivilege	1944	services.exe
Token: SeDebugPrivilege	4516	services.exe
Token: SeDebugPrivilege	4456	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 820 wrote to memory of 3820	820	BoosterX.exe	83
PID 820 wrote to memory of 3820	820	BoosterX.exe	83
PID 3820 wrote to memory of 4332	3820	BoosterX.exe	84
PID 3820 wrote to memory of 4332	3820	BoosterX.exe	84
PID 4332 wrote to memory of 4792	4332	cmd.exe	86
PID 4332 wrote to memory of 4792	4332	cmd.exe	86
PID 4792 wrote to memory of 220	4792	BoosterX.exe	87
PID 4792 wrote to memory of 220	4792	BoosterX.exe	87
PID 220 wrote to memory of 2980	220	cmd.exe	90
PID 220 wrote to memory of 2980	220	cmd.exe	90
PID 2980 wrote to memory of 2792	2980	MsComcomponentcrtSvc.sfx.exe	91
PID 2980 wrote to memory of 2792	2980	MsComcomponentcrtSvc.sfx.exe	91
PID 2792 wrote to memory of 1276	2792	MsComcomponentcrtSvc.exe	96
PID 2792 wrote to memory of 1276	2792	MsComcomponentcrtSvc.exe	96
PID 1276 wrote to memory of 4092	1276	csc.exe	98
PID 1276 wrote to memory of 4092	1276	csc.exe	98
PID 2792 wrote to memory of 860	2792	MsComcomponentcrtSvc.exe	114
PID 2792 wrote to memory of 860	2792	MsComcomponentcrtSvc.exe	114
PID 860 wrote to memory of 2692	860	cmd.exe	116
PID 860 wrote to memory of 2692	860	cmd.exe	116
PID 860 wrote to memory of 2488	860	cmd.exe	117
PID 860 wrote to memory of 2488	860	cmd.exe	117
PID 860 wrote to memory of 2148	860	cmd.exe	123
PID 860 wrote to memory of 2148	860	cmd.exe	123
PID 2148 wrote to memory of 3012	2148	services.exe	127
PID 2148 wrote to memory of 3012	2148	services.exe	127
PID 3012 wrote to memory of 1264	3012	cmd.exe	129
PID 3012 wrote to memory of 1264	3012	cmd.exe	129
PID 3012 wrote to memory of 2432	3012	cmd.exe	130
PID 3012 wrote to memory of 2432	3012	cmd.exe	130
PID 3012 wrote to memory of 1836	3012	cmd.exe	136
PID 3012 wrote to memory of 1836	3012	cmd.exe	136
PID 1836 wrote to memory of 5048	1836	services.exe	138
PID 1836 wrote to memory of 5048	1836	services.exe	138
PID 5048 wrote to memory of 3988	5048	cmd.exe	140
PID 5048 wrote to memory of 3988	5048	cmd.exe	140
PID 5048 wrote to memory of 4032	5048	cmd.exe	141
PID 5048 wrote to memory of 4032	5048	cmd.exe	141
PID 5048 wrote to memory of 1088	5048	cmd.exe	146
PID 5048 wrote to memory of 1088	5048	cmd.exe	146
PID 1088 wrote to memory of 4164	1088	services.exe	148
PID 1088 wrote to memory of 4164	1088	services.exe	148
PID 4164 wrote to memory of 5060	4164	cmd.exe	150
PID 4164 wrote to memory of 5060	4164	cmd.exe	150
PID 4164 wrote to memory of 3548	4164	cmd.exe	151
PID 4164 wrote to memory of 3548	4164	cmd.exe	151
PID 4164 wrote to memory of 4516	4164	cmd.exe	153
PID 4164 wrote to memory of 4516	4164	cmd.exe	153
PID 4516 wrote to memory of 2136	4516	services.exe	155
PID 4516 wrote to memory of 2136	4516	services.exe	155
PID 2136 wrote to memory of 3716	2136	cmd.exe	157
PID 2136 wrote to memory of 3716	2136	cmd.exe	157
PID 2136 wrote to memory of 1076	2136	cmd.exe	158
PID 2136 wrote to memory of 1076	2136	cmd.exe	158
PID 2136 wrote to memory of 4672	2136	cmd.exe	160
PID 2136 wrote to memory of 4672	2136	cmd.exe	160
PID 4672 wrote to memory of 944	4672	services.exe	162
PID 4672 wrote to memory of 944	4672	services.exe	162
PID 944 wrote to memory of 3684	944	cmd.exe	164
PID 944 wrote to memory of 3684	944	cmd.exe	164
PID 944 wrote to memory of 4312	944	cmd.exe	165
PID 944 wrote to memory of 4312	944	cmd.exe	165
PID 944 wrote to memory of 1216	944	cmd.exe	168
PID 944 wrote to memory of 1216	944	cmd.exe	168

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\BoosterX.exe
"C:\Users\Admin\AppData\Local\Temp\BoosterX.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:820
- C:\Users\Admin\AppData\Local\Temp\BoosterX.exe
  "C:\Users\Admin\AppData\Local\Temp\BoosterX.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\_MEI8202\BoosterX.exe -p1234
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4332
  - - C:\Users\Admin\AppData\Local\Temp\_MEI8202\BoosterX.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI8202\BoosterX.exe -p1234
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4792
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\1.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:220
      - C:\MsComcomponentcrtSvc.sfx.exe
        
        MsComcomponentcrtSvc.sfx.exe -p1234
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\MsComcomponentcrtSvc.exe
        
        "C:\MsComcomponentcrtSvc.exe"
        7⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\arbfbdwz\arbfbdwz.cmdline"
        8⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA827.tmp" "c:\Windows\System32\CSCC5900AE748AE45B3A83EAC225EBFBAF7.TMP"
        9⤵
        
        PID:4092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uRFxLXVm6V.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2692
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2488
        
        C:\Program Files\Internet Explorer\services.exe
        
        "C:\Program Files\Internet Explorer\services.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qM3gKm3hFC.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1264
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2432
        
        C:\Program Files\Internet Explorer\services.exe
        
        "C:\Program Files\Internet Explorer\services.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HRKp7XGsej.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:3988
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4032
        
        C:\Program Files\Internet Explorer\services.exe
        
        "C:\Program Files\Internet Explorer\services.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RXbe2nqO2a.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:5060
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3548
        
        C:\Program Files\Internet Explorer\services.exe
        
        "C:\Program Files\Internet Explorer\services.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9mWviDJuKI.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:3716
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1076
        
        C:\Program Files\Internet Explorer\services.exe
        
        "C:\Program Files\Internet Explorer\services.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HRKp7XGsej.bat"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:3684
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4312
        
        C:\Program Files\Internet Explorer\services.exe
        
        "C:\Program Files\Internet Explorer\services.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yRPxJCkWkW.bat"
        20⤵
        
        PID:1020
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:3852
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3988
        
        C:\Program Files\Internet Explorer\services.exe
        
        "C:\Program Files\Internet Explorer\services.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ycxw1CWDXu.bat"
        22⤵
        
        PID:4068
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:4460
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3036
        
        C:\Program Files\Internet Explorer\services.exe
        
        "C:\Program Files\Internet Explorer\services.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\otOQMG40sM.bat"
        24⤵
        
        PID:1588
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2792
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:4472
        
        C:\Program Files\Internet Explorer\services.exe
        
        "C:\Program Files\Internet Explorer\services.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PImWX2qXqf.bat"
        26⤵
        
        PID:404
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:3948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1708
        
        C:\Program Files\Internet Explorer\services.exe
        
        "C:\Program Files\Internet Explorer\services.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FxfZ91HAHt.bat"
        28⤵
        
        PID:2944
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:4696
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1048
        
        C:\Program Files\Internet Explorer\services.exe
        
        "C:\Program Files\Internet Explorer\services.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hv8MUNDtDA.bat"
        30⤵
        
        PID:3512
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:4092
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4760
        
        C:\Program Files\Internet Explorer\services.exe
        
        "C:\Program Files\Internet Explorer\services.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EjpRfFHJ5y.bat"
        32⤵
        
        PID:1676
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:3952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:4676
        
        C:\Program Files\Internet Explorer\services.exe
        
        "C:\Program Files\Internet Explorer\services.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2oGrqKSnf6.bat"
        34⤵
        
        PID:3088
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:3632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        35⤵
        
        PID:2236
        
        C:\Program Files\Internet Explorer\services.exe
        
        "C:\Program Files\Internet Explorer\services.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PImWX2qXqf.bat"
        36⤵
        
        PID:2184
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:4380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        37⤵
        
        PID:468
        
        C:\Program Files\Internet Explorer\services.exe
        
        "C:\Program Files\Internet Explorer\services.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XilJTboezA.bat"
        38⤵
        
        PID:5052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:2672
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        39⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4292
        
        C:\Program Files\Internet Explorer\services.exe
        
        "C:\Program Files\Internet Explorer\services.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\Services\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\Services\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Admin\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsComcomponentcrtSvcM" /sc MINUTE /mo 13 /tr "'C:\MsComcomponentcrtSvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsComcomponentcrtSvc" /sc ONLOGON /tr "'C:\MsComcomponentcrtSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsComcomponentcrtSvcM" /sc MINUTE /mo 8 /tr "'C:\MsComcomponentcrtSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1.bat

Filesize
54B

MD5
36fe1d3b2cd265e64a4ca66dc061645b

SHA1
d5286bc0407f435aee8c54f381173104dacb5dae

SHA256
c581a6cfb2a124ffd64017fa6d7c486c688e78e9270e0ebc4276bab387a32c33

SHA512
7b034b171ba2aecaa018cff19ba78637ff84b6a46f5b8d7a01c7f52bf7aa527dab2e67e8c7e0d87193f472d13330fd6fe8effa95c999077dbddd2f154830c409

Download Submit
C:\MsComcomponentcrtSvc.exe

Filesize
1.8MB

MD5
9fe6c4565fcad250f0875d5034034e38

SHA1
e05adc73592b367590253e3d40c2556166cfe8c2

SHA256
2cd575fc5079bd2930e7cd0c3a3b648afaa59c7d271d72a94efb50bfb22cc63b

SHA512
26372d76d75ef4608f842dcceab52105cfa56cf070385e223accac9fc4a589eac6d2f0c6277908348e398e35251e2d18f03d47f96c188ada363e0655a6509d54

Download Submit
C:\MsComcomponentcrtSvc.sfx.exe

Filesize
1.8MB

MD5
f764835721fd3997c913edaa6e63cfe6

SHA1
7d87a6f24b36e680596cd417839804a48e9c7ae3

SHA256
95e1b829abd2b2974d7568420dd614a658d219aee4b660bb1fc3901c53ad9b7b

SHA512
1f7630a9acaa962f24c3fc5a867f5e9d47bdd78c3b582a5200ffef93051793d3de9ca67caca2b1888efe8b5719aacc2ccf4ad57b448ab82ecea86017035f2bf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log

Filesize
1KB

MD5
f8b2fca3a50771154571c11f1c53887b

SHA1
2e83b0c8e2f4c10b145b7fb4832ed1c78743de3f

SHA256
0efa72802031a8f902c3a4ab18fe3d667dafc71c93eb3a1811e78353ecf4a6b6

SHA512
b98b8d5516593d13415199d4ac6fbe4ff924488487c4bd863cb677601048785d872a3ff30129148e2961cb6fb2fc33117540302980a132f57f7ec9a497813f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2oGrqKSnf6.bat

Filesize
223B

MD5
3f45a4adbeee533df053b5f5df987434

SHA1
d9e3ea1c03b7820a1b36eb0e43b19bd04e24fe06

SHA256
48879de93fee91059d7ebdefc378414186ee7c4e5008897aa945b56b3169ed36

SHA512
a8e8dead161f07f7692a3239a0de758249a150e98fe55ad82a0b7fed3b86dd3a75eacab7e7b345cbcb96f4eafc54d4889e82df2d1edfa1de06f19cf85fcbee25

Download Submit
C:\Users\Admin\AppData\Local\Temp\9mWviDJuKI.bat

Filesize
175B

MD5
8a4d659379df69b5b932ac7ca0c721f1

SHA1
a39ee0ff5ce65562adce25abd619b76c13fc74d5

SHA256
c432e33187c35207ce80e58595a1b4528f3a8506baf6ac5173e15335314dd51e

SHA512
ee16841d301dd3157353f1389260c7a33c6970b317088686cd925ecfeb41803ad07349b13c476eab69db58a1301c8ad6e5b6afdc313e528b3f8f18b59fe00966

Download Submit
C:\Users\Admin\AppData\Local\Temp\EjpRfFHJ5y.bat

Filesize
223B

MD5
b2d705c494f2701984a3c591634de52a

SHA1
0175333cca6f1d109963038ee8619a26a9697124

SHA256
78750d4c56215c383197fe803f5c1856ebf06c9019a644389b4aff700853c6a0

SHA512
17418da9bc24c7e957b9be47d8d57cf77b034812b0f797b1415cbe579481020a1e675deba7dc1c7f0b5daa3b8dd1a31933db627cb385f4a342cbbf8dd4fc5f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FxfZ91HAHt.bat

Filesize
175B

MD5
8f2331804e780e35740b5c29ede46389

SHA1
02f3b76f28cb619398686acc34a4d2b32630b16d

SHA256
6d3b15c3c48863f74188d5efb5f4393b9358fc77935ed902ce83a608e249bebd

SHA512
b16353bc203d79723bb9a92ebcd1176d289ef8566f2ce2cd7dcda9c4dfaf1374981866580a1a69f3d14de556309dde055ec0aa15141258a570becd12052a04d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\HRKp7XGsej.bat

Filesize
175B

MD5
0b74c65d2b5ee4937306d075c99a53d5

SHA1
50d724d6d513d96ec417b3c804b1276df0b457ab

SHA256
b7345ef85464efc11280bc21df753e024f2fd897b063a274d920b1e7ac738aa2

SHA512
e40adad5a7b15c0b74e66ef7588034c53bec464ab2e63c8c6d0058d7cb95caea789298956311cbd350deccd37b2ca8f1da9effd2382984d72dad4132754b1788

Download Submit
C:\Users\Admin\AppData\Local\Temp\PImWX2qXqf.bat

Filesize
223B

MD5
114b7c6e429215b448fc784fae67a74f

SHA1
6d82cd6b3a8f2445987d8253b4347198059f26b9

SHA256
6894efdc9da7dc5acfd9bfc292f40b39032303ff5840572d49ae26bbae90bb16

SHA512
9f60a56278db60944d81537a0faf31e6b0ef5335b9f7362819c2acb0784d654dff807088732572db90d41df7220bea42158f484c9baeb5571f744fac73984853

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA827.tmp

Filesize
1KB

MD5
79ecbdd8654338dfee5f1fa59144cb08

SHA1
146d2d119f4b28bc99a493ff5822c7d573ac73c0

SHA256
acd177c87a269381f9c18d41cecc83168d69de7cdfd72670fe0a150cc01ddd40

SHA512
2a96a63575508ced59d7f995a0ed09b5972d85944074a7a5dfeec28b10e629ce86c24471807aaf0f256515f047f0339a3c8f7cc64af275007436c6d621f23bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RXbe2nqO2a.bat

Filesize
175B

MD5
8288df92fb12c4c7d34d4ef9cb5b1b8c

SHA1
002f54e53cc57bc40a47367cd9684825325830d9

SHA256
d86eb4538a0344609f756ad35232c974f470afbdf99418022acac0a465c1dd2a

SHA512
ac9280474fafe8f8d181d57548241d187668d909bde1e96e62f9d9f021129fe7d9fd40cb8dc0462c98e5b2f4721d2df70df517b813cca2bc9c8939bd31530220

Download Submit
C:\Users\Admin\AppData\Local\Temp\XilJTboezA.bat

Filesize
175B

MD5
af958375d2a1ff7a61e8a342ca9f2e02

SHA1
c22427974da748ae37f039a49026615e9761efdd

SHA256
dc67dd18892e740781b1632c5e59b60229f34abce89c3169cd8b656dd746870b

SHA512
436c5e770245ce858d4346e37f44f889bd738dafbf00c6a2e8506b29c6ff34672b312d9b5406f6c4c6fb42f43779fa5d59c3c49b1ccf86ffb0da61dec6f443d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ycxw1CWDXu.bat

Filesize
175B

MD5
4f1f1c4492c671cbb5debfc033536ce6

SHA1
f9fe821fb1b794bbd0f808eb48dead9385ab507e

SHA256
be1686736ce101f15b5bfac3d0c21c0187f5bb317259a4db5b32f4751b7e8723

SHA512
17ea67d119f5dfcedbc36f0a58c654fe68dd0c5e682fe35e56a780a5d231014222995799852e7fbd9f935088777ca7de644ba380f5d6fc14bee59df7f218aeb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8202\BoosterX.exe

Filesize
2.0MB

MD5
07bca6291ca09ee9ae15ad2424063579

SHA1
b975e2cbb5ca257155d2bec47475e042c71dceb9

SHA256
b9d69b3ba71ed3b691ae0b455e3a84443be1aa026f563a9c04e3506b106595e5

SHA512
5b9f315f389eb3671b08c054e18fa13a1a2d2bb4f063168a621ae176214301ed6794d425445fa96d99474d58628abb7e787799363fabaf85392d8119ab1bf4a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8202\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8202\_bz2.pyd

Filesize
83KB

MD5
5bebc32957922fe20e927d5c4637f100

SHA1
a94ea93ee3c3d154f4f90b5c2fe072cc273376b3

SHA256
3ed0e5058d370fb14aa5469d81f96c5685559c054917c7280dd4125f21d25f62

SHA512
afbe80a73ee9bd63d9ffa4628273019400a75f75454667440f43beb253091584bf9128cbb78ae7b659ce67a5faefdba726edb37987a4fe92f082d009d523d5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8202\_decimal.pyd

Filesize
251KB

MD5
492c0c36d8ed1b6ca2117869a09214da

SHA1
b741cae3e2c9954e726890292fa35034509ef0f6

SHA256
b8221d1c9e2c892dd6227a6042d1e49200cd5cb82adbd998e4a77f4ee0e9abf1

SHA512
b8f1c64ad94db0252d96082e73a8632412d1d73fb8095541ee423df6f00bc417a2b42c76f15d7e014e27baae0ef50311c3f768b1560db005a522373f442e4be0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8202\_hashlib.pyd

Filesize
64KB

MD5
da02cefd8151ecb83f697e3bd5280775

SHA1
1c5d0437eb7e87842fde55241a5f0ca7f0fc25e7

SHA256
fd77a5756a17ec0788989f73222b0e7334dd4494b8c8647b43fe554cf3cfb354

SHA512
a13bc5c481730f48808905f872d92cb8729cc52cfb4d5345153ce361e7d6586603a58b964a1ebfd77dd6222b074e5dcca176eaaefecc39f75496b1f8387a2283

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8202\_lzma.pyd

Filesize
156KB

MD5
195defe58a7549117e06a57029079702

SHA1
3795b02803ca37f399d8883d30c0aa38ad77b5f2

SHA256
7bf9ff61babebd90c499a8ed9b62141f947f90d87e0bbd41a12e99d20e06954a

SHA512
c47a9b1066dd9744c51ed80215bd9645aab6cc9d6a3f9df99f618e3dd784f6c7ce6f53eabe222cf134ee649250834193d5973e6e88f8a93151886537c62e2e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8202\_socket.pyd

Filesize
81KB

MD5
dd8ff2a3946b8e77264e3f0011d27704

SHA1
a2d84cfc4d6410b80eea4b25e8efc08498f78990

SHA256
b102522c23dac2332511eb3502466caf842d6bcd092fbc276b7b55e9cc01b085

SHA512
958224a974a3449bcfb97faab70c0a5b594fa130adc0c83b4e15bdd7aab366b58d94a4a9016cb662329ea47558645acd0e0cc6df54f12a81ac13a6ec0c895cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8202\base_library.zip

Filesize
1.3MB

MD5
43935f81d0c08e8ab1dfe88d65af86d8

SHA1
abb6eae98264ee4209b81996c956a010ecf9159b

SHA256
c611943f0aeb3292d049437cb03500cc2f8d12f23faf55e644bca82f43679bc0

SHA512
06a9dcd310aa538664b08f817ec1c6cfa3f748810d76559c46878ea90796804904d41ac79535c7f63114df34c0e5de6d0452bb30df54b77118d925f21cfa1955

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8202\libcrypto-3.dll

Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8202\python312.dll

Filesize
6.6MB

MD5
d521654d889666a0bc753320f071ef60

SHA1
5fd9b90c5d0527e53c199f94bad540c1e0985db6

SHA256
21700f0bad5769a1b61ea408dc0a140ffd0a356a774c6eb0cc70e574b929d2e2

SHA512
7a726835423a36de80fb29ef65dfe7150bd1567cac6f3569e24d9fe091496c807556d0150456429a3d1a6fd2ed0b8ae3128ea3b8674c97f42ce7c897719d2cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8202\select.pyd

Filesize
30KB

MD5
d0cc9fc9a0650ba00bd206720223493b

SHA1
295bc204e489572b74cc11801ed8590f808e1618

SHA256
411d6f538bdbaf60f1a1798fa8aa7ed3a4e8fcc99c9f9f10d21270d2f3742019

SHA512
d3ebcb91d1b8aa247d50c2c4b2ba1bf3102317c593cbf6c63883e8bf9d6e50c0a40f149654797abc5b4f17aee282ddd972a8cd9189bfcd5b9cec5ab9c341e20b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8202\unicodedata.pyd

Filesize
1.1MB

MD5
cc8142bedafdfaa50b26c6d07755c7a6

SHA1
0fcab5816eaf7b138f22c29c6d5b5f59551b39fe

SHA256
bc2cf23b7b7491edcf03103b78dbaf42afd84a60ea71e764af9a1ddd0fe84268

SHA512
c3b0c1dbe5bf159ab7706f314a75a856a08ebb889f53fe22ab3ec92b35b5e211edab3934df3da64ebea76f38eb9bfc9504db8d7546a36bc3cabe40c5599a9cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\hv8MUNDtDA.bat

Filesize
175B

MD5
fd8457312eb059100321e69d94390135

SHA1
e2d7e36ba9f9d833226c50ebf4f16853011fc0ff

SHA256
346898839f8f1320ea82f8bdbbbc8ed5cba1f1311a02c88a1a77bd82f12fc5a4

SHA512
3d893e4e7e7050db509c1c13fc92d29593eee1c265f0ed5f32d0d3948160e63bc30bfa31e8dda4a2bc86b0684e0f10dc44946c61a8a45a9f616a9725eaf28271

Download Submit
C:\Users\Admin\AppData\Local\Temp\otOQMG40sM.bat

Filesize
223B

MD5
9fbaffe81bfbd607c12a796424e3846a

SHA1
3ddfcc54ef402b0bba5bb100a83d6d2f7a4f8714

SHA256
22c54dbe75e7bc06c2be66d9d08d4bdce8e4bba51048e42822c5a2ae914c3695

SHA512
9d8baee8d887d9ce1613c1f349a66880ca623704110983bb95ae6498eabdea1ec0fb82589838882e8361e79e6e4b41eee6620c51ee0097b4a0f8592822ce27c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qM3gKm3hFC.bat

Filesize
175B

MD5
81e4ede0c7fe0defc328fbfce18943bc

SHA1
7189a0c49ff7be9c8e1087bcde3cb0f9829d4cd8

SHA256
f790828f8f9e63fb4ea4334ea093356642c4b60841e9e01780212407e3b10a2f

SHA512
9550bec9bc49df4af8ce83ddf44d766927f71d301d36dcb27c3fd6b2d50f0ba7ce69cf784fa1db9b4c888f206f641b18e34bd4d466354d0d61209f9a00580511

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRFxLXVm6V.bat

Filesize
175B

MD5
10fff664ae7a8c4286496f5e60c70545

SHA1
495e9e086e76fa71d1f8c513b4b145946f983162

SHA256
85e12733a9858c2fbf88ae07806c21c685035f44c0be48a10b1c22b795f10b2b

SHA512
a9ce84af780dff8d94e5a3d6aefe1cabd442bd7e5148c8551d0dccd40f96a5541499fd9b0ff6a5d9cd9ffe7994c284fff12c7cb6bc406a41842fb320eac590f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\yRPxJCkWkW.bat

Filesize
175B

MD5
6952bcb39c823226603f6b75c73213b5

SHA1
b78dd215abdb8a9bcca5bf555ed2d1c449b1807c

SHA256
6b35f70d1159c8c1afa039412a7e7eb63ffb829eef4ce6a70b49af2b1e66969b

SHA512
32d2a187e87a9c9dee39ad9ad17f0899a4ee86262a1022ec2dfc9a9fdb3e1fd508870f9f53ea07934acf1f092cf5b3aaa10be3bab401edc4f60b263133c3e109

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\arbfbdwz\arbfbdwz.0.cs

Filesize
388B

MD5
4a60cfa72496ad4c6cad2dc84649d61a

SHA1
8391cec7cb29081d4750ecfe535a71187fe2196a

SHA256
5e4505e85dc7d08352da15909b6b621b90aa94eeb9bef94cc498fd975cd4b2ff

SHA512
7588edf5251e3027d6b5d57df00f67c04fe4ecefb02928e9ebd882f01d1500362d3c8c383d90f1c4a1f0a51feec532dd29cb9a9fb20993569aae642ceb902d95

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\arbfbdwz\arbfbdwz.cmdline

Filesize
235B

MD5
ab1eab60c7fe721a3764ff4744de45a4

SHA1
d42a0a96ad9414f071c7b3c03145d1eb385985ba

SHA256
c146c4b67044cc9a0f760822bf91a3f60e1a49e9b25b2fe64492e033846553fe

SHA512
f24b3fac34e7d80c97e33697ef41c60ee17f6d4fa2418dd6d864bbb8d7b9bf769dcab59d5372fbeb8cb23d7c586264f900f476749cc43192d70ac3414de51a34

Download Submit
\??\c:\Windows\System32\CSCC5900AE748AE45B3A83EAC225EBFBAF7.TMP

Filesize
1KB

MD5
7bbfaf1199741b237d2493615c95c6d7

SHA1
86d466217c4dc1e0808f83ceda8f4b4df948b5dc

SHA256
e20e4619dbc932a216fd93f86fe0af2e915f4c2ba6177fc3581da59885094476

SHA512
2eda9bf71dc4a4583b7b8e9a6aab0f91d98cca68ee4309df1a4d26541917678da09a15d712397ae4b95fe95b65c8aa6eeab94d7620a5546b3df6c00306ef4a5c

Download Submit
memory/2792-51-0x0000000001440000-0x000000000144E000-memory.dmp

Filesize
56KB

Download
memory/2792-49-0x0000000000B40000-0x0000000000D12000-memory.dmp

Filesize
1.8MB

Download
memory/2792-53-0x000000001BC90000-0x000000001BCAC000-memory.dmp

Filesize
112KB

Download
memory/2792-54-0x000000001BD00000-0x000000001BD50000-memory.dmp

Filesize
320KB

Download
memory/2792-56-0x000000001BCB0000-0x000000001BCC8000-memory.dmp

Filesize
96KB

Download