dcrat | 82e3832d52413d37e20a7dc822ed59bbec29927716f5a9c8e90f1e710c744b82

Analysis

max time kernel
103s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2025, 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.exe
Size

1.9MB
MD5

fc06b895d807fd63de36914ddf278cd9
SHA1

3fc5e6bfaba1adfb44a5e2af8f6350b0f292b57c
SHA256

82e3832d52413d37e20a7dc822ed59bbec29927716f5a9c8e90f1e710c744b82
SHA512

fbf1b1a0c0a3175f4162e89b7285ead314770934767333bae5c60db0ecf0799e9ee3667ddb966b27367b45a2a4151ea4d4af43efdcfbf84828b86ef0fc3867a0
SSDEEP

49152:4p5fMbCt/PzfzpLzE+0X4XncPdQfukH7W9GHI/Dd5B5:8f+C1PzLpEnIXndG27iV/DHB

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\2b5f15c5afe01f70d7f71092\\taskhostw.exe\", \"C:\\Users\\All Users\\Packages\\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\\fontdrvhost.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\2b5f15c5afe01f70d7f71092\\taskhostw.exe\", \"C:\\Users\\All Users\\Packages\\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\\fontdrvhost.exe\", \"C:\\Windows\\Web\\4K\\Wallpaper\\fontdrvhost.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\2b5f15c5afe01f70d7f71092\\taskhostw.exe\", \"C:\\Users\\All Users\\Packages\\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\\fontdrvhost.exe\", \"C:\\Windows\\Web\\4K\\Wallpaper\\fontdrvhost.exe\", \"C:\\Windows\\Panther\\actionqueue\\fontdrvhost.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\2b5f15c5afe01f70d7f71092\\taskhostw.exe\", \"C:\\Users\\All Users\\Packages\\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\\fontdrvhost.exe\", \"C:\\Windows\\Web\\4K\\Wallpaper\\fontdrvhost.exe\", \"C:\\Windows\\Panther\\actionqueue\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\2b5f15c5afe01f70d7f71092\\taskhostw.exe\", \"C:\\Users\\All Users\\Packages\\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\\fontdrvhost.exe\", \"C:\\Windows\\Web\\4K\\Wallpaper\\fontdrvhost.exe\", \"C:\\Windows\\Panther\\actionqueue\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\msWebfontCommonsvc\\ContainerAgentBrowserSession.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\2b5f15c5afe01f70d7f71092\\taskhostw.exe\""	ContainerAgentBrowserSession.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5348	3744	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5912	3744	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	3744	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5548	3744	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	3744	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	3744	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6140	3744	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	3744	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	3744	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6120	3744	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	3744	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	3744	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	184	3744	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	3744	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3844	3744	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3356	3744	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3748	3744	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5916	3744	schtasks.exe	90

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1872	powershell.exe
5852	powershell.exe
5252	powershell.exe
5760	powershell.exe
3600	powershell.exe
1420	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	Wgpdo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	ContainerAgentBrowserSession.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	Launcher.exe

Executes dropped EXE 16 IoCs

pid	Process
2988	Lcwlqtdj.exe
1536	Wgpdo.exe
2280	ContainerAgentBrowserSession.exe
408	taskhostw.exe
1456	taskhostw.exe
3004	fontdrvhost.exe
3552	fontdrvhost.exe
5376	fontdrvhost.exe
2452	fontdrvhost.exe
4416	fontdrvhost.exe
1732	fontdrvhost.exe
2264	TextInputHost.exe
1156	TextInputHost.exe
1860	ContainerAgentBrowserSession.exe
4084	ContainerAgentBrowserSession.exe
2216	taskhostw.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\2b5f15c5afe01f70d7f71092\\taskhostw.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\All Users\\Packages\\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\\fontdrvhost.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\Web\\4K\\Wallpaper\\fontdrvhost.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\Panther\\actionqueue\\fontdrvhost.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ContainerAgentBrowserSession = "\"C:\\msWebfontCommonsvc\\ContainerAgentBrowserSession.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\All Users\\Packages\\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\\fontdrvhost.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\Web\\4K\\Wallpaper\\fontdrvhost.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\Panther\\actionqueue\\fontdrvhost.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Recovery\\WindowsRE\\TextInputHost.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Recovery\\WindowsRE\\TextInputHost.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ContainerAgentBrowserSession = "\"C:\\msWebfontCommonsvc\\ContainerAgentBrowserSession.exe\""	ContainerAgentBrowserSession.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\2b5f15c5afe01f70d7f71092\\taskhostw.exe\""	ContainerAgentBrowserSession.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC16FD105CA34F4471B2249FD21CD9E4E0.TMP	csc.exe
File created	\??\c:\Windows\System32\nrww0o.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSCCBD02A02436E4CF18C47825E8A3BDC36.TMP	csc.exe
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	csc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Panther\actionqueue\fontdrvhost.exe	ContainerAgentBrowserSession.exe
File created	C:\Windows\Panther\actionqueue\5b884080fd4f94	ContainerAgentBrowserSession.exe
File created	C:\Windows\Web\4K\Wallpaper\fontdrvhost.exe	ContainerAgentBrowserSession.exe
File created	C:\Windows\Web\4K\Wallpaper\5b884080fd4f94	ContainerAgentBrowserSession.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wgpdo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	Wgpdo.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000_Classes\Local Settings	ContainerAgentBrowserSession.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2496	schtasks.exe
1092	schtasks.exe
624	schtasks.exe
2012	schtasks.exe
3844	schtasks.exe
5348	schtasks.exe
4380	schtasks.exe
5548	schtasks.exe
6140	schtasks.exe
1428	schtasks.exe
184	schtasks.exe
3356	schtasks.exe
5916	schtasks.exe
5912	schtasks.exe
552	schtasks.exe
3000	schtasks.exe
6120	schtasks.exe
3748	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe
2280	ContainerAgentBrowserSession.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2280	ContainerAgentBrowserSession.exe
Token: SeDebugPrivilege	408	taskhostw.exe
Token: SeDebugPrivilege	1456	taskhostw.exe
Token: SeDebugPrivilege	3004	fontdrvhost.exe
Token: SeDebugPrivilege	3552	fontdrvhost.exe
Token: SeDebugPrivilege	5376	fontdrvhost.exe
Token: SeDebugPrivilege	2452	fontdrvhost.exe
Token: SeDebugPrivilege	4416	fontdrvhost.exe
Token: SeDebugPrivilege	1156	TextInputHost.exe
Token: SeDebugPrivilege	2264	TextInputHost.exe
Token: SeDebugPrivilege	5252	powershell.exe
Token: SeDebugPrivilege	5760	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	5852	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	3600	powershell.exe
Token: SeDebugPrivilege	1860	ContainerAgentBrowserSession.exe
Token: SeDebugPrivilege	4084	ContainerAgentBrowserSession.exe
Token: SeDebugPrivilege	2216	taskhostw.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2988	2224	Launcher.exe	88
PID 2224 wrote to memory of 2988	2224	Launcher.exe	88
PID 2224 wrote to memory of 1536	2224	Launcher.exe	89
PID 2224 wrote to memory of 1536	2224	Launcher.exe	89
PID 2224 wrote to memory of 1536	2224	Launcher.exe	89
PID 1536 wrote to memory of 4544	1536	Wgpdo.exe	93
PID 1536 wrote to memory of 4544	1536	Wgpdo.exe	93
PID 1536 wrote to memory of 4544	1536	Wgpdo.exe	93
PID 4544 wrote to memory of 4900	4544	WScript.exe	97
PID 4544 wrote to memory of 4900	4544	WScript.exe	97
PID 4544 wrote to memory of 4900	4544	WScript.exe	97
PID 4900 wrote to memory of 2280	4900	cmd.exe	99
PID 4900 wrote to memory of 2280	4900	cmd.exe	99
PID 2280 wrote to memory of 2088	2280	ContainerAgentBrowserSession.exe	104
PID 2280 wrote to memory of 2088	2280	ContainerAgentBrowserSession.exe	104
PID 2088 wrote to memory of 3888	2088	csc.exe	106
PID 2088 wrote to memory of 3888	2088	csc.exe	106
PID 2280 wrote to memory of 2116	2280	ContainerAgentBrowserSession.exe	107
PID 2280 wrote to memory of 2116	2280	ContainerAgentBrowserSession.exe	107
PID 2116 wrote to memory of 5620	2116	csc.exe	109
PID 2116 wrote to memory of 5620	2116	csc.exe	109
PID 1720 wrote to memory of 408	1720	cmd.exe	122
PID 1720 wrote to memory of 408	1720	cmd.exe	122
PID 5648 wrote to memory of 1456	5648	cmd.exe	123
PID 5648 wrote to memory of 1456	5648	cmd.exe	123
PID 5084 wrote to memory of 3004	5084	cmd.exe	130
PID 5084 wrote to memory of 3004	5084	cmd.exe	130
PID 1924 wrote to memory of 3552	1924	cmd.exe	132
PID 1924 wrote to memory of 3552	1924	cmd.exe	132
PID 1952 wrote to memory of 5376	1952	cmd.exe	140
PID 1952 wrote to memory of 5376	1952	cmd.exe	140
PID 460 wrote to memory of 2452	460	cmd.exe	141
PID 460 wrote to memory of 2452	460	cmd.exe	141
PID 1196 wrote to memory of 4416	1196	cmd.exe	147
PID 1196 wrote to memory of 4416	1196	cmd.exe	147
PID 2136 wrote to memory of 1732	2136	cmd.exe	150
PID 2136 wrote to memory of 1732	2136	cmd.exe	150
PID 2140 wrote to memory of 2264	2140	cmd.exe	153
PID 2140 wrote to memory of 2264	2140	cmd.exe	153
PID 5448 wrote to memory of 1156	5448	cmd.exe	154
PID 5448 wrote to memory of 1156	5448	cmd.exe	154
PID 2280 wrote to memory of 3600	2280	ContainerAgentBrowserSession.exe	156
PID 2280 wrote to memory of 3600	2280	ContainerAgentBrowserSession.exe	156
PID 2280 wrote to memory of 5760	2280	ContainerAgentBrowserSession.exe	157
PID 2280 wrote to memory of 5760	2280	ContainerAgentBrowserSession.exe	157
PID 2280 wrote to memory of 5252	2280	ContainerAgentBrowserSession.exe	158
PID 2280 wrote to memory of 5252	2280	ContainerAgentBrowserSession.exe	158
PID 2280 wrote to memory of 5852	2280	ContainerAgentBrowserSession.exe	159
PID 2280 wrote to memory of 5852	2280	ContainerAgentBrowserSession.exe	159
PID 2280 wrote to memory of 1872	2280	ContainerAgentBrowserSession.exe	160
PID 2280 wrote to memory of 1872	2280	ContainerAgentBrowserSession.exe	160
PID 2280 wrote to memory of 1420	2280	ContainerAgentBrowserSession.exe	161
PID 2280 wrote to memory of 1420	2280	ContainerAgentBrowserSession.exe	161
PID 2280 wrote to memory of 1988	2280	ContainerAgentBrowserSession.exe	171
PID 2280 wrote to memory of 1988	2280	ContainerAgentBrowserSession.exe	171
PID 1212 wrote to memory of 1860	1212	cmd.exe	174
PID 1212 wrote to memory of 1860	1212	cmd.exe	174
PID 2564 wrote to memory of 4084	2564	cmd.exe	175
PID 2564 wrote to memory of 4084	2564	cmd.exe	175
PID 1988 wrote to memory of 3000	1988	cmd.exe	176
PID 1988 wrote to memory of 3000	1988	cmd.exe	176
PID 1988 wrote to memory of 996	1988	cmd.exe	177
PID 1988 wrote to memory of 996	1988	cmd.exe	177
PID 1988 wrote to memory of 2216	1988	cmd.exe	179

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\Lcwlqtdj.exe
  "C:\Users\Admin\AppData\Local\Temp\Lcwlqtdj.exe"
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Users\Admin\AppData\Local\Temp\Wgpdo.exe
  "C:\Users\Admin\AppData\Local\Temp\Wgpdo.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\msWebfontCommonsvc\1Pqb55993gaAnMOQKOP1Zx4Ywr074Tyvs.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\msWebfontCommonsvc\xOY2DcV2ToDeh.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4900
    - - C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe
        
        "C:\msWebfontCommonsvc/ContainerAgentBrowserSession.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2280
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jud2qehj\jud2qehj.cmdline"
        6⤵
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8B87.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSCCBD02A02436E4CF18C47825E8A3BDC36.TMP"
        7⤵
        
        PID:3888
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rxwl21hf\rxwl21hf.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8BF4.tmp" "c:\Windows\System32\CSC16FD105CA34F4471B2249FD21CD9E4E0.TMP"
        7⤵
        
        PID:5620
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\2b5f15c5afe01f70d7f71092\taskhostw.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3600
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Packages\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\fontdrvhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5760
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\4K\Wallpaper\fontdrvhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5252
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\actionqueue\fontdrvhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5852
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\TextInputHost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1420
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DNDI7OOk6x.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:996
        
        C:\2b5f15c5afe01f70d7f71092\taskhostw.exe
        
        "C:\2b5f15c5afe01f70d7f71092\taskhostw.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\2b5f15c5afe01f70d7f71092\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\2b5f15c5afe01f70d7f71092\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\2b5f15c5afe01f70d7f71092\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\2b5f15c5afe01f70d7f71092\taskhostw.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1720
- C:\2b5f15c5afe01f70d7f71092\taskhostw.exe
  C:\2b5f15c5afe01f70d7f71092\taskhostw.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\2b5f15c5afe01f70d7f71092\taskhostw.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5648
- C:\2b5f15c5afe01f70d7f71092\taskhostw.exe
  C:\2b5f15c5afe01f70d7f71092\taskhostw.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Packages\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\Packages\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Packages\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\All Users\Packages\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\fontdrvhost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Users\All Users\Packages\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\fontdrvhost.exe
  "C:\Users\All Users\Packages\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\fontdrvhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\All Users\Packages\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\fontdrvhost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\All Users\Packages\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\fontdrvhost.exe
  "C:\Users\All Users\Packages\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe\fontdrvhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\Web\4K\Wallpaper\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Web\4K\Wallpaper\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\Web\4K\Wallpaper\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\Web\4K\Wallpaper\fontdrvhost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:460
- C:\Windows\Web\4K\Wallpaper\fontdrvhost.exe
  C:\Windows\Web\4K\Wallpaper\fontdrvhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\Web\4K\Wallpaper\fontdrvhost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\Web\4K\Wallpaper\fontdrvhost.exe
  C:\Windows\Web\4K\Wallpaper\fontdrvhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\Panther\actionqueue\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\Panther\actionqueue\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\Panther\actionqueue\fontdrvhost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\Panther\actionqueue\fontdrvhost.exe
  C:\Windows\Panther\actionqueue\fontdrvhost.exe
  2⤵
  - Executes dropped EXE
  PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\Panther\actionqueue\fontdrvhost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Windows\Panther\actionqueue\fontdrvhost.exe
  C:\Windows\Panther\actionqueue\fontdrvhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Recovery\WindowsRE\TextInputHost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5448
- C:\Recovery\WindowsRE\TextInputHost.exe
  C:\Recovery\WindowsRE\TextInputHost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Recovery\WindowsRE\TextInputHost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Recovery\WindowsRE\TextInputHost.exe
  C:\Recovery\WindowsRE\TextInputHost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ContainerAgentBrowserSessionC" /sc MINUTE /mo 12 /tr "'C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ContainerAgentBrowserSession" /sc ONLOGON /tr "'C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ContainerAgentBrowserSessionC" /sc MINUTE /mo 12 /tr "'C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1212
- C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe
  C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2564
- C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe
  C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ContainerAgentBrowserSession.exe.log

Filesize
1KB

MD5
af6acd95d59de87c04642509c30e81c1

SHA1
f9549ae93fdb0a5861a79a08f60aa81c4b32377b

SHA256
7521ee2d065a78efcab55a194fbd78492f84b70595f139263875f4ea92b194d6

SHA512
93ab99bcf588fde553de3240e0d2b0cbd4e4bc5ef5e99d53f45a267d7ff30103a80b5a7aa1c52d6eff1e070af0ec82d2c0b8aafb7099742aa16810edc1815c3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\taskhostw.exe.log

Filesize
847B

MD5
66a0a4aa01208ed3d53a5e131a8d030a

SHA1
ef5312ba2b46b51a4d04b574ca1789ac4ff4a6b1

SHA256
f0ab05c32d6af3c2b559dbce4dec025ce3e730655a2430ade520e89a557cace8

SHA512
626f0dcf0c6bcdc0fef25dc7da058003cf929fd9a39a9f447b79fb139a417532a46f8bca1ff2dbde09abfcd70f5fb4f8d059b1fe91977c377df2f5f751c84c5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
acd80d6d7114a61d8c01c77f78c805fb

SHA1
f0b79e5fd09ae019fe95d994a5b32a6a6922172d

SHA256
2d8d88440ac91d756e52b9029c25684ad2522f9dbb9c800f3929633529497818

SHA512
1cc189cbcdd80466b3418694e025e7ad00b8da0b882096a6e1274e0544b103c3bfcc717f4975ae03eda9f1bca94f7280dcc910ca207d04e44ef8db287ee6a266

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5a933acb47347f3acfbe61dc611837f1

SHA1
0f971f7257c034fa64d9b6bcea2ea6962c48dfb7

SHA256
98f9484f576da87f1a99c6c495e2cd222e139d6867e8409cadde65ccbdb991dd

SHA512
74094c94c5864fbc99cb293d43ecd147686160c32c323ee0e3577e6d1b28b6a68c921cf3711c73c510eea5b6ce0b24268753dfc38b4f67f9a6a238bb4e8bef83

Download Submit
C:\Users\Admin\AppData\Local\Temp\DNDI7OOk6x.bat

Filesize
217B

MD5
b17d96dbbc87b0b9a64df7cd39e6428b

SHA1
a31c758b34f731e82ae0e97269ad9d1fc44b9b5e

SHA256
fd5cc7cc6f8fa3481f7079b2768756df824fe46dcf2bc7f542871f1cfe6c043d

SHA512
27f8f1121f10ba3f6d300840b6443c16d07956549aee4216b2d80906deaf030c05aac5f936a3353d352082b1eaf174cc997ad8d2bde8bacd17ff0eb7ee65446b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lcwlqtdj.exe

Filesize
568KB

MD5
3547673370be6c843ebbe4ddb8e089b8

SHA1
de077a872cc8a932205e5c5b61984bf6e50f5d17

SHA256
c52244696cfefabb23cfebcae3cc134e2c0fd03a1175755cf867dd3e87a900b4

SHA512
7a87fad7872e6dfabb7aeb91790a7b2eb778ddeecb102406d4465a1c6661c89ee772624d54f7d47169564e935141c1f5ec90f09118dc59ba1f72b462e4d460bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8B87.tmp

Filesize
1KB

MD5
9384f4447ec048b63ad459074da905c5

SHA1
1740af3003db0439c0e4668ef7bf187cc5afc552

SHA256
88dc47deae494a89354fad8aef3f608c6e77ffb1c744d6f3e2ce142223ec2b1f

SHA512
d813f20f993905cceb4fc9bf5fe73b5315cf537db32bd724149e652d4c40b5e4e653ddf787d35909dbdfec9cfa1ced0de7889c2bf3cc93b9f2e475988178a91c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8BF4.tmp

Filesize
1KB

MD5
7916d72781acc62144f057cbddfb4556

SHA1
4a27703666e1945ac1a03b4f8abecbdb8eb27099

SHA256
d42518678f5466f5f79341bbd31d355f35afcc6ef4f106be7a07d6affef71c2b

SHA512
1263c376ccfbb348c8aacfd17884080cffce086f7f61a36a2427058ada35b3ced03064404769ddf4129e8d2e8912923ae9ae053db24ad56e54a113f76b8410c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wgpdo.exe

Filesize
2.1MB

MD5
fa7058193e55dcf22576be1d81ee4ec9

SHA1
7ac5c2aeff7da77ea0ea71e9e4244dec68ee7a18

SHA256
27beae1aeb07d9aa24f6f4f13d247c7f69d8c412ed9150ac0e13c36de80d159a

SHA512
fbb538fa4d26bd3c554f9e837b134c119a6acff43b0a8cc0b805bcb9a0acfa54d4b0ca18d745f7f167ba9bc9642d8e14e783c38ad7207d55389d8ea7dd1af74e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kt4xvln1.ymk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\msWebfontCommonsvc\1Pqb55993gaAnMOQKOP1Zx4Ywr074Tyvs.vbe

Filesize
209B

MD5
7456528d87fdbbf7380081612a878945

SHA1
91a8b74ee56e559e664e7e41bc9c9d0cd7a1e344

SHA256
274fd47fcfe3c642aaed07e9d94fe524e1680020d5b63e0eff71e7155973a961

SHA512
4fa8dbfb2aa1c1117bcbd3d1de7bcbc4140efa1eddbada9652304d136b71cdb5de633ac8d48d68e58d0bb6317c7132b1e140003a6dd564e8114a6ab0501f7877

Download Submit
C:\msWebfontCommonsvc\ContainerAgentBrowserSession.exe

Filesize
1.8MB

MD5
4b48b143e95e5292b1700bd25ba63c76

SHA1
3b321290b54028f94d2b1736173d18ce16bcc260

SHA256
3b1888daacc09277d0f3daca114f05613f708d260e2950ee5620d77881c584cb

SHA512
f8fb811150f81f9636193506451445b77634b27ad36884bfaa4454887666bbcc7f88ff190e912e3a3f7bf8ed82080280075ad753041d5d9bb50717b22b71bcb0

Download Submit
C:\msWebfontCommonsvc\xOY2DcV2ToDeh.bat

Filesize
105B

MD5
d9b64ed326c6cfceaa29ddbee358a8e2

SHA1
42b494e3ffa836f173e1a2b1e3da8a93ffe39561

SHA256
576041699b52e2a3eddb04819000376696a1ad869711dc5d786473e9b9f3c2de

SHA512
32c74021848f6d9b5dc6d38287fe992299c8e1a12113203e1dbcab5f5d2abe922fa9fdf62e6ba0d6dac8c3d5ea5e66af5deca42fa51f2b0b699e90a89cd82e67

Download Submit
\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSCCBD02A02436E4CF18C47825E8A3BDC36.TMP

Filesize
1KB

MD5
b5189fb271be514bec128e0d0809c04e

SHA1
5dd625d27ed30fca234ec097ad66f6c13a7edcbe

SHA256
e1984ba1e3ff8b071f7a320a6f1f18e1d5f4f337d31dc30d5bdfb021df39060f

SHA512
f0fcb8f97279579beb59f58ea89527ee0d86a64c9de28300f14460bec6c32dda72f0e6466573b6654a1e992421d6fe81ae7cce50f27059f54cf9fdca6953602e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jud2qehj\jud2qehj.0.cs

Filesize
403B

MD5
ff6062b059f10236046c2e3f73aa1b80

SHA1
938a61259379a9f0f34427a651adedd4baf4a4d2

SHA256
47d51a2ad358aca9adc9f46a63b40751165bf22a04e191387e8a75b1c211e954

SHA512
22c2bcb1502b13d13041742a11b80570b8c0d035ad0465a3f86238fc6a058b623c418b2ac1bd47f525f98e79275214fd3ccfb8f7c6f534079bd2e2a58e8e485c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jud2qehj\jud2qehj.cmdline

Filesize
265B

MD5
82b360c7df80d5d6f4bc038557081d04

SHA1
157824a2a2693b783682827a83c7f7642a8826ec

SHA256
3797f218cd44446db9542a32e8dff9c2f33dc356ab54bf600b90815cade9a727

SHA512
ef48ad2bf7cd053dde9cfc96f6f208041685f6e0231d7729b1c31982bba84f5e9c67b4c9afd054f64d6db2855968b755da14464e93d2198a85c53ab19bb5bc0b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rxwl21hf\rxwl21hf.0.cs

Filesize
373B

MD5
6c359a93ae8ea572c0fda858258a9684

SHA1
c58d0791ce210441e2bddf0b9e54f4fd80c4503e

SHA256
568fba81e6f0b9b5f231900c20780fbb5bbe8213c809ff0822d2ae5e66da0f15

SHA512
51d603f2c35277d749ae87b286d71e4fbb4e727f159753423171255757e4e98c598513fedeee518c94aed6a2b69463c4bc0e2e793552981d172a83a06ba85ad0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rxwl21hf\rxwl21hf.cmdline

Filesize
235B

MD5
7680fc83aa5d7380d2bd8aeae4dac731

SHA1
eb2937686c800507145fa4a7cee6f0716d83293e

SHA256
8877423de482e195d33e239d77c9c10d0be738cd48608cbb5ccd5f1adde925a1

SHA512
c6ae6b2d3c2cf0da4ce0d8e4181aebb92b3c802c073659ff76fca7b262cbc2cb3d029a94997f50f40adfc26cb5709e1b7a1c83cf024b33b0d6b70fb8a605dc05

Download Submit
\??\c:\Windows\System32\CSC16FD105CA34F4471B2249FD21CD9E4E0.TMP

Filesize
1KB

MD5
77206c189a7222ae6a85329169ea0b4a

SHA1
37f25135e1b19c6336412dfb42cabe21d87fa8da

SHA256
ceee768670578bed5eebc2f643714daf32e8c668886b25752cea365958698d7f

SHA512
b35fcdfd984ff8fe90b04841bf861c2eefd26318d3fd848bc6fdc7fef89e66a17b2e0d5fee1ceba82782817544619334758464684d33914515ca95c48c645e30

Download Submit
memory/2224-0-0x00007FFEDE663000-0x00007FFEDE665000-memory.dmp

Filesize
8KB

Download
memory/2224-23-0x00007FFEDE660000-0x00007FFEDF121000-memory.dmp

Filesize
10.8MB

Download
memory/2224-2-0x00007FFEDE660000-0x00007FFEDF121000-memory.dmp

Filesize
10.8MB

Download
memory/2224-1-0x0000000000220000-0x000000000040C000-memory.dmp

Filesize
1.9MB

Download
memory/2280-47-0x000000001AE00000-0x000000001AE18000-memory.dmp

Filesize
96KB

Download
memory/2280-49-0x0000000002280000-0x000000000228C000-memory.dmp

Filesize
48KB

Download
memory/2280-45-0x000000001AE50000-0x000000001AEA0000-memory.dmp

Filesize
320KB

Download
memory/2280-44-0x000000001ADE0000-0x000000001ADFC000-memory.dmp

Filesize
112KB

Download
memory/2280-42-0x0000000002270000-0x000000000227E000-memory.dmp

Filesize
56KB

Download
memory/2280-40-0x00000000000D0000-0x00000000002AA000-memory.dmp

Filesize
1.9MB

Download
memory/2988-26-0x00007FFEDE660000-0x00007FFEDF121000-memory.dmp

Filesize
10.8MB

Download
memory/2988-24-0x00007FFEDE660000-0x00007FFEDF121000-memory.dmp

Filesize
10.8MB

Download
memory/2988-16-0x0000000000070000-0x00000000000F6000-memory.dmp

Filesize
536KB

Download
memory/5252-119-0x00000148A1230000-0x00000148A1252000-memory.dmp

Filesize
136KB

Download