dcrat | 82e3832d52413d37e20a7dc822ed59bbec29927716f5a9c8e90f1e710c744b82

Analysis

max time kernel
297s
max time network
300s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-uk
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-uklocale:uk-uaos:windows10-ltsc_2021-x64systemwindows
submitted
27/03/2025, 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.exe
Size

1.9MB
MD5

fc06b895d807fd63de36914ddf278cd9
SHA1

3fc5e6bfaba1adfb44a5e2af8f6350b0f292b57c
SHA256

82e3832d52413d37e20a7dc822ed59bbec29927716f5a9c8e90f1e710c744b82
SHA512

fbf1b1a0c0a3175f4162e89b7285ead314770934767333bae5c60db0ecf0799e9ee3667ddb966b27367b45a2a4151ea4d4af43efdcfbf84828b86ef0fc3867a0
SSDEEP

49152:4p5fMbCt/PzfzpLzE+0X4XncPdQfukH7W9GHI/Dd5B5:8f+C1PzLpEnIXndG27iV/DHB

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\My Documents\\sysmon.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\My Documents\\sysmon.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\sysmon.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\My Documents\\sysmon.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\sysmon.exe\", \"C:\\b16b2accc1da7e68e24c\\explorer.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\My Documents\\sysmon.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\sysmon.exe\", \"C:\\b16b2accc1da7e68e24c\\explorer.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\spoolsv.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\My Documents\\sysmon.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\sysmon.exe\", \"C:\\b16b2accc1da7e68e24c\\explorer.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\spoolsv.exe\", \"C:\\msWebfontCommonsvc\\cmd.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\My Documents\\sysmon.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\sysmon.exe\", \"C:\\b16b2accc1da7e68e24c\\explorer.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\spoolsv.exe\", \"C:\\msWebfontCommonsvc\\cmd.exe\", \"C:\\msWebfontCommonsvc\\ContainerAgentBrowserSession.exe\""	ContainerAgentBrowserSession.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	564	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	564	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	564	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	564	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3548	564	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	564	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	564	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6016	564	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	564	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3948	564	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6120	564	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	564	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4196	564	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	564	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3288	564	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	564	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4436	564	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	564	schtasks.exe	84

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5536	powershell.exe
5192	powershell.exe
5900	powershell.exe
2944	powershell.exe
5924	powershell.exe
216	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\International\Geo\Nation	Wgpdo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\Control Panel\International\Geo\Nation	ContainerAgentBrowserSession.exe

Executes dropped EXE 4 IoCs

pid	Process
1988	Lcwlqtdj.exe
5372	Wgpdo.exe
4664	ContainerAgentBrowserSession.exe
400	spoolsv.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Users\\Default\\My Documents\\sysmon.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\sysmon.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\sysmon.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\b16b2accc1da7e68e24c\\explorer.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\msWebfontCommonsvc\\cmd.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\b16b2accc1da7e68e24c\\explorer.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\spoolsv.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\spoolsv.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\msWebfontCommonsvc\\cmd.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ContainerAgentBrowserSession = "\"C:\\msWebfontCommonsvc\\ContainerAgentBrowserSession.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ContainerAgentBrowserSession = "\"C:\\msWebfontCommonsvc\\ContainerAgentBrowserSession.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Users\\Default\\My Documents\\sysmon.exe\""	ContainerAgentBrowserSession.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC62DAB6F68485401DA81230BD8C7AA265.TMP	csc.exe
File created	\??\c:\Windows\System32\3gwg4g.exe	csc.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\sysmon.exe	ContainerAgentBrowserSession.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\121e5b5079f7c0	ContainerAgentBrowserSession.exe
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSC694918011EB14955906B14BD71CE2A5.TMP	csc.exe
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	csc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\spoolsv.exe	ContainerAgentBrowserSession.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\f3b6ecef712a24	ContainerAgentBrowserSession.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wgpdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\Local Settings	ContainerAgentBrowserSession.exe
Key created	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\Local Settings	Wgpdo.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3288	schtasks.exe
3192	schtasks.exe
6016	schtasks.exe
3948	schtasks.exe
4436	schtasks.exe
1984	schtasks.exe
3548	schtasks.exe
3396	schtasks.exe
4012	schtasks.exe
1504	schtasks.exe
4792	schtasks.exe
6120	schtasks.exe
700	schtasks.exe
4248	schtasks.exe
4980	schtasks.exe
2176	schtasks.exe
3708	schtasks.exe
4196	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe
4664	ContainerAgentBrowserSession.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5736	taskmgr.exe
400	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4664	ContainerAgentBrowserSession.exe
Token: SeDebugPrivilege	5536	powershell.exe
Token: SeDebugPrivilege	5900	powershell.exe
Token: SeDebugPrivilege	5924	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeDebugPrivilege	5192	powershell.exe
Token: SeIncreaseQuotaPrivilege	5900	powershell.exe
Token: SeSecurityPrivilege	5900	powershell.exe
Token: SeTakeOwnershipPrivilege	5900	powershell.exe
Token: SeLoadDriverPrivilege	5900	powershell.exe
Token: SeSystemProfilePrivilege	5900	powershell.exe
Token: SeSystemtimePrivilege	5900	powershell.exe
Token: SeProfSingleProcessPrivilege	5900	powershell.exe
Token: SeIncBasePriorityPrivilege	5900	powershell.exe
Token: SeCreatePagefilePrivilege	5900	powershell.exe
Token: SeBackupPrivilege	5900	powershell.exe
Token: SeRestorePrivilege	5900	powershell.exe
Token: SeShutdownPrivilege	5900	powershell.exe
Token: SeDebugPrivilege	5900	powershell.exe
Token: SeSystemEnvironmentPrivilege	5900	powershell.exe
Token: SeRemoteShutdownPrivilege	5900	powershell.exe
Token: SeUndockPrivilege	5900	powershell.exe
Token: SeManageVolumePrivilege	5900	powershell.exe
Token: 33	5900	powershell.exe
Token: 34	5900	powershell.exe
Token: 35	5900	powershell.exe
Token: 36	5900	powershell.exe
Token: SeIncreaseQuotaPrivilege	5924	powershell.exe
Token: SeSecurityPrivilege	5924	powershell.exe
Token: SeTakeOwnershipPrivilege	5924	powershell.exe
Token: SeLoadDriverPrivilege	5924	powershell.exe
Token: SeSystemProfilePrivilege	5924	powershell.exe
Token: SeSystemtimePrivilege	5924	powershell.exe
Token: SeProfSingleProcessPrivilege	5924	powershell.exe
Token: SeIncBasePriorityPrivilege	5924	powershell.exe
Token: SeCreatePagefilePrivilege	5924	powershell.exe
Token: SeBackupPrivilege	5924	powershell.exe
Token: SeRestorePrivilege	5924	powershell.exe
Token: SeShutdownPrivilege	5924	powershell.exe
Token: SeDebugPrivilege	5924	powershell.exe
Token: SeSystemEnvironmentPrivilege	5924	powershell.exe
Token: SeRemoteShutdownPrivilege	5924	powershell.exe
Token: SeUndockPrivilege	5924	powershell.exe
Token: SeManageVolumePrivilege	5924	powershell.exe
Token: 33	5924	powershell.exe
Token: 34	5924	powershell.exe
Token: 35	5924	powershell.exe
Token: 36	5924	powershell.exe
Token: SeIncreaseQuotaPrivilege	5536	powershell.exe
Token: SeSecurityPrivilege	5536	powershell.exe
Token: SeTakeOwnershipPrivilege	5536	powershell.exe
Token: SeLoadDriverPrivilege	5536	powershell.exe
Token: SeSystemProfilePrivilege	5536	powershell.exe
Token: SeSystemtimePrivilege	5536	powershell.exe
Token: SeProfSingleProcessPrivilege	5536	powershell.exe
Token: SeIncBasePriorityPrivilege	5536	powershell.exe
Token: SeCreatePagefilePrivilege	5536	powershell.exe
Token: SeBackupPrivilege	5536	powershell.exe
Token: SeRestorePrivilege	5536	powershell.exe
Token: SeShutdownPrivilege	5536	powershell.exe
Token: SeDebugPrivilege	5536	powershell.exe
Token: SeSystemEnvironmentPrivilege	5536	powershell.exe
Token: SeRemoteShutdownPrivilege	5536	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe
5736	taskmgr.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 5664 wrote to memory of 1988	5664	Launcher.exe	82
PID 5664 wrote to memory of 1988	5664	Launcher.exe	82
PID 5664 wrote to memory of 5372	5664	Launcher.exe	83
PID 5664 wrote to memory of 5372	5664	Launcher.exe	83
PID 5664 wrote to memory of 5372	5664	Launcher.exe	83
PID 5372 wrote to memory of 2668	5372	Wgpdo.exe	85
PID 5372 wrote to memory of 2668	5372	Wgpdo.exe	85
PID 5372 wrote to memory of 2668	5372	Wgpdo.exe	85
PID 2668 wrote to memory of 6112	2668	WScript.exe	90
PID 2668 wrote to memory of 6112	2668	WScript.exe	90
PID 2668 wrote to memory of 6112	2668	WScript.exe	90
PID 6112 wrote to memory of 4664	6112	cmd.exe	92
PID 6112 wrote to memory of 4664	6112	cmd.exe	92
PID 4664 wrote to memory of 3360	4664	ContainerAgentBrowserSession.exe	96
PID 4664 wrote to memory of 3360	4664	ContainerAgentBrowserSession.exe	96
PID 3360 wrote to memory of 2236	3360	csc.exe	98
PID 3360 wrote to memory of 2236	3360	csc.exe	98
PID 4664 wrote to memory of 1056	4664	ContainerAgentBrowserSession.exe	99
PID 4664 wrote to memory of 1056	4664	ContainerAgentBrowserSession.exe	99
PID 1056 wrote to memory of 3076	1056	csc.exe	101
PID 1056 wrote to memory of 3076	1056	csc.exe	101
PID 4664 wrote to memory of 5536	4664	ContainerAgentBrowserSession.exe	117
PID 4664 wrote to memory of 5536	4664	ContainerAgentBrowserSession.exe	117
PID 4664 wrote to memory of 5192	4664	ContainerAgentBrowserSession.exe	118
PID 4664 wrote to memory of 5192	4664	ContainerAgentBrowserSession.exe	118
PID 4664 wrote to memory of 5900	4664	ContainerAgentBrowserSession.exe	119
PID 4664 wrote to memory of 5900	4664	ContainerAgentBrowserSession.exe	119
PID 4664 wrote to memory of 2944	4664	ContainerAgentBrowserSession.exe	120
PID 4664 wrote to memory of 2944	4664	ContainerAgentBrowserSession.exe	120
PID 4664 wrote to memory of 5924	4664	ContainerAgentBrowserSession.exe	121
PID 4664 wrote to memory of 5924	4664	ContainerAgentBrowserSession.exe	121
PID 4664 wrote to memory of 216	4664	ContainerAgentBrowserSession.exe	122
PID 4664 wrote to memory of 216	4664	ContainerAgentBrowserSession.exe	122
PID 4664 wrote to memory of 5832	4664	ContainerAgentBrowserSession.exe	129
PID 4664 wrote to memory of 5832	4664	ContainerAgentBrowserSession.exe	129
PID 5832 wrote to memory of 2136	5832	cmd.exe	132
PID 5832 wrote to memory of 2136	5832	cmd.exe	132
PID 5832 wrote to memory of 1336	5832	cmd.exe	133
PID 5832 wrote to memory of 1336	5832	cmd.exe	133
PID 5832 wrote to memory of 400	5832	cmd.exe	136
PID 5832 wrote to memory of 400	5832	cmd.exe	136

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5664
- C:\Users\Admin\AppData\Local\Temp\Lcwlqtdj.exe
  "C:\Users\Admin\AppData\Local\Temp\Lcwlqtdj.exe"
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Users\Admin\AppData\Local\Temp\Wgpdo.exe
  "C:\Users\Admin\AppData\Local\Temp\Wgpdo.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5372
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\msWebfontCommonsvc\1Pqb55993gaAnMOQKOP1Zx4Ywr074Tyvs.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\msWebfontCommonsvc\xOY2DcV2ToDeh.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:6112
    - - C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe
        
        "C:\msWebfontCommonsvc/ContainerAgentBrowserSession.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4664
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t2cv32fk\t2cv32fk.cmdline"
        6⤵
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A50.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC694918011EB14955906B14BD71CE2A5.TMP"
        7⤵
        
        PID:2236
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hfbd220j\hfbd220j.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7ABE.tmp" "c:\Windows\System32\CSC62DAB6F68485401DA81230BD8C7AA265.TMP"
        7⤵
        
        PID:3076
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\My Documents\sysmon.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5536
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\sysmon.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5192
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\b16b2accc1da7e68e24c\explorer.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5900
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\en-US\spoolsv.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\msWebfontCommonsvc\cmd.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5924
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:216
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8wNr6Y1689.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5832
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2136
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1336
        
        C:\Program Files (x86)\Windows NT\Accessories\en-US\spoolsv.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\en-US\spoolsv.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\Default\My Documents\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\My Documents\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Users\Default\My Documents\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\b16b2accc1da7e68e24c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\b16b2accc1da7e68e24c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\b16b2accc1da7e68e24c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\msWebfontCommonsvc\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\msWebfontCommonsvc\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\msWebfontCommonsvc\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ContainerAgentBrowserSessionC" /sc MINUTE /mo 8 /tr "'C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ContainerAgentBrowserSession" /sc ONLOGON /tr "'C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ContainerAgentBrowserSessionC" /sc MINUTE /mo 6 /tr "'C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Filesize
4KB

MD5
4be1b04013d3d8202ce3ef783f238a0f

SHA1
2445bf604e03b4a61607cfcd3baee87b0dc473d5

SHA256
a10e541ceebb68ef4152ea8d498c2091bd3b16774626ddf8119ec30053dd3729

SHA512
ed93134aec2c15aa401081c1a5c5b3b979051dd377cd57a3bd7236a60c1938471e57d3c83951b0d71c6d16b3a74737e94cbca0be9ba137b65b75cfcadd71e4b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a84ed51976518ac8bf09c6111276ae1d

SHA1
0079c7ab81e834f4642de2b6e962a755c51c04c8

SHA256
50fa4aa61b5b4736cd8fee6b365a7f4a640e2d3be29a8c4c15f7b648a6a79e6f

SHA512
9672df6a130aaee4394be0f80eb9d890d650567662a74fef3978e2837641a256aab25f9d3ed0d277314633f00f6770188c726acb5864b4a7ef7273f94f4051fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cbaa18e6c548e450ef57accfc90413fa

SHA1
125bff35a947b27dc1402a87d16b7b7a0a2246b4

SHA256
9cf4829370c56d503fd17a38057ff840800de539770c7af6c445f3a59aa7da3a

SHA512
0c7100d9b9f2265b627bcd42bb797511b76d0eae997c1294d3a17b7d375ad860a57890cb3bfc235f04ea5ded0d41c6c5d90b5c606db6ac37de0526540d972954

Download Submit
C:\Users\Admin\AppData\Local\Temp\8wNr6Y1689.bat

Filesize
239B

MD5
367a3b268a27765b1c295d158dac8ebd

SHA1
5a359672949301a428002b0769da4d248503beaf

SHA256
7c36d902475c3c7f03d4d57263685f8211b05a6b7e42ec3e64c880b7f8f1ed79

SHA512
c49343189bc40d42945886f364935dae824bc618360c83f58fd5a4fc158037e13a1ca72638ff04c050fe462c4a5cd2697a2775a3ffdbdd0d2abbc3c9fd858745

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lcwlqtdj.exe

Filesize
568KB

MD5
3547673370be6c843ebbe4ddb8e089b8

SHA1
de077a872cc8a932205e5c5b61984bf6e50f5d17

SHA256
c52244696cfefabb23cfebcae3cc134e2c0fd03a1175755cf867dd3e87a900b4

SHA512
7a87fad7872e6dfabb7aeb91790a7b2eb778ddeecb102406d4465a1c6661c89ee772624d54f7d47169564e935141c1f5ec90f09118dc59ba1f72b462e4d460bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7A50.tmp

Filesize
1KB

MD5
6948c0c88c37269d9688ef2964b80047

SHA1
5261c325ec4dcccc9a9897eb9fb7a3c05692a9d7

SHA256
e324a31a60142564dc1f816be90495ec2550b981eabd47370dcf73d17d140dae

SHA512
0b957abc1da886d70e454749abf9bf259a34ca697b21ab8bedfa5e055e9b39614d2c73338f1a57e8eb9385fd0e1942d7f530b2807e1705e0fa56c345ff21fdbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7ABE.tmp

Filesize
1KB

MD5
137e3963983347b18c767e904f715f77

SHA1
fd5fe91da913a5a65f4edb01d5df46dfdb507320

SHA256
e0b97c5499d191f8a9f929faa10b1e9aecd90b78c88754a0b736196a5eb6ce5f

SHA512
a6759d2cd09c4db64b6e3d3d515703097350bb8a030dbae5308dd6b3bf3975205cb28c7640225f4386905340d7897e84672d39026eac9c6daa71e70c305304de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wgpdo.exe

Filesize
2.1MB

MD5
fa7058193e55dcf22576be1d81ee4ec9

SHA1
7ac5c2aeff7da77ea0ea71e9e4244dec68ee7a18

SHA256
27beae1aeb07d9aa24f6f4f13d247c7f69d8c412ed9150ac0e13c36de80d159a

SHA512
fbb538fa4d26bd3c554f9e837b134c119a6acff43b0a8cc0b805bcb9a0acfa54d4b0ca18d745f7f167ba9bc9642d8e14e783c38ad7207d55389d8ea7dd1af74e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_baablam3.hjv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\msWebfontCommonsvc\1Pqb55993gaAnMOQKOP1Zx4Ywr074Tyvs.vbe

Filesize
209B

MD5
7456528d87fdbbf7380081612a878945

SHA1
91a8b74ee56e559e664e7e41bc9c9d0cd7a1e344

SHA256
274fd47fcfe3c642aaed07e9d94fe524e1680020d5b63e0eff71e7155973a961

SHA512
4fa8dbfb2aa1c1117bcbd3d1de7bcbc4140efa1eddbada9652304d136b71cdb5de633ac8d48d68e58d0bb6317c7132b1e140003a6dd564e8114a6ab0501f7877

Download Submit
C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe

Filesize
1.8MB

MD5
4b48b143e95e5292b1700bd25ba63c76

SHA1
3b321290b54028f94d2b1736173d18ce16bcc260

SHA256
3b1888daacc09277d0f3daca114f05613f708d260e2950ee5620d77881c584cb

SHA512
f8fb811150f81f9636193506451445b77634b27ad36884bfaa4454887666bbcc7f88ff190e912e3a3f7bf8ed82080280075ad753041d5d9bb50717b22b71bcb0

Download Submit
C:\msWebfontCommonsvc\xOY2DcV2ToDeh.bat

Filesize
105B

MD5
d9b64ed326c6cfceaa29ddbee358a8e2

SHA1
42b494e3ffa836f173e1a2b1e3da8a93ffe39561

SHA256
576041699b52e2a3eddb04819000376696a1ad869711dc5d786473e9b9f3c2de

SHA512
32c74021848f6d9b5dc6d38287fe992299c8e1a12113203e1dbcab5f5d2abe922fa9fdf62e6ba0d6dac8c3d5ea5e66af5deca42fa51f2b0b699e90a89cd82e67

Download Submit
C:\windows\system32\3gwg4g.exe

Filesize
4KB

MD5
884c5fde1aaf8c8211b813da8d59547e

SHA1
5b20aa524e5256affb32c92b75fe304b0ac50e96

SHA256
c884e8a2ca08135c1ad6dcb92b2201f42abb794df06c2e6d2acc508b426b6549

SHA512
d6defd9b44712c71c0462b8149134a24e5d669b1890ab5e10505b38fe496ad30a8577862d36eac6872478825b02176f74e728408935c0564d58bb81e2c335db1

Download Submit
\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSC694918011EB14955906B14BD71CE2A5.TMP

Filesize
1KB

MD5
b5189fb271be514bec128e0d0809c04e

SHA1
5dd625d27ed30fca234ec097ad66f6c13a7edcbe

SHA256
e1984ba1e3ff8b071f7a320a6f1f18e1d5f4f337d31dc30d5bdfb021df39060f

SHA512
f0fcb8f97279579beb59f58ea89527ee0d86a64c9de28300f14460bec6c32dda72f0e6466573b6654a1e992421d6fe81ae7cce50f27059f54cf9fdca6953602e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hfbd220j\hfbd220j.0.cs

Filesize
372B

MD5
055fa4c3ac893b7b9fac1be4254ff011

SHA1
2948b705f8ae2409561f20165db44adc6fa33d8d

SHA256
7844b11d7520cfa83778498cdaae916287ab0d92dc05763d6643783dd234e7bf

SHA512
d02628e20859c4d4a8a6cd3ef384fc6a01f9ef9ecae34a6d4ea7eda7258639213694c8a6ecc1300433e78903c39125975a74d3f41dc657c8134d806a47064520

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hfbd220j\hfbd220j.cmdline

Filesize
235B

MD5
f87898ae08effd87f74a4bcd2d80969f

SHA1
fe4080831f8e35969a0ca669cd2fa918d5821842

SHA256
42b7d4ef5ebf7ac28592e7de8d7a1c0a6b29b1b34b720f959451d995c228656a

SHA512
0319a528a4d3290122fae2136b18a7f9177f53a72c193e0ca42cc460d1af348da7d165da3e1d3da4bacfe18c26d9aeb7d9990264404c312631ed714ca5b40b25

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\t2cv32fk\t2cv32fk.0.cs

Filesize
402B

MD5
a64585688410cf4be5b36bd6200572c9

SHA1
51e7e36adf08abd25b0b467f1f3dd5b341a6cc06

SHA256
d96e7e20431eb939a8dec7d4d5058c7a019dc5d74b3e3a5e71dbe49c634f8c26

SHA512
c16ac904616d13a67edf38167545bed5db97a429ca31d010abc86d8f35189406f16a5a08226036cf4a31a0051784d0fdd5da15fe1f1b4816eb2fc58d28809658

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\t2cv32fk\t2cv32fk.cmdline

Filesize
265B

MD5
cf2a4f87ba92b9977d501d7ecb71851d

SHA1
dc57bf9c790f20fd88f45de832f61d74baadfca8

SHA256
d7cc191e8498514183385bcf42655841daa9f959768fb7c2598262fd7b0c270e

SHA512
f7997b19e4fe00007a28ed7d4f1d5cd3b7538cb5703e86114ee30573b10e702748192ad999b10303da639c0ce1af8f89f47ae6251fb76f300ca5e42cce194a56

Download Submit
\??\c:\Windows\System32\CSC62DAB6F68485401DA81230BD8C7AA265.TMP

Filesize
1KB

MD5
647753e4c24c8cf8aa8424b6f449e7b9

SHA1
37f6a6359f4a5d6dea133c9d34fb5c493783a41f

SHA256
cf62ae203c5fe77bcf215b2cf3b3d8158e30aa41d19a2f799ef885e171892f83

SHA512
74d71fa48e5d9c81f65943915aba900698ea87c714b688670fd62e1473bd68088b86c4afc2720956ce86f08e356e65ad0323baec69998c18379eb0eb298717e8

Download Submit
memory/1988-22-0x00000000009C0000-0x0000000000A46000-memory.dmp

Filesize
536KB

Download
memory/1988-26-0x00007FFD6DF20000-0x00007FFD6E9E2000-memory.dmp

Filesize
10.8MB

Download
memory/1988-32-0x00007FFD6DF20000-0x00007FFD6E9E2000-memory.dmp

Filesize
10.8MB

Download
memory/4664-53-0x000000001B2F0000-0x000000001B30C000-memory.dmp

Filesize
112KB

Download
memory/4664-54-0x000000001B360000-0x000000001B3B0000-memory.dmp

Filesize
320KB

Download
memory/4664-58-0x000000001AF70000-0x000000001AF7C000-memory.dmp

Filesize
48KB

Download
memory/4664-51-0x0000000002650000-0x000000000265E000-memory.dmp

Filesize
56KB

Download
memory/4664-49-0x00000000001B0000-0x000000000038A000-memory.dmp

Filesize
1.9MB

Download
memory/4664-97-0x000000001B8C0000-0x000000001BA67000-memory.dmp

Filesize
1.7MB

Download
memory/4664-56-0x000000001B310000-0x000000001B328000-memory.dmp

Filesize
96KB

Download
memory/5536-103-0x000001FFE1380000-0x000001FFE13A2000-memory.dmp

Filesize
136KB

Download
memory/5664-31-0x00007FFD6DF20000-0x00007FFD6E9E2000-memory.dmp

Filesize
10.8MB

Download
memory/5664-0-0x00007FFD6DF23000-0x00007FFD6DF25000-memory.dmp

Filesize
8KB

Download
memory/5664-1-0x0000000000690000-0x000000000087C000-memory.dmp

Filesize
1.9MB

Download
memory/5664-2-0x00007FFD6DF20000-0x00007FFD6E9E2000-memory.dmp

Filesize
10.8MB

Download
memory/5736-182-0x000001A8D2FF0000-0x000001A8D2FF1000-memory.dmp

Filesize
4KB

Download
memory/5736-184-0x000001A8D2FF0000-0x000001A8D2FF1000-memory.dmp

Filesize
4KB

Download
memory/5736-183-0x000001A8D2FF0000-0x000001A8D2FF1000-memory.dmp

Filesize
4KB

Download
memory/5736-172-0x000001A8D2FF0000-0x000001A8D2FF1000-memory.dmp

Filesize
4KB

Download
memory/5736-181-0x000001A8D2FF0000-0x000001A8D2FF1000-memory.dmp

Filesize
4KB

Download
memory/5736-180-0x000001A8D2FF0000-0x000001A8D2FF1000-memory.dmp

Filesize
4KB

Download
memory/5736-179-0x000001A8D2FF0000-0x000001A8D2FF1000-memory.dmp

Filesize
4KB

Download
memory/5736-178-0x000001A8D2FF0000-0x000001A8D2FF1000-memory.dmp

Filesize
4KB

Download
memory/5736-173-0x000001A8D2FF0000-0x000001A8D2FF1000-memory.dmp

Filesize
4KB

Download
memory/5736-174-0x000001A8D2FF0000-0x000001A8D2FF1000-memory.dmp

Filesize
4KB

Download