e564512cd804822bb78cb0a81de39833e283d1a26fc1c3e81402a75c98eb4e0d

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

315e0272c25fcf22ac2b4023f6e9d02f.exe
Size

2.1MB
MD5

315e0272c25fcf22ac2b4023f6e9d02f
SHA1

c5d91607832ff900ac945ae9d030204e4de747f2
SHA256

e564512cd804822bb78cb0a81de39833e283d1a26fc1c3e81402a75c98eb4e0d
SHA512

b3b791cf698a333cf099aa298cd2838a7d6b8564252d48e8ef4a283efcaaa463ea8a5cfbc0f3bad9812050f22b66947e1fcbd1f53e075747532c568ed0078522
SSDEEP

49152:IBJTPdd11t3B0ks2MOavodMFf6obivfxI4R8Q:ydPdbL3B/4OaQiA1vfxI4R8Q

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

AgentmonitorSvc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\""	AgentmonitorSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\PortContainerdhcp\\dllhost.exe\""	AgentmonitorSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\PortContainerdhcp\\dllhost.exe\", \"C:\\Program Files\\Java\\sppsvc.exe\""	AgentmonitorSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\PortContainerdhcp\\dllhost.exe\", \"C:\\Program Files\\Java\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\""	AgentmonitorSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\PortContainerdhcp\\dllhost.exe\", \"C:\\Program Files\\Java\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\PortContainerdhcp\\StartMenuExperienceHost.exe\""	AgentmonitorSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\PortContainerdhcp\\dllhost.exe\", \"C:\\Program Files\\Java\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\PortContainerdhcp\\StartMenuExperienceHost.exe\", \"C:\\PortContainerdhcp\\AgentmonitorSvc.exe\""	AgentmonitorSvc.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4180	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3828	4772	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3612	4772	schtasks.exe

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sppsvc.exesppsvc.exesppsvc.exe315e0272c25fcf22ac2b4023f6e9d02f.exeWScript.exesppsvc.exesppsvc.exesppsvc.exeAgentmonitorSvc.exesppsvc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	315e0272c25fcf22ac2b4023f6e9d02f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	AgentmonitorSvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	sppsvc.exe

Executes dropped EXE 8 IoCs

Processes:

AgentmonitorSvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

pid process

3504 AgentmonitorSvc.exe
2196 sppsvc.exe
3368 sppsvc.exe
3572 sppsvc.exe
2228 sppsvc.exe
4200 sppsvc.exe
1980 sppsvc.exe
2068 sppsvc.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

AgentmonitorSvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\PortContainerdhcp\\dllhost.exe\""	AgentmonitorSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\PortContainerdhcp\\dllhost.exe\""	AgentmonitorSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Java\\sppsvc.exe\""	AgentmonitorSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\WindowsRE\\sppsvc.exe\""	AgentmonitorSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\PortContainerdhcp\\StartMenuExperienceHost.exe\""	AgentmonitorSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AgentmonitorSvc = "\"C:\\PortContainerdhcp\\AgentmonitorSvc.exe\""	AgentmonitorSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\""	AgentmonitorSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\""	AgentmonitorSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Java\\sppsvc.exe\""	AgentmonitorSvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\WindowsRE\\sppsvc.exe\""	AgentmonitorSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\PortContainerdhcp\\StartMenuExperienceHost.exe\""	AgentmonitorSvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AgentmonitorSvc = "\"C:\\PortContainerdhcp\\AgentmonitorSvc.exe\""	AgentmonitorSvc.exe

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description ioc process

File created \??\c:\Windows\System32\CSC59B6B8E38F8E4C2C96D771E25B19419F.TMP csc.exe
File created \??\c:\Windows\System32\rpvymf.exe csc.exe
Drops file in Program Files directory 2 IoCs

Processes:

AgentmonitorSvc.exe

description ioc process

File created C:\Program Files\Java\sppsvc.exe AgentmonitorSvc.exe
File created C:\Program Files\Java\0a1fd5f707cd16 AgentmonitorSvc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	\??\c:\Windows\System32\CSC59B6B8E38F8E4C2C96D771E25B19419F.TMP	csc.exe
File created	\??\c:\Windows\System32\rpvymf.exe	csc.exe

description	ioc	process
File created	C:\Program Files\Java\sppsvc.exe	AgentmonitorSvc.exe
File created	C:\Program Files\Java\0a1fd5f707cd16	AgentmonitorSvc.exe

Modifies registry class 9 IoCs

Processes:

AgentmonitorSvc.exesppsvc.exesppsvc.exesppsvc.exe315e0272c25fcf22ac2b4023f6e9d02f.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	AgentmonitorSvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	315e0272c25fcf22ac2b4023f6e9d02f.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	sppsvc.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1556 reg.exe
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

1980 PING.EXE
1212 PING.EXE
1008 PING.EXE

pid	process
1556	reg.exe

pid	process
1980	PING.EXE
1212	PING.EXE
1008	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
316	schtasks.exe
2452	schtasks.exe
2032	schtasks.exe
4192	schtasks.exe
2624	schtasks.exe
436	schtasks.exe
3736	schtasks.exe
2272	schtasks.exe
3828	schtasks.exe
4180	schtasks.exe
2168	schtasks.exe
3596	schtasks.exe
4628	schtasks.exe
1900	schtasks.exe
1804	schtasks.exe
3612	schtasks.exe
4528	schtasks.exe
2156	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AgentmonitorSvc.exesppsvc.exe

pid	process
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
3504	AgentmonitorSvc.exe
2196	sppsvc.exe
2196	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

AgentmonitorSvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exesppsvc.exe

description	pid	process
Token: SeDebugPrivilege	3504	AgentmonitorSvc.exe
Token: SeDebugPrivilege	2196	sppsvc.exe
Token: SeDebugPrivilege	3368	sppsvc.exe
Token: SeDebugPrivilege	3572	sppsvc.exe
Token: SeDebugPrivilege	2228	sppsvc.exe
Token: SeDebugPrivilege	4200	sppsvc.exe
Token: SeDebugPrivilege	1980	sppsvc.exe
Token: SeDebugPrivilege	2068	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

315e0272c25fcf22ac2b4023f6e9d02f.exeWScript.execmd.exeAgentmonitorSvc.execsc.execmd.exesppsvc.execmd.exesppsvc.execmd.exesppsvc.execmd.exesppsvc.execmd.exesppsvc.execmd.exesppsvc.exe

description	pid	process	target process
PID 2524 wrote to memory of 600	2524	315e0272c25fcf22ac2b4023f6e9d02f.exe	WScript.exe
PID 2524 wrote to memory of 600	2524	315e0272c25fcf22ac2b4023f6e9d02f.exe	WScript.exe
PID 2524 wrote to memory of 600	2524	315e0272c25fcf22ac2b4023f6e9d02f.exe	WScript.exe
PID 600 wrote to memory of 2964	600	WScript.exe	cmd.exe
PID 600 wrote to memory of 2964	600	WScript.exe	cmd.exe
PID 600 wrote to memory of 2964	600	WScript.exe	cmd.exe
PID 2964 wrote to memory of 1556	2964	cmd.exe	reg.exe
PID 2964 wrote to memory of 1556	2964	cmd.exe	reg.exe
PID 2964 wrote to memory of 1556	2964	cmd.exe	reg.exe
PID 2964 wrote to memory of 3504	2964	cmd.exe	AgentmonitorSvc.exe
PID 2964 wrote to memory of 3504	2964	cmd.exe	AgentmonitorSvc.exe
PID 3504 wrote to memory of 2908	3504	AgentmonitorSvc.exe	csc.exe
PID 3504 wrote to memory of 2908	3504	AgentmonitorSvc.exe	csc.exe
PID 2908 wrote to memory of 4176	2908	csc.exe	cvtres.exe
PID 2908 wrote to memory of 4176	2908	csc.exe	cvtres.exe
PID 3504 wrote to memory of 5096	3504	AgentmonitorSvc.exe	cmd.exe
PID 3504 wrote to memory of 5096	3504	AgentmonitorSvc.exe	cmd.exe
PID 5096 wrote to memory of 2460	5096	cmd.exe	chcp.com
PID 5096 wrote to memory of 2460	5096	cmd.exe	chcp.com
PID 5096 wrote to memory of 1980	5096	cmd.exe	PING.EXE
PID 5096 wrote to memory of 1980	5096	cmd.exe	PING.EXE
PID 5096 wrote to memory of 2196	5096	cmd.exe	sppsvc.exe
PID 5096 wrote to memory of 2196	5096	cmd.exe	sppsvc.exe
PID 2196 wrote to memory of 3724	2196	sppsvc.exe	cmd.exe
PID 2196 wrote to memory of 3724	2196	sppsvc.exe	cmd.exe
PID 3724 wrote to memory of 2092	3724	cmd.exe	chcp.com
PID 3724 wrote to memory of 2092	3724	cmd.exe	chcp.com
PID 3724 wrote to memory of 1140	3724	cmd.exe	w32tm.exe
PID 3724 wrote to memory of 1140	3724	cmd.exe	w32tm.exe
PID 3724 wrote to memory of 3368	3724	cmd.exe	sppsvc.exe
PID 3724 wrote to memory of 3368	3724	cmd.exe	sppsvc.exe
PID 3368 wrote to memory of 1408	3368	sppsvc.exe	cmd.exe
PID 3368 wrote to memory of 1408	3368	sppsvc.exe	cmd.exe
PID 1408 wrote to memory of 996	1408	cmd.exe	chcp.com
PID 1408 wrote to memory of 996	1408	cmd.exe	chcp.com
PID 1408 wrote to memory of 348	1408	cmd.exe	w32tm.exe
PID 1408 wrote to memory of 348	1408	cmd.exe	w32tm.exe
PID 1408 wrote to memory of 3572	1408	cmd.exe	sppsvc.exe
PID 1408 wrote to memory of 3572	1408	cmd.exe	sppsvc.exe
PID 3572 wrote to memory of 2408	3572	sppsvc.exe	cmd.exe
PID 3572 wrote to memory of 2408	3572	sppsvc.exe	cmd.exe
PID 2408 wrote to memory of 2752	2408	cmd.exe	chcp.com
PID 2408 wrote to memory of 2752	2408	cmd.exe	chcp.com
PID 2408 wrote to memory of 1504	2408	cmd.exe	w32tm.exe
PID 2408 wrote to memory of 1504	2408	cmd.exe	w32tm.exe
PID 2408 wrote to memory of 2228	2408	cmd.exe	sppsvc.exe
PID 2408 wrote to memory of 2228	2408	cmd.exe	sppsvc.exe
PID 2228 wrote to memory of 316	2228	sppsvc.exe	cmd.exe
PID 2228 wrote to memory of 316	2228	sppsvc.exe	cmd.exe
PID 316 wrote to memory of 808	316	cmd.exe	chcp.com
PID 316 wrote to memory of 808	316	cmd.exe	chcp.com
PID 316 wrote to memory of 1212	316	cmd.exe	PING.EXE
PID 316 wrote to memory of 1212	316	cmd.exe	PING.EXE
PID 316 wrote to memory of 4200	316	cmd.exe	sppsvc.exe
PID 316 wrote to memory of 4200	316	cmd.exe	sppsvc.exe
PID 4200 wrote to memory of 1156	4200	sppsvc.exe	cmd.exe
PID 4200 wrote to memory of 1156	4200	sppsvc.exe	cmd.exe
PID 1156 wrote to memory of 3788	1156	cmd.exe	chcp.com
PID 1156 wrote to memory of 3788	1156	cmd.exe	chcp.com
PID 1156 wrote to memory of 1008	1156	cmd.exe	PING.EXE
PID 1156 wrote to memory of 1008	1156	cmd.exe	PING.EXE
PID 1156 wrote to memory of 1980	1156	cmd.exe	sppsvc.exe
PID 1156 wrote to memory of 1980	1156	cmd.exe	sppsvc.exe
PID 1980 wrote to memory of 2296	1980	sppsvc.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\315e0272c25fcf22ac2b4023f6e9d02f.exe
"C:\Users\Admin\AppData\Local\Temp\315e0272c25fcf22ac2b4023f6e9d02f.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\PortContainerdhcp\AapWJ8OdgRI5ePB4uiL5KTMmYWkrnvGGYGk6ZysW03KsiwYhlXR.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\PortContainerdhcp\B3U7B7.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
4⤵
- Modifies registry key
PID:1556

C:\PortContainerdhcp\AgentmonitorSvc.exe
"C:\PortContainerdhcp/AgentmonitorSvc.exe"
4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3504

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0evqb0uc\0evqb0uc.cmdline"
5⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2908

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES566D.tmp" "c:\Windows\System32\CSC59B6B8E38F8E4C2C96D771E25B19419F.TMP"
6⤵
PID:4176

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LyTXQ9bZ9h.bat"
5⤵
- Suspicious use of WriteProcessMemory
PID:5096

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:2460

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:1980

C:\Program Files\Java\sppsvc.exe
"C:\Program Files\Java\sppsvc.exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UeH86Hd8X1.bat"
7⤵
- Suspicious use of WriteProcessMemory
PID:3724

C:\Windows\system32\chcp.com
chcp 65001
8⤵
PID:2092

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
8⤵
PID:1140

C:\Program Files\Java\sppsvc.exe
"C:\Program Files\Java\sppsvc.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3368

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\abWCzBUFCD.bat"
9⤵
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\system32\chcp.com
chcp 65001
10⤵
PID:996

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
10⤵
PID:348

C:\Program Files\Java\sppsvc.exe
"C:\Program Files\Java\sppsvc.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3572

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X8rw0eVXoN.bat"
11⤵
- Suspicious use of WriteProcessMemory
PID:2408

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:2752

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
12⤵
PID:1504

C:\Program Files\Java\sppsvc.exe
"C:\Program Files\Java\sppsvc.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\upHCHH0RIK.bat"
13⤵
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\system32\chcp.com
chcp 65001
14⤵
PID:808

C:\Windows\system32\PING.EXE
ping -n 10 localhost
14⤵
- Runs ping.exe
PID:1212

C:\Program Files\Java\sppsvc.exe
"C:\Program Files\Java\sppsvc.exe"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4200

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DFkRehGdMQ.bat"
15⤵
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\system32\chcp.com
chcp 65001
16⤵
PID:3788

C:\Windows\system32\PING.EXE
ping -n 10 localhost
16⤵
- Runs ping.exe
PID:1008

C:\Program Files\Java\sppsvc.exe
"C:\Program Files\Java\sppsvc.exe"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eJ0bRSTnly.bat"
17⤵
PID:2296

C:\Windows\system32\chcp.com
chcp 65001
18⤵
PID:4704

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
18⤵
PID:2292

C:\Program Files\Java\sppsvc.exe
"C:\Program Files\Java\sppsvc.exe"
18⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r7mooz1sjZ.bat"
19⤵
PID:2508

C:\Windows\system32\chcp.com
chcp 65001
20⤵
PID:3772

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
20⤵
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\PortContainerdhcp\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\PortContainerdhcp\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\PortContainerdhcp\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Java\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\PortContainerdhcp\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\PortContainerdhcp\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\PortContainerdhcp\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "AgentmonitorSvcA" /sc MINUTE /mo 9 /tr "'C:\PortContainerdhcp\AgentmonitorSvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "AgentmonitorSvc" /sc ONLOGON /tr "'C:\PortContainerdhcp\AgentmonitorSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "AgentmonitorSvcA" /sc MINUTE /mo 12 /tr "'C:\PortContainerdhcp\AgentmonitorSvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3612

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PortContainerdhcp\AapWJ8OdgRI5ePB4uiL5KTMmYWkrnvGGYGk6ZysW03KsiwYhlXR.vbe
Filesize
212B

MD5
e45367c7c8d8b48cb95c0435542ced32

SHA1
b9943a98ac59cc77ba9a8a1506ccec234decc2d0

SHA256
b6d021a7f89875f3f34cc565bf7bc46d6a7e0f00837281e7106738a7cea54d68

SHA512
67b5c1904e8592a90166ed27e5ae3211add2d1cac3ac13447b28749d6fb5c0aef7ea2b152a102e89845d926d10dc749ae9812717d77da5732295bd6c4692b2af

Download Submit
C:\PortContainerdhcp\AgentmonitorSvc.exe
Filesize
1.8MB

MD5
b3c40f02fd5de8f3d6879868965241ac

SHA1
f8f600aa7dfa91b91e327264e8ca6c5cb28fe877

SHA256
60c2806a3fbf26b6de8457f8cc4040a25a52ec2f222de938aaee3d402de010c2

SHA512
fbfe0fac2dc53215c72a1265e0fc335c983270ef3ecba7893ecdeda283e03713c31bc607f20593e838aba8dec35ce5dc2ced63f8e72526c47864578454a00fa0

Download Submit
C:\PortContainerdhcp\B3U7B7.bat
Filesize
220B

MD5
d3988f3dce0461b3f5618c74ff9805ce

SHA1
4884569eb70550373ca220ba37d9c19c90a795fd

SHA256
8345b3c447b9512bce7dd8989a10d8dcd35bce4893a08d472d28d39e5052a3b0

SHA512
2a1bcb3bd3183230cfb438782089ee12640b644193efe1eb6b5043745b648097a3d8504dbb2776a960a160d5f2d206688d73645cb615ef2fd1d588dee7542fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sppsvc.exe.log
Filesize
1KB

MD5
f8b2fca3a50771154571c11f1c53887b

SHA1
2e83b0c8e2f4c10b145b7fb4832ed1c78743de3f

SHA256
0efa72802031a8f902c3a4ab18fe3d667dafc71c93eb3a1811e78353ecf4a6b6

SHA512
b98b8d5516593d13415199d4ac6fbe4ff924488487c4bd863cb677601048785d872a3ff30129148e2961cb6fb2fc33117540302980a132f57f7ec9a497813f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DFkRehGdMQ.bat
Filesize
160B

MD5
e6136789d5c4cb68dd08b240c28e430b

SHA1
fc4e0b5888618e25a07ffbbf6bb49f063a0a0271

SHA256
9c1723b52a88197f4bb57fd3760e2fceada841c7b4cc19cfa6f22db8181a6620

SHA512
55ba803cd70111bca02c1c8506f7272c68171663d8a3b6ccd5be68e970ae158d5706c6f6e18137413c70ae367b18a08b9ee755da5f7df402dd047521de393001

Download Submit
C:\Users\Admin\AppData\Local\Temp\LyTXQ9bZ9h.bat
Filesize
160B

MD5
80cfc94f36404d078979f5581cbc0084

SHA1
04ed94e6fbe6c766e7212b285fcfa6c6ad1b2b63

SHA256
e29ce841c64795692d14f68ff5a0d3e6229e7704a57e7a0d06772c28d8f0314d

SHA512
531e940c5f4af52d122cde1646cf1d70fd23727a7a6aed6df0f3e455d04828a70977bc0da9dc7f62df3fb6927a878b0e8e16f48c9c83e52afc7b7bfeb9bf258a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES566D.tmp
Filesize
1KB

MD5
f6683401360a9861650fa5f62ad5188b

SHA1
3ced806746bcbb2cb0025c9302e144bb6e326831

SHA256
521b515ed1458153ccc58bb710b54fb471d3058662dfbd754b5cddee5839a37d

SHA512
9d7e69b6ff05ab69a2fb4ed5877f13a06795032c06db60e32e44fdf0cb0de8222426f11d38c8fa2d21a7694f67d58922a5e1be4b8804f75fd46ececf5625a3f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\UeH86Hd8X1.bat
Filesize
208B

MD5
9fec967e7e12364892fa43453af98ebc

SHA1
788879dd0e0b9f7addba540d544b3de4d53560cd

SHA256
897bcfa43e96f1cb2257b461e944b01288e14ee5b257717dd73a83625a0efd73

SHA512
3cf3495678ec80a0f955307649ae6a40df05f8f1152b2c01c834e8d64eabda948e667992e854ac2b5d682d876048bac00262c5de0426eea17d07000cb563b8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\X8rw0eVXoN.bat
Filesize
208B

MD5
0ed839deadc6a030e7a74180089fcdc9

SHA1
c14ca0aa1ac16e53d09922a5e4941697d269f154

SHA256
9ff75434475037bc854adcdad25361526adaef6a4e2e64edd58dad95d394db11

SHA512
3f6480c1bbd47f06fb849071c410312dc89f4bcc723e7a529856a11435246b47194585b175ae6906434034ab0ddb01ac86588a6c82c21beef1dbe1bab01810c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\abWCzBUFCD.bat
Filesize
208B

MD5
08744d1960b9cae83d59e4435d61a048

SHA1
668518f401a5ce4c888f1a52827db98b79fbbdd0

SHA256
b2d4f68ae03b84880de5c16130ef579e31692cccf18b201072eb9010ad290c5c

SHA512
f10efe662f5c6d5d4d8b499f28e37059c2fb40aabd19de23908f45ffcc19011684a1bb69d6324205f871ee9ad57b1cdb3b15cad52701da586f1ccf853edfce13

Download Submit
C:\Users\Admin\AppData\Local\Temp\eJ0bRSTnly.bat
Filesize
208B

MD5
30b11651ce9b04e0820eedf3c5f644c4

SHA1
04f70e38e7696dd264ed066dcdcd0299e1a25847

SHA256
ea0d566bf737c2f28ab7ecb86fd70d1030861ce8882eca023c5fc27d7f819d0d

SHA512
7bfbcff4144fcac3f7873bc7fbcdf69e4d634e2217666f76fe1bd865382ef1bba025cc63c324f5eff049564ae7e0215cbdf08417fd119774a8eb114e51a7a2b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\r7mooz1sjZ.bat
Filesize
208B

MD5
34bc11b58e69cfad222d94ec41a2cabb

SHA1
bc4f8591bdb90b1d7fe25e10762b834585491c4a

SHA256
df43cc0ad6756948dcbe6ae2009660e9579c9615b1e0bee60e0129c12146a619

SHA512
e7198f7dfd8c1adc45b0895c1dcdc7d16633b1d30af6102e670a86bf3b9413d489a54538390c92cdd2283af5245d7dadcc9985ea8d8249117de36112bb526751

Download Submit
C:\Users\Admin\AppData\Local\Temp\upHCHH0RIK.bat
Filesize
160B

MD5
8304dce220a19a7742728de0474c4d29

SHA1
b777e117b8abef4894038390a6beefece1b80514

SHA256
69d65635c003d2eac5d5820d782b18a7b032cb14ef4c19bd589b0e6eae333f6b

SHA512
da2c61cfca71e44dea877dc0baece7e7360aaa9d287a311485b5da86e11b70192f224e2bcbccec467283b7cb837a9e7cf35716d7ebc9a0a815c95ca8f8ee55df

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0evqb0uc\0evqb0uc.0.cs
Filesize
370B

MD5
947b04274dda4fce9f992b14bdf4d504

SHA1
6ca86828f914944f1658c3f5d5b67056964f357c

SHA256
5e199e0c5be27796ce1978a57e6cea70173676d0aac2faaa8d00f1debea2dff6

SHA512
fbe6c4927414831424cd308cf05c0f31810de3e021e55ca79753c6a4f9e81a34d399d0877b50b192c9e287fb4fc01e11c9e709bfae25fb243bed2fcb0486cd43

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0evqb0uc\0evqb0uc.cmdline
Filesize
235B

MD5
eda99c0831a775e40f0005894bf2eb7d

SHA1
de7a479c69553c379d37d626de23415e0c0681e8

SHA256
bf4e33521751b9aae60a89d38452eda465c7ea0a4b6aa3ff0d3528b8439f60fe

SHA512
71756b7b2ede76e5c3b47b7c8dc361d58fdde480eebf3848c64752a5e1b6465c5aa80cc8b2737c65d407934078f67d662919246badb18c0303d6a2ee25c95afd

Download Submit
\??\c:\Windows\System32\CSC59B6B8E38F8E4C2C96D771E25B19419F.TMP
Filesize
1KB

MD5
76193a570fc043b07f2da69ddc0d2266

SHA1
ff4eaaa5d3abed0831c72bbff23adae30f02e4ff

SHA256
a47b908b5cadfac55e3a1702f4e1bb4cfd9b5d7b27e1f6bfb395bc2b29cd3cc8

SHA512
4588c0ddfd356f096aed916e2aecfec09612595fa3864f1896d642a6d0c9294dd21287dadd6e2ccdfde0b6199de6985eba7b25d71364ef9dc17f2f49b6ac7473

Download Submit
memory/3504-21-0x00000000025D0000-0x00000000025DC000-memory.dmp

Filesize
48KB

Download
memory/3504-19-0x0000000002610000-0x0000000002628000-memory.dmp

Filesize
96KB

Download
memory/3504-17-0x000000001B280000-0x000000001B2D0000-memory.dmp

Filesize
320KB

Download
memory/3504-16-0x00000000025F0000-0x000000000260C000-memory.dmp

Filesize
112KB

Download
memory/3504-14-0x0000000002580000-0x000000000258E000-memory.dmp

Filesize
56KB

Download
memory/3504-12-0x00000000002E0000-0x00000000004BA000-memory.dmp

Filesize
1.9MB

Download