dcrat | 00d8208f807a5ee119cc66670e639790dc9be238c866778e4abf8f628b142546

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-01-2025 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00d8208f807a5ee119cc66670e639790dc9be238c866778e4abf8f628b142546.exe
Size

8.6MB
MD5

1ea4535c88b03713785f9303d4c522ae
SHA1

ee34a528ff322c5034105b6c6eb97bf13c3567fb
SHA256

00d8208f807a5ee119cc66670e639790dc9be238c866778e4abf8f628b142546
SHA512

3ed3cf5296e8126743945c35f76324db516b503aa3dd62984613b2e522cdd4618fa997f6e339592e4838c53d49ec9269a3ed3e5b7f89e4d7639415ab4c712f0d
SSDEEP

196608:eSFFBadbelmNOxwuLlA1HeT39IigJ1ncKOVVtk7ZZtQcNP+P:l0Wmkqr1+TtIi00VQ/6Z

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Windows\\apppatch\\ja-JP\\fontdrvhost.exe\", \"C:\\Windows\\Prefetch\\sppsvc.exe\", \"C:\\Windows\\ImmersiveControlPanel\\spoolsv.exe\", \"C:\\Windows\\Temp\\MsEdgeCrashpad\\dwm.exe\", \"C:\\MsComcomponentcrtSvc.exe\""	MsComcomponentcrtSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\""	MsComcomponentcrtSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Windows\\apppatch\\ja-JP\\fontdrvhost.exe\""	MsComcomponentcrtSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Windows\\apppatch\\ja-JP\\fontdrvhost.exe\", \"C:\\Windows\\Prefetch\\sppsvc.exe\""	MsComcomponentcrtSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Windows\\apppatch\\ja-JP\\fontdrvhost.exe\", \"C:\\Windows\\Prefetch\\sppsvc.exe\", \"C:\\Windows\\ImmersiveControlPanel\\spoolsv.exe\""	MsComcomponentcrtSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\", \"C:\\Windows\\apppatch\\ja-JP\\fontdrvhost.exe\", \"C:\\Windows\\Prefetch\\sppsvc.exe\", \"C:\\Windows\\ImmersiveControlPanel\\spoolsv.exe\", \"C:\\Windows\\Temp\\MsEdgeCrashpad\\dwm.exe\""	MsComcomponentcrtSvc.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	4244	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	4244	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	4244	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	4244	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	4244	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	4244	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3964	4244	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	4244	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	4244	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	4244	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3804	4244	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	4244	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4048	4244	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3768	4244	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	4244	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	4244	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	4244	schtasks.exe	91
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	4244	schtasks.exe	91

Checks computer location settings 2 TTPs 20 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	BoosterX.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	MsComcomponentcrtSvc.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	MsComcomponentcrtSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	spoolsv.exe

Executes dropped EXE 20 IoCs

pid	Process
1516	BoosterX.exe
3024	MsComcomponentcrtSvc.sfx.exe
2408	MsComcomponentcrtSvc.exe
2980	spoolsv.exe
2656	spoolsv.exe
5032	spoolsv.exe
1584	spoolsv.exe
3160	spoolsv.exe
4632	spoolsv.exe
3684	spoolsv.exe
2660	spoolsv.exe
2020	spoolsv.exe
2988	spoolsv.exe
2804	spoolsv.exe
4048	spoolsv.exe
4028	spoolsv.exe
1232	spoolsv.exe
4304	spoolsv.exe
1148	spoolsv.exe
1600	spoolsv.exe

Loads dropped DLL 2 IoCs

pid	Process
3632	00d8208f807a5ee119cc66670e639790dc9be238c866778e4abf8f628b142546.exe
3632	00d8208f807a5ee119cc66670e639790dc9be238c866778e4abf8f628b142546.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\""	MsComcomponentcrtSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Recovery\\WindowsRE\\StartMenuExperienceHost.exe\""	MsComcomponentcrtSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\apppatch\\ja-JP\\fontdrvhost.exe\""	MsComcomponentcrtSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsComcomponentcrtSvc = "\"C:\\MsComcomponentcrtSvc.exe\""	MsComcomponentcrtSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MsComcomponentcrtSvc = "\"C:\\MsComcomponentcrtSvc.exe\""	MsComcomponentcrtSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\apppatch\\ja-JP\\fontdrvhost.exe\""	MsComcomponentcrtSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\Prefetch\\sppsvc.exe\""	MsComcomponentcrtSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\Prefetch\\sppsvc.exe\""	MsComcomponentcrtSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\ImmersiveControlPanel\\spoolsv.exe\""	MsComcomponentcrtSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Windows\\ImmersiveControlPanel\\spoolsv.exe\""	MsComcomponentcrtSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Temp\\MsEdgeCrashpad\\dwm.exe\""	MsComcomponentcrtSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Windows\\Temp\\MsEdgeCrashpad\\dwm.exe\""	MsComcomponentcrtSvc.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\lhkpi-.exe	csc.exe
File created	\??\c:\Windows\System32\CSCF73CF76A91C44872A6087E9E787FC8A.TMP	csc.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\ImmersiveControlPanel\f3b6ecef712a24	MsComcomponentcrtSvc.exe
File created	C:\Windows\Prefetch\sppsvc.exe	MsComcomponentcrtSvc.exe
File created	C:\Windows\Prefetch\0a1fd5f707cd16	MsComcomponentcrtSvc.exe
File created	C:\Windows\apppatch\ja-JP\fontdrvhost.exe	MsComcomponentcrtSvc.exe
File created	C:\Windows\apppatch\ja-JP\5b884080fd4f94	MsComcomponentcrtSvc.exe
File created	C:\Windows\ServiceState\EventLog\Data\Registry.exe	MsComcomponentcrtSvc.exe
File created	C:\Windows\ImmersiveControlPanel\spoolsv.exe	MsComcomponentcrtSvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 10 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2548	PING.EXE
1956	PING.EXE
3040	PING.EXE
2272	PING.EXE
3064	PING.EXE
4856	PING.EXE
392	PING.EXE
2140	PING.EXE
4912	PING.EXE
1196	PING.EXE

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	MsComcomponentcrtSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	spoolsv.exe

Runs ping.exe 1 TTPs 10 IoCs

Remote System Discovery

T1018

pid	Process
3040	PING.EXE
2272	PING.EXE
3064	PING.EXE
4856	PING.EXE
2548	PING.EXE
1956	PING.EXE
392	PING.EXE
2140	PING.EXE
4912	PING.EXE
1196	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2076	schtasks.exe
1724	schtasks.exe
2324	schtasks.exe
1792	schtasks.exe
4328	schtasks.exe
1336	schtasks.exe
3804	schtasks.exe
4048	schtasks.exe
3768	schtasks.exe
4360	schtasks.exe
4548	schtasks.exe
3964	schtasks.exe
4696	schtasks.exe
4488	schtasks.exe
1564	schtasks.exe
1992	schtasks.exe
1584	schtasks.exe
2616	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2408	MsComcomponentcrtSvc.exe
2980	spoolsv.exe
2980	spoolsv.exe
2980	spoolsv.exe
2980	spoolsv.exe
2980	spoolsv.exe
2980	spoolsv.exe
2980	spoolsv.exe
2980	spoolsv.exe
2980	spoolsv.exe
2980	spoolsv.exe
2980	spoolsv.exe
2980	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2408	MsComcomponentcrtSvc.exe
Token: SeDebugPrivilege	2980	spoolsv.exe
Token: SeDebugPrivilege	2656	spoolsv.exe
Token: SeDebugPrivilege	5032	spoolsv.exe
Token: SeDebugPrivilege	1584	spoolsv.exe
Token: SeDebugPrivilege	3160	spoolsv.exe
Token: SeDebugPrivilege	4632	spoolsv.exe
Token: SeDebugPrivilege	3684	spoolsv.exe
Token: SeDebugPrivilege	2660	spoolsv.exe
Token: SeDebugPrivilege	2020	spoolsv.exe
Token: SeDebugPrivilege	2988	spoolsv.exe
Token: SeDebugPrivilege	2804	spoolsv.exe
Token: SeDebugPrivilege	4048	spoolsv.exe
Token: SeDebugPrivilege	4028	spoolsv.exe
Token: SeDebugPrivilege	1232	spoolsv.exe
Token: SeDebugPrivilege	4304	spoolsv.exe
Token: SeDebugPrivilege	1148	spoolsv.exe
Token: SeDebugPrivilege	1600	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3132 wrote to memory of 3632	3132	00d8208f807a5ee119cc66670e639790dc9be238c866778e4abf8f628b142546.exe	82
PID 3132 wrote to memory of 3632	3132	00d8208f807a5ee119cc66670e639790dc9be238c866778e4abf8f628b142546.exe	82
PID 3632 wrote to memory of 2892	3632	00d8208f807a5ee119cc66670e639790dc9be238c866778e4abf8f628b142546.exe	83
PID 3632 wrote to memory of 2892	3632	00d8208f807a5ee119cc66670e639790dc9be238c866778e4abf8f628b142546.exe	83
PID 2892 wrote to memory of 1516	2892	cmd.exe	85
PID 2892 wrote to memory of 1516	2892	cmd.exe	85
PID 1516 wrote to memory of 4136	1516	BoosterX.exe	86
PID 1516 wrote to memory of 4136	1516	BoosterX.exe	86
PID 4136 wrote to memory of 3024	4136	cmd.exe	89
PID 4136 wrote to memory of 3024	4136	cmd.exe	89
PID 3024 wrote to memory of 2408	3024	MsComcomponentcrtSvc.sfx.exe	90
PID 3024 wrote to memory of 2408	3024	MsComcomponentcrtSvc.sfx.exe	90
PID 2408 wrote to memory of 1508	2408	MsComcomponentcrtSvc.exe	95
PID 2408 wrote to memory of 1508	2408	MsComcomponentcrtSvc.exe	95
PID 1508 wrote to memory of 4876	1508	csc.exe	97
PID 1508 wrote to memory of 4876	1508	csc.exe	97
PID 2408 wrote to memory of 2720	2408	MsComcomponentcrtSvc.exe	113
PID 2408 wrote to memory of 2720	2408	MsComcomponentcrtSvc.exe	113
PID 2720 wrote to memory of 2732	2720	cmd.exe	115
PID 2720 wrote to memory of 2732	2720	cmd.exe	115
PID 2720 wrote to memory of 1956	2720	cmd.exe	116
PID 2720 wrote to memory of 1956	2720	cmd.exe	116
PID 2720 wrote to memory of 2980	2720	cmd.exe	120
PID 2720 wrote to memory of 2980	2720	cmd.exe	120
PID 2980 wrote to memory of 4584	2980	spoolsv.exe	122
PID 2980 wrote to memory of 4584	2980	spoolsv.exe	122
PID 4584 wrote to memory of 992	4584	cmd.exe	124
PID 4584 wrote to memory of 992	4584	cmd.exe	124
PID 4584 wrote to memory of 3040	4584	cmd.exe	125
PID 4584 wrote to memory of 3040	4584	cmd.exe	125
PID 4584 wrote to memory of 2656	4584	cmd.exe	128
PID 4584 wrote to memory of 2656	4584	cmd.exe	128
PID 2656 wrote to memory of 2916	2656	spoolsv.exe	129
PID 2656 wrote to memory of 2916	2656	spoolsv.exe	129
PID 2916 wrote to memory of 4772	2916	cmd.exe	131
PID 2916 wrote to memory of 4772	2916	cmd.exe	131
PID 2916 wrote to memory of 1408	2916	cmd.exe	132
PID 2916 wrote to memory of 1408	2916	cmd.exe	132
PID 2916 wrote to memory of 5032	2916	cmd.exe	134
PID 2916 wrote to memory of 5032	2916	cmd.exe	134
PID 5032 wrote to memory of 4872	5032	spoolsv.exe	135
PID 5032 wrote to memory of 4872	5032	spoolsv.exe	135
PID 4872 wrote to memory of 4904	4872	cmd.exe	137
PID 4872 wrote to memory of 4904	4872	cmd.exe	137
PID 4872 wrote to memory of 392	4872	cmd.exe	138
PID 4872 wrote to memory of 392	4872	cmd.exe	138
PID 4872 wrote to memory of 1584	4872	cmd.exe	140
PID 4872 wrote to memory of 1584	4872	cmd.exe	140
PID 1584 wrote to memory of 4196	1584	spoolsv.exe	141
PID 1584 wrote to memory of 4196	1584	spoolsv.exe	141
PID 4196 wrote to memory of 2108	4196	cmd.exe	143
PID 4196 wrote to memory of 2108	4196	cmd.exe	143
PID 4196 wrote to memory of 2272	4196	cmd.exe	144
PID 4196 wrote to memory of 2272	4196	cmd.exe	144
PID 4196 wrote to memory of 3160	4196	cmd.exe	145
PID 4196 wrote to memory of 3160	4196	cmd.exe	145
PID 3160 wrote to memory of 4892	3160	spoolsv.exe	146
PID 3160 wrote to memory of 4892	3160	spoolsv.exe	146
PID 4892 wrote to memory of 2652	4892	cmd.exe	148
PID 4892 wrote to memory of 2652	4892	cmd.exe	148
PID 4892 wrote to memory of 3064	4892	cmd.exe	149
PID 4892 wrote to memory of 3064	4892	cmd.exe	149
PID 4892 wrote to memory of 4632	4892	cmd.exe	150
PID 4892 wrote to memory of 4632	4892	cmd.exe	150

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\00d8208f807a5ee119cc66670e639790dc9be238c866778e4abf8f628b142546.exe
"C:\Users\Admin\AppData\Local\Temp\00d8208f807a5ee119cc66670e639790dc9be238c866778e4abf8f628b142546.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Users\Admin\AppData\Local\Temp\00d8208f807a5ee119cc66670e639790dc9be238c866778e4abf8f628b142546.exe
  "C:\Users\Admin\AppData\Local\Temp\00d8208f807a5ee119cc66670e639790dc9be238c866778e4abf8f628b142546.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\_MEI31322\BoosterX.exe -p1234
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Users\Admin\AppData\Local\Temp\_MEI31322\BoosterX.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI31322\BoosterX.exe -p1234
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1516
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\1.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4136
      - C:\MsComcomponentcrtSvc.sfx.exe
        
        MsComcomponentcrtSvc.sfx.exe -p1234
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\MsComcomponentcrtSvc.exe
        
        "C:\MsComcomponentcrtSvc.exe"
        7⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4rxmxemg\4rxmxemg.cmdline"
        8⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9848.tmp" "c:\Windows\System32\CSCF73CF76A91C44872A6087E9E787FC8A.TMP"
        9⤵
        
        PID:4876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9n6fQNof7y.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2732
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1956
        
        C:\Windows\ImmersiveControlPanel\spoolsv.exe
        
        "C:\Windows\ImmersiveControlPanel\spoolsv.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uBGyBJCOAj.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:992
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3040
        
        C:\Windows\ImmersiveControlPanel\spoolsv.exe
        
        "C:\Windows\ImmersiveControlPanel\spoolsv.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yY8shRuf5J.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:4772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1408
        
        C:\Windows\ImmersiveControlPanel\spoolsv.exe
        
        "C:\Windows\ImmersiveControlPanel\spoolsv.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7zpOYzElC.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:4904
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:392
        
        C:\Windows\ImmersiveControlPanel\spoolsv.exe
        
        "C:\Windows\ImmersiveControlPanel\spoolsv.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J1i0UIQhNL.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2108
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2272
        
        C:\Windows\ImmersiveControlPanel\spoolsv.exe
        
        "C:\Windows\ImmersiveControlPanel\spoolsv.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CwMiVtjst0.bat"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2652
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3064
        
        C:\Windows\ImmersiveControlPanel\spoolsv.exe
        
        "C:\Windows\ImmersiveControlPanel\spoolsv.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yY8shRuf5J.bat"
        20⤵
        
        PID:2116
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:3052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1232
        
        C:\Windows\ImmersiveControlPanel\spoolsv.exe
        
        "C:\Windows\ImmersiveControlPanel\spoolsv.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v5TcjuvxiT.bat"
        22⤵
        
        PID:2360
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:3568
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2140
        
        C:\Windows\ImmersiveControlPanel\spoolsv.exe
        
        "C:\Windows\ImmersiveControlPanel\spoolsv.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AhXa08j1h6.bat"
        24⤵
        
        PID:1516
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:3668
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4856
        
        C:\Windows\ImmersiveControlPanel\spoolsv.exe
        
        "C:\Windows\ImmersiveControlPanel\spoolsv.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7z2CYqkT7L.bat"
        26⤵
        
        PID:4884
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:5008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:3484
        
        C:\Windows\ImmersiveControlPanel\spoolsv.exe
        
        "C:\Windows\ImmersiveControlPanel\spoolsv.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iOQJjcW06d.bat"
        28⤵
        
        PID:2188
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:1212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:2468
        
        C:\Windows\ImmersiveControlPanel\spoolsv.exe
        
        "C:\Windows\ImmersiveControlPanel\spoolsv.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wevF9pB6YZ.bat"
        30⤵
        
        PID:2108
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:4328
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:4360
        
        C:\Windows\ImmersiveControlPanel\spoolsv.exe
        
        "C:\Windows\ImmersiveControlPanel\spoolsv.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4048
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PdP1UB7pUq.bat"
        32⤵
        
        PID:208
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:4080
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4912
        
        C:\Windows\ImmersiveControlPanel\spoolsv.exe
        
        "C:\Windows\ImmersiveControlPanel\spoolsv.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AhXa08j1h6.bat"
        34⤵
        
        PID:1204
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:3676
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        35⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1196
        
        C:\Windows\ImmersiveControlPanel\spoolsv.exe
        
        "C:\Windows\ImmersiveControlPanel\spoolsv.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1232
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7z2CYqkT7L.bat"
        36⤵
        
        PID:2980
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:2252
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        37⤵
        
        PID:4240
        
        C:\Windows\ImmersiveControlPanel\spoolsv.exe
        
        "C:\Windows\ImmersiveControlPanel\spoolsv.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qTmai1Dpby.bat"
        38⤵
        
        PID:2660
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        39⤵
        
        PID:2024
        
        C:\Windows\ImmersiveControlPanel\spoolsv.exe
        
        "C:\Windows\ImmersiveControlPanel\spoolsv.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fZD0t5NKB6.bat"
        40⤵
        
        PID:3468
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        41⤵
        
        PID:2244
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        41⤵
        
        PID:3016
        
        C:\Windows\ImmersiveControlPanel\spoolsv.exe
        
        "C:\Windows\ImmersiveControlPanel\spoolsv.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J1i0UIQhNL.bat"
        42⤵
        
        PID:3888
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        43⤵
        
        PID:2972
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        43⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\apppatch\ja-JP\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\apppatch\ja-JP\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\apppatch\ja-JP\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\Prefetch\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Prefetch\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\Prefetch\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\ImmersiveControlPanel\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\ImmersiveControlPanel\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\ImmersiveControlPanel\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\Temp\MsEdgeCrashpad\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Temp\MsEdgeCrashpad\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\Temp\MsEdgeCrashpad\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsComcomponentcrtSvcM" /sc MINUTE /mo 9 /tr "'C:\MsComcomponentcrtSvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsComcomponentcrtSvc" /sc ONLOGON /tr "'C:\MsComcomponentcrtSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsComcomponentcrtSvcM" /sc MINUTE /mo 7 /tr "'C:\MsComcomponentcrtSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1.bat

Filesize
54B

MD5
36fe1d3b2cd265e64a4ca66dc061645b

SHA1
d5286bc0407f435aee8c54f381173104dacb5dae

SHA256
c581a6cfb2a124ffd64017fa6d7c486c688e78e9270e0ebc4276bab387a32c33

SHA512
7b034b171ba2aecaa018cff19ba78637ff84b6a46f5b8d7a01c7f52bf7aa527dab2e67e8c7e0d87193f472d13330fd6fe8effa95c999077dbddd2f154830c409

Download Submit
C:\MsComcomponentcrtSvc.exe

Filesize
1.8MB

MD5
9fe6c4565fcad250f0875d5034034e38

SHA1
e05adc73592b367590253e3d40c2556166cfe8c2

SHA256
2cd575fc5079bd2930e7cd0c3a3b648afaa59c7d271d72a94efb50bfb22cc63b

SHA512
26372d76d75ef4608f842dcceab52105cfa56cf070385e223accac9fc4a589eac6d2f0c6277908348e398e35251e2d18f03d47f96c188ada363e0655a6509d54

Download Submit
C:\MsComcomponentcrtSvc.sfx.exe

Filesize
1.8MB

MD5
f764835721fd3997c913edaa6e63cfe6

SHA1
7d87a6f24b36e680596cd417839804a48e9c7ae3

SHA256
95e1b829abd2b2974d7568420dd614a658d219aee4b660bb1fc3901c53ad9b7b

SHA512
1f7630a9acaa962f24c3fc5a867f5e9d47bdd78c3b582a5200ffef93051793d3de9ca67caca2b1888efe8b5719aacc2ccf4ad57b448ab82ecea86017035f2bf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

Filesize
1KB

MD5
f8b2fca3a50771154571c11f1c53887b

SHA1
2e83b0c8e2f4c10b145b7fb4832ed1c78743de3f

SHA256
0efa72802031a8f902c3a4ab18fe3d667dafc71c93eb3a1811e78353ecf4a6b6

SHA512
b98b8d5516593d13415199d4ac6fbe4ff924488487c4bd863cb677601048785d872a3ff30129148e2961cb6fb2fc33117540302980a132f57f7ec9a497813f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z2CYqkT7L.bat

Filesize
220B

MD5
58909f8ffbceaa10f3a0102947d2769a

SHA1
b48a8c45ce203ff14c9dcf0c8089236850ed2d97

SHA256
ff34a6f6f2dbbc61f6ae70e4f783f8d79b7b3d166e76c3e8d10091e910fc4a06

SHA512
dbcd997ff6a648ee6cfa0aa3b849ad9909354ddeeb49bf792177ea7bf6988d3a51b0a20a6f314337c67431e8c441908d23608c407f37754155c5a91f97eaa9f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\9n6fQNof7y.bat

Filesize
172B

MD5
bb13702801df61f9d696fae793b68ae4

SHA1
3fe0131c574efc2c8374f27cc76f1fc88b4a46db

SHA256
1ab29ef9d4ed100d6a696ddd3a4496442dd45cba48e7e9ab4a4c8de70418d010

SHA512
bbab50751c3738dd0b89e941215c3f59e442f7f303fdf8fe36f3c3beaf2c88cd66dd35f9531fff1821a6896bb26a97c2a786e06c8edc05f6271485ac54dc54b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AhXa08j1h6.bat

Filesize
172B

MD5
fdecdaa66829efa0eb11d88247963277

SHA1
da8957cfd9be526c57e7d80b46a712ecc3e76747

SHA256
ce499a4fd43604f6ed432b68a9292311fd53bcb19d25c756a4d4833e47ed9e9c

SHA512
ecdf95f62680b0b8be6b86c9f0ad32a79f4024408d65494a502643b2133f96c7f30630b4e327bca2537ee79a0847abac7446dbefecc9e36d50a655cb092023a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CwMiVtjst0.bat

Filesize
172B

MD5
9acd5319e5cea7539f74491421c569de

SHA1
5b2ad7f3c64453c5f5c4d96ef626d30e85c2da55

SHA256
71f8ec6bce9e07d1595e3a77486efa38d29ccc1f264a00a565ab11d84a33e0d5

SHA512
e0ccfa3e408df5550e053213840cccc63e1c589be40e9923531193666983a4b6eca0da864a6c3b9cd7f532dc9c1edb395bcace0449c00d10557f410ffa055018

Download Submit
C:\Users\Admin\AppData\Local\Temp\J1i0UIQhNL.bat

Filesize
172B

MD5
a9ec38fd192b674e448d05ea07aec30b

SHA1
c61461ee03bce99fcfd7191d9afd3048cd4428a5

SHA256
52c2b3d9f7cd77f7eefa0e80e52f570b3a25632c4d45fca3a7fd5ab9de53b216

SHA512
2aa3db7b0c8ac0114f0944bf19e179bd46e29031bfb19874ac2ce4725ca4de43cb8d9876066ff60ad060dad98401470a59f29d26b930defb9d7c90adc7ac8629

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdP1UB7pUq.bat

Filesize
172B

MD5
65aee3f2e7bc0e7b51386e2d83371003

SHA1
7138c9ff051533be01f1f942cb39d880d6069622

SHA256
d1fe2917fc044123cdf78eb39b5a75a95dccf539be5517107999f0fa5284c254

SHA512
900035bddbe291836f3276d068c3ece1b78043d5e05a44fb1e1416f7f8afef3f783eab38b91e368629394682be4d41f477158142ce0a4739f08b5daeb971c3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9848.tmp

Filesize
1KB

MD5
fe422312a3f9e3f7d6cc48928f2ee3c7

SHA1
1d25ea7caf0117c4d5ec6121d1782e5ebf954145

SHA256
a1c719d0579e1fc16e6ad64728325b79038c9473624958312806cc310cbd1471

SHA512
250d83a81cc4648a0683c5c5a90eb575cd02948c4935cf28d00af524358ea72939d0728eb552c0c53a584f0d79ad7f0069361082f57256237ab14621dd8485ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\T7zpOYzElC.bat

Filesize
172B

MD5
943f1acb5e30a5ce23c0759db6913a33

SHA1
58f89a16ce80eda4085ac29ec7aa7e9d8fd7ccb9

SHA256
18a503eabcfe33ea1ebdee79e8868342df1c3984bf0085e2b2944a0d612b7e56

SHA512
c0f69fb6de1a8ff4dc5f4c483c292cc0650303381785a88b3b2f1eeb1e54d71e036d4feae8c3d54ffe5d6e7ad9a503fe50eaae64b6bcee1a16c096342ea6d8d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31322\BoosterX.exe

Filesize
2.0MB

MD5
07bca6291ca09ee9ae15ad2424063579

SHA1
b975e2cbb5ca257155d2bec47475e042c71dceb9

SHA256
b9d69b3ba71ed3b691ae0b455e3a84443be1aa026f563a9c04e3506b106595e5

SHA512
5b9f315f389eb3671b08c054e18fa13a1a2d2bb4f063168a621ae176214301ed6794d425445fa96d99474d58628abb7e787799363fabaf85392d8119ab1bf4a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31322\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31322\_bz2.pyd

Filesize
83KB

MD5
5bebc32957922fe20e927d5c4637f100

SHA1
a94ea93ee3c3d154f4f90b5c2fe072cc273376b3

SHA256
3ed0e5058d370fb14aa5469d81f96c5685559c054917c7280dd4125f21d25f62

SHA512
afbe80a73ee9bd63d9ffa4628273019400a75f75454667440f43beb253091584bf9128cbb78ae7b659ce67a5faefdba726edb37987a4fe92f082d009d523d5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31322\_decimal.pyd

Filesize
251KB

MD5
492c0c36d8ed1b6ca2117869a09214da

SHA1
b741cae3e2c9954e726890292fa35034509ef0f6

SHA256
b8221d1c9e2c892dd6227a6042d1e49200cd5cb82adbd998e4a77f4ee0e9abf1

SHA512
b8f1c64ad94db0252d96082e73a8632412d1d73fb8095541ee423df6f00bc417a2b42c76f15d7e014e27baae0ef50311c3f768b1560db005a522373f442e4be0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31322\_hashlib.pyd

Filesize
64KB

MD5
da02cefd8151ecb83f697e3bd5280775

SHA1
1c5d0437eb7e87842fde55241a5f0ca7f0fc25e7

SHA256
fd77a5756a17ec0788989f73222b0e7334dd4494b8c8647b43fe554cf3cfb354

SHA512
a13bc5c481730f48808905f872d92cb8729cc52cfb4d5345153ce361e7d6586603a58b964a1ebfd77dd6222b074e5dcca176eaaefecc39f75496b1f8387a2283

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31322\_lzma.pyd

Filesize
156KB

MD5
195defe58a7549117e06a57029079702

SHA1
3795b02803ca37f399d8883d30c0aa38ad77b5f2

SHA256
7bf9ff61babebd90c499a8ed9b62141f947f90d87e0bbd41a12e99d20e06954a

SHA512
c47a9b1066dd9744c51ed80215bd9645aab6cc9d6a3f9df99f618e3dd784f6c7ce6f53eabe222cf134ee649250834193d5973e6e88f8a93151886537c62e2e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31322\_socket.pyd

Filesize
81KB

MD5
dd8ff2a3946b8e77264e3f0011d27704

SHA1
a2d84cfc4d6410b80eea4b25e8efc08498f78990

SHA256
b102522c23dac2332511eb3502466caf842d6bcd092fbc276b7b55e9cc01b085

SHA512
958224a974a3449bcfb97faab70c0a5b594fa130adc0c83b4e15bdd7aab366b58d94a4a9016cb662329ea47558645acd0e0cc6df54f12a81ac13a6ec0c895cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31322\base_library.zip

Filesize
1.3MB

MD5
43935f81d0c08e8ab1dfe88d65af86d8

SHA1
abb6eae98264ee4209b81996c956a010ecf9159b

SHA256
c611943f0aeb3292d049437cb03500cc2f8d12f23faf55e644bca82f43679bc0

SHA512
06a9dcd310aa538664b08f817ec1c6cfa3f748810d76559c46878ea90796804904d41ac79535c7f63114df34c0e5de6d0452bb30df54b77118d925f21cfa1955

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31322\libcrypto-3.dll

Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31322\python312.dll

Filesize
6.6MB

MD5
d521654d889666a0bc753320f071ef60

SHA1
5fd9b90c5d0527e53c199f94bad540c1e0985db6

SHA256
21700f0bad5769a1b61ea408dc0a140ffd0a356a774c6eb0cc70e574b929d2e2

SHA512
7a726835423a36de80fb29ef65dfe7150bd1567cac6f3569e24d9fe091496c807556d0150456429a3d1a6fd2ed0b8ae3128ea3b8674c97f42ce7c897719d2cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31322\select.pyd

Filesize
30KB

MD5
d0cc9fc9a0650ba00bd206720223493b

SHA1
295bc204e489572b74cc11801ed8590f808e1618

SHA256
411d6f538bdbaf60f1a1798fa8aa7ed3a4e8fcc99c9f9f10d21270d2f3742019

SHA512
d3ebcb91d1b8aa247d50c2c4b2ba1bf3102317c593cbf6c63883e8bf9d6e50c0a40f149654797abc5b4f17aee282ddd972a8cd9189bfcd5b9cec5ab9c341e20b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31322\unicodedata.pyd

Filesize
1.1MB

MD5
cc8142bedafdfaa50b26c6d07755c7a6

SHA1
0fcab5816eaf7b138f22c29c6d5b5f59551b39fe

SHA256
bc2cf23b7b7491edcf03103b78dbaf42afd84a60ea71e764af9a1ddd0fe84268

SHA512
c3b0c1dbe5bf159ab7706f314a75a856a08ebb889f53fe22ab3ec92b35b5e211edab3934df3da64ebea76f38eb9bfc9504db8d7546a36bc3cabe40c5599a9cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\fZD0t5NKB6.bat

Filesize
220B

MD5
ff77cfb3acb3a1edcefac36fa70e6b45

SHA1
1ed163986660bf0fd6909f5ce1114ac5651aaaa5

SHA256
bea5d14f567a577a2a2f8456ab43ed2069d47b0ecec922514770521ceac0d744

SHA512
3a93a11698b331d8bbfe5f65e92b64b49e1f74f86381d8624156ff0fe05356657b9fce33d137ef209561eb9c58dcd1d9918ff0c8f14e6de4656a5160fc987d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\iOQJjcW06d.bat

Filesize
220B

MD5
f92d5a62b9e8b7d632649bb583f7d48f

SHA1
534128d2dcfdee12f9429568cf99d37c6a35de34

SHA256
4ce3fe0bcce4e2e41365b6cad522e210b4172c0cee3a828d80966590ad4ff143

SHA512
d0f23b5082d82c7dcde59c034be409e579fe707b4deb64d4e640c5bb9ceef20d097b26c1199a32d89640807fc11c06f1b24059f82e6ae889383007a57dbc65fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qTmai1Dpby.bat

Filesize
220B

MD5
3cd6c563a46d36e1b5b2b462ccf2f6da

SHA1
814081ab0e3d16574fca86b3c231601acc023c8b

SHA256
54e8774dcc1a44a9efad68fa5a71dbf9572f00dce18aeb8ad473834839d3d1b0

SHA512
7844fb21ef1a20c2d06586448b8df553748028de2b951f297fa3883a84df5c2fefc963756a9ee22eab85c3e201883d610cb87e3ae056c27ee43602c7037449c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uBGyBJCOAj.bat

Filesize
172B

MD5
39d8dae1359348b3badcff6b61ea9c75

SHA1
489b0f867414b35212911ae13d40b14d6ee578eb

SHA256
9ba037f3764ba5f19b79b391724d5666f64ee88dd12a93190f88b7f47934c0be

SHA512
b08233e3d027c68c5e41dbe5b4f4c035a14c5f883b1c95c2588b2315d2d8ad8dcceb634d13aab22b9817441b62987ca62d813c3dde9ac0c2c017ec3e5417a63f

Download Submit
C:\Users\Admin\AppData\Local\Temp\v5TcjuvxiT.bat

Filesize
172B

MD5
0c26924ebdbd7a92dbf346e9d6784bb7

SHA1
1831d567f8eb96105785612ac658fd3c2f14267b

SHA256
68511ec5732da706f2edf050643bc926418eadd8a5d8a5a423fd6de50fe71b09

SHA512
ea34a6d4c31deb508d68b52e4fc3e6dca6acd955aaa658584b015942e367f5b95ae46a351872681c8fd7a891af4ca0df79acda7e000c76ebbb3c030159db29d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wevF9pB6YZ.bat

Filesize
220B

MD5
72f91c3cd1f438e10dd38e9eb120be64

SHA1
91e553a67c27682158cd86c0aeeda7419be45495

SHA256
736b1710d538661c395a553f0af5511e0850db9e4a091dbd52fb3f9b7aacf223

SHA512
ed69eb5e04c8e7cd8efc0525dd7df6be5dce24c539fde067882ca27aa1685cc7fba2dd2bbc7fb62ce955c1f0d35dda484b8b7d55d8867ddcba75c3927c6659a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\yY8shRuf5J.bat

Filesize
220B

MD5
f78ff3a51fe421f496aca4fec1bc05d2

SHA1
a95b9f75d7b2477e220f25cfc9b626c500792978

SHA256
6f6a5df34734c0cb10462e0d94e2d6ce1d99161a2e5a187fe38f5d0681872d3d

SHA512
e2a4fe5923e8facea2447fab16b96c404ad4d9bda6e2d7ffa533e18fa480beaf781789d70dfcab704c2ca21acae04aaacf7a607018349369bfadfe3c2331e198

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4rxmxemg\4rxmxemg.0.cs

Filesize
381B

MD5
67a6cfcf80b6de70ce3837ac73f046a6

SHA1
67b2a50d2f852c34364c96f073207444fda1e991

SHA256
451189d23df3842049ae68c5449d907e6961901006dd9bec6fb6c36167aae42b

SHA512
c381378b1dbe8d362e93019f0c19a49dc442112496f45b9f5b3ca0fedd29cd16fb41ae1346064da5da56d248276a680da3cfa4ed8653e06bd199ce6d65f17e6d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4rxmxemg\4rxmxemg.cmdline

Filesize
235B

MD5
1b9b11b73074856bdfe572eb3379064c

SHA1
ef6a1369ce0e2b57906c652b62749f7e285e74f6

SHA256
e6779dce23fc47b933a04579d4d85b3bed40ea70837d0f06d9cb4eec9ad46940

SHA512
a6ed76e2366433e66e58146b60338854f28fd115f877bfc76d384e03f7009b981a7325e3086fa8c9b43121f0240cdf260f384217e9ac46fd777c28b0b4b52a5e

Download Submit
\??\c:\Windows\System32\CSCF73CF76A91C44872A6087E9E787FC8A.TMP

Filesize
1KB

MD5
75e32610d8ef6143201c7c28465fcda9

SHA1
b2bae99fade2dda07aecbe1659d184be0fc4e7a6

SHA256
97ee1cac3965d9cc55a60f20206f384719431f19ac96bdc52b93a98de51a639b

SHA512
b303fb99586efd19a08223ba93472fa6d33fcf9198bbf42fb16ba61001db59e5fd5835ea7696ed34e4004d23fa60697e724e6085d1269d788204bf95dfe46abc

Download Submit
memory/2408-56-0x0000000002B70000-0x0000000002B88000-memory.dmp

Filesize
96KB

Download
memory/2408-54-0x000000001B5B0000-0x000000001B600000-memory.dmp

Filesize
320KB

Download
memory/2408-53-0x0000000002B50000-0x0000000002B6C000-memory.dmp

Filesize
112KB

Download
memory/2408-51-0x0000000001250000-0x000000000125E000-memory.dmp

Filesize
56KB

Download
memory/2408-49-0x0000000000730000-0x0000000000902000-memory.dmp

Filesize
1.8MB

Download