dcrat | 9d69a62619e5bbe6246ab771b5c839903e0e986438cc26e1bd9a6706c1a9c4ca

Analysis

max time kernel
129s
max time network
152s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
30/03/2025, 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OOBebroker.exe
Size

2.2MB
MD5

c6e4d3fbc193ee034b6ce5b9d2c887b8
SHA1

e2e3037e1b8c20978968b566092729ef823fc64b
SHA256

9d69a62619e5bbe6246ab771b5c839903e0e986438cc26e1bd9a6706c1a9c4ca
SHA512

e7995c6eccecaba8e95abd24eb699a280d57481adb837f8c838157a4eb9b883a0f27fb68ab664c0effdd3a1ab4351193a1ec52f41784caf0b5bc2ef970680b8e
SSDEEP

24576:2TbBv5rUyXVpQ9RcjwzxTSkYsr7zUWgwdha8Tu0C61swPWM1KkNvgA5X9pBHN/ZY:IBJWh9+kjgwdhw16/WM1pNgCX9zVhJ4X

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\1e8fec9deebbf8546c9e7989ba3ccb\\Registry.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\legal\\jdk\\sppsvc.exe\""	serverhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\1e8fec9deebbf8546c9e7989ba3ccb\\Registry.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\legal\\jdk\\sppsvc.exe\", \"C:\\a9cb80bd726921f748e2\\explorer.exe\""	serverhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\1e8fec9deebbf8546c9e7989ba3ccb\\Registry.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\legal\\jdk\\sppsvc.exe\", \"C:\\a9cb80bd726921f748e2\\explorer.exe\", \"C:\\chaincontainerReviewdrivercrt\\WmiPrvSE.exe\""	serverhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\1e8fec9deebbf8546c9e7989ba3ccb\\Registry.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\legal\\jdk\\sppsvc.exe\", \"C:\\a9cb80bd726921f748e2\\explorer.exe\", \"C:\\chaincontainerReviewdrivercrt\\WmiPrvSE.exe\", \"C:\\chaincontainerReviewdrivercrt\\serverhost.exe\""	serverhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	serverhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\1e8fec9deebbf8546c9e7989ba3ccb\\Registry.exe\""	serverhost.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	2768	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	2768	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5488	2768	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	2768	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	2768	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2768	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3400	2768	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	2768	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	2768	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	2768	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	2768	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	2768	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5784	2768	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3836	2768	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2768	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2768	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	2768	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6096	2768	schtasks.exe	87

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3692	powershell.exe
652	powershell.exe
4428	powershell.exe
5616	powershell.exe
2304	powershell.exe
1240	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000\Control Panel\International\Geo\Nation	OOBebroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000\Control Panel\International\Geo\Nation	serverhost.exe

Executes dropped EXE 14 IoCs

pid	Process
5352	serverhost.exe
3356	RuntimeBroker.exe
4376	RuntimeBroker.exe
4128	Registry.exe
3384	Registry.exe
2692	sppsvc.exe
4528	sppsvc.exe
4692	explorer.exe
2432	explorer.exe
2760	WmiPrvSE.exe
4832	WmiPrvSE.exe
4448	serverhost.exe
5044	serverhost.exe
1352	serverhost.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Java\\jdk-1.8\\legal\\jdk\\sppsvc.exe\""	serverhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Java\\jdk-1.8\\legal\\jdk\\sppsvc.exe\""	serverhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\a9cb80bd726921f748e2\\explorer.exe\""	serverhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\chaincontainerReviewdrivercrt\\WmiPrvSE.exe\""	serverhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\chaincontainerReviewdrivercrt\\WmiPrvSE.exe\""	serverhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	serverhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\a9cb80bd726921f748e2\\explorer.exe\""	serverhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\serverhost = "\"C:\\chaincontainerReviewdrivercrt\\serverhost.exe\""	serverhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\serverhost = "\"C:\\chaincontainerReviewdrivercrt\\serverhost.exe\""	serverhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	serverhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\1e8fec9deebbf8546c9e7989ba3ccb\\Registry.exe\""	serverhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\1e8fec9deebbf8546c9e7989ba3ccb\\Registry.exe\""	serverhost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC3D028FA1A383438FBFF2C577A14840F7.TMP	csc.exe
File created	\??\c:\Windows\System32\svldus.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\sppsvc.exe	serverhost.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\0a1fd5f707cd16	serverhost.exe
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSC9FEEB1583A1C4E698BFE023C57C6443.TMP	csc.exe
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	csc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System\Speech\csrss.exe	serverhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OOBebroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2508	PING.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000_Classes\Local Settings	serverhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1709934376-1871646940-4254144759-1000_Classes\Local Settings	OOBebroker.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2508	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5488	schtasks.exe
3736	schtasks.exe
4432	schtasks.exe
400	schtasks.exe
5060	schtasks.exe
4892	schtasks.exe
3400	schtasks.exe
4132	schtasks.exe
3888	schtasks.exe
6096	schtasks.exe
5084	schtasks.exe
4708	schtasks.exe
2620	schtasks.exe
3836	schtasks.exe
2512	schtasks.exe
1260	schtasks.exe
4524	schtasks.exe
5784	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe
5352	serverhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5352	serverhost.exe
Token: SeDebugPrivilege	3356	RuntimeBroker.exe
Token: SeDebugPrivilege	4376	RuntimeBroker.exe
Token: SeDebugPrivilege	4128	Registry.exe
Token: SeDebugPrivilege	3384	Registry.exe
Token: SeDebugPrivilege	4528	sppsvc.exe
Token: SeDebugPrivilege	2692	sppsvc.exe
Token: SeDebugPrivilege	2432	explorer.exe
Token: SeDebugPrivilege	4692	explorer.exe
Token: SeDebugPrivilege	2760	WmiPrvSE.exe
Token: SeDebugPrivilege	4832	WmiPrvSE.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	652	powershell.exe
Token: SeDebugPrivilege	5616	powershell.exe
Token: SeDebugPrivilege	3692	powershell.exe
Token: SeDebugPrivilege	4448	serverhost.exe
Token: SeDebugPrivilege	5044	serverhost.exe
Token: SeIncreaseQuotaPrivilege	2304	powershell.exe
Token: SeSecurityPrivilege	2304	powershell.exe
Token: SeTakeOwnershipPrivilege	2304	powershell.exe
Token: SeLoadDriverPrivilege	2304	powershell.exe
Token: SeSystemProfilePrivilege	2304	powershell.exe
Token: SeSystemtimePrivilege	2304	powershell.exe
Token: SeProfSingleProcessPrivilege	2304	powershell.exe
Token: SeIncBasePriorityPrivilege	2304	powershell.exe
Token: SeCreatePagefilePrivilege	2304	powershell.exe
Token: SeBackupPrivilege	2304	powershell.exe
Token: SeRestorePrivilege	2304	powershell.exe
Token: SeShutdownPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeSystemEnvironmentPrivilege	2304	powershell.exe
Token: SeRemoteShutdownPrivilege	2304	powershell.exe
Token: SeUndockPrivilege	2304	powershell.exe
Token: SeManageVolumePrivilege	2304	powershell.exe
Token: 33	2304	powershell.exe
Token: 34	2304	powershell.exe
Token: 35	2304	powershell.exe
Token: 36	2304	powershell.exe
Token: SeIncreaseQuotaPrivilege	3692	powershell.exe
Token: SeSecurityPrivilege	3692	powershell.exe
Token: SeTakeOwnershipPrivilege	3692	powershell.exe
Token: SeLoadDriverPrivilege	3692	powershell.exe
Token: SeSystemProfilePrivilege	3692	powershell.exe
Token: SeSystemtimePrivilege	3692	powershell.exe
Token: SeProfSingleProcessPrivilege	3692	powershell.exe
Token: SeIncBasePriorityPrivilege	3692	powershell.exe
Token: SeCreatePagefilePrivilege	3692	powershell.exe
Token: SeBackupPrivilege	3692	powershell.exe
Token: SeRestorePrivilege	3692	powershell.exe
Token: SeShutdownPrivilege	3692	powershell.exe
Token: SeDebugPrivilege	3692	powershell.exe
Token: SeSystemEnvironmentPrivilege	3692	powershell.exe
Token: SeRemoteShutdownPrivilege	3692	powershell.exe
Token: SeUndockPrivilege	3692	powershell.exe
Token: SeManageVolumePrivilege	3692	powershell.exe
Token: 33	3692	powershell.exe
Token: 34	3692	powershell.exe
Token: 35	3692	powershell.exe
Token: 36	3692	powershell.exe
Token: SeIncreaseQuotaPrivilege	4428	powershell.exe
Token: SeSecurityPrivilege	4428	powershell.exe
Token: SeTakeOwnershipPrivilege	4428	powershell.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 5268	1324	OOBebroker.exe	83
PID 1324 wrote to memory of 5268	1324	OOBebroker.exe	83
PID 1324 wrote to memory of 5268	1324	OOBebroker.exe	83
PID 5268 wrote to memory of 2240	5268	WScript.exe	89
PID 5268 wrote to memory of 2240	5268	WScript.exe	89
PID 5268 wrote to memory of 2240	5268	WScript.exe	89
PID 2240 wrote to memory of 5352	2240	cmd.exe	91
PID 2240 wrote to memory of 5352	2240	cmd.exe	91
PID 5352 wrote to memory of 5484	5352	serverhost.exe	95
PID 5352 wrote to memory of 5484	5352	serverhost.exe	95
PID 5484 wrote to memory of 2752	5484	csc.exe	97
PID 5484 wrote to memory of 2752	5484	csc.exe	97
PID 5352 wrote to memory of 4684	5352	serverhost.exe	98
PID 5352 wrote to memory of 4684	5352	serverhost.exe	98
PID 4684 wrote to memory of 5296	4684	csc.exe	100
PID 4684 wrote to memory of 5296	4684	csc.exe	100
PID 4072 wrote to memory of 3356	4072	cmd.exe	107
PID 4072 wrote to memory of 3356	4072	cmd.exe	107
PID 1120 wrote to memory of 4376	1120	cmd.exe	113
PID 1120 wrote to memory of 4376	1120	cmd.exe	113
PID 3868 wrote to memory of 4128	3868	cmd.exe	116
PID 3868 wrote to memory of 4128	3868	cmd.exe	116
PID 3036 wrote to memory of 3384	3036	cmd.exe	122
PID 3036 wrote to memory of 3384	3036	cmd.exe	122
PID 3780 wrote to memory of 2692	3780	cmd.exe	126
PID 3780 wrote to memory of 2692	3780	cmd.exe	126
PID 2472 wrote to memory of 4528	2472	cmd.exe	132
PID 2472 wrote to memory of 4528	2472	cmd.exe	132
PID 764 wrote to memory of 4692	764	cmd.exe	139
PID 764 wrote to memory of 4692	764	cmd.exe	139
PID 3924 wrote to memory of 2432	3924	cmd.exe	140
PID 3924 wrote to memory of 2432	3924	cmd.exe	140
PID 5352 wrote to memory of 3692	5352	serverhost.exe	145
PID 5352 wrote to memory of 3692	5352	serverhost.exe	145
PID 5352 wrote to memory of 1240	5352	serverhost.exe	146
PID 5352 wrote to memory of 1240	5352	serverhost.exe	146
PID 5352 wrote to memory of 2304	5352	serverhost.exe	147
PID 5352 wrote to memory of 2304	5352	serverhost.exe	147
PID 5352 wrote to memory of 5616	5352	serverhost.exe	148
PID 5352 wrote to memory of 5616	5352	serverhost.exe	148
PID 5352 wrote to memory of 4428	5352	serverhost.exe	149
PID 5352 wrote to memory of 4428	5352	serverhost.exe	149
PID 5352 wrote to memory of 652	5352	serverhost.exe	150
PID 5352 wrote to memory of 652	5352	serverhost.exe	150
PID 6100 wrote to memory of 2760	6100	cmd.exe	161
PID 6100 wrote to memory of 2760	6100	cmd.exe	161
PID 2092 wrote to memory of 4832	2092	cmd.exe	162
PID 2092 wrote to memory of 4832	2092	cmd.exe	162
PID 5352 wrote to memory of 4804	5352	serverhost.exe	163
PID 5352 wrote to memory of 4804	5352	serverhost.exe	163
PID 3688 wrote to memory of 4448	3688	cmd.exe	165
PID 3688 wrote to memory of 4448	3688	cmd.exe	165
PID 5640 wrote to memory of 5044	5640	cmd.exe	166
PID 5640 wrote to memory of 5044	5640	cmd.exe	166
PID 4804 wrote to memory of 5004	4804	cmd.exe	167
PID 4804 wrote to memory of 5004	4804	cmd.exe	167
PID 4804 wrote to memory of 2508	4804	cmd.exe	169
PID 4804 wrote to memory of 2508	4804	cmd.exe	169
PID 4804 wrote to memory of 1352	4804	cmd.exe	171
PID 4804 wrote to memory of 1352	4804	cmd.exe	171

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\OOBebroker.exe
"C:\Users\Admin\AppData\Local\Temp\OOBebroker.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\chaincontainerReviewdrivercrt\t6M6Q0AnN1GUrwT72lyVELiWYnYMpKI9bCZN9yIDN7gc.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\chaincontainerReviewdrivercrt\LH7yOlV2f3Ve78PmysR2vEMZx2R.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\chaincontainerReviewdrivercrt\serverhost.exe
      "C:\chaincontainerReviewdrivercrt/serverhost.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5352
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\whnwworz\whnwworz.cmdline"
        5⤵
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:5484
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B6C.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC9FEEB1583A1C4E698BFE023C57C6443.TMP"
        6⤵
        
        PID:2752
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fg4s0utf\fg4s0utf.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4684
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6BD9.tmp" "c:\Windows\System32\CSC3D028FA1A383438FBFF2C577A14840F7.TMP"
        6⤵
        
        PID:5296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\1e8fec9deebbf8546c9e7989ba3ccb\Registry.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk-1.8\legal\jdk\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\a9cb80bd726921f748e2\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\chaincontainerReviewdrivercrt\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4428
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\chaincontainerReviewdrivercrt\serverhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:652
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QIWQtD8pAS.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4804
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:5004
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2508
      - C:\chaincontainerReviewdrivercrt\serverhost.exe
        
        "C:\chaincontainerReviewdrivercrt\serverhost.exe"
        6⤵
        Executes dropped EXE
        
        PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Recovery\WindowsRE\RuntimeBroker.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Recovery\WindowsRE\RuntimeBroker.exe
  C:\Recovery\WindowsRE\RuntimeBroker.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Recovery\WindowsRE\RuntimeBroker.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Recovery\WindowsRE\RuntimeBroker.exe
  C:\Recovery\WindowsRE\RuntimeBroker.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\1e8fec9deebbf8546c9e7989ba3ccb\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\1e8fec9deebbf8546c9e7989ba3ccb\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\1e8fec9deebbf8546c9e7989ba3ccb\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\1e8fec9deebbf8546c9e7989ba3ccb\Registry.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3868
- C:\1e8fec9deebbf8546c9e7989ba3ccb\Registry.exe
  C:\1e8fec9deebbf8546c9e7989ba3ccb\Registry.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\1e8fec9deebbf8546c9e7989ba3ccb\Registry.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3036
- C:\1e8fec9deebbf8546c9e7989ba3ccb\Registry.exe
  C:\1e8fec9deebbf8546c9e7989ba3ccb\Registry.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk-1.8\legal\jdk\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\legal\jdk\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk-1.8\legal\jdk\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files\Java\jdk-1.8\legal\jdk\sppsvc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Program Files\Java\jdk-1.8\legal\jdk\sppsvc.exe
  "C:\Program Files\Java\jdk-1.8\legal\jdk\sppsvc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files\Java\jdk-1.8\legal\jdk\sppsvc.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3780
- C:\Program Files\Java\jdk-1.8\legal\jdk\sppsvc.exe
  "C:\Program Files\Java\jdk-1.8\legal\jdk\sppsvc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\a9cb80bd726921f748e2\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\a9cb80bd726921f748e2\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\a9cb80bd726921f748e2\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\a9cb80bd726921f748e2\explorer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3924
- C:\a9cb80bd726921f748e2\explorer.exe
  C:\a9cb80bd726921f748e2\explorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\a9cb80bd726921f748e2\explorer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:764
- C:\a9cb80bd726921f748e2\explorer.exe
  C:\a9cb80bd726921f748e2\explorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\chaincontainerReviewdrivercrt\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\chaincontainerReviewdrivercrt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\chaincontainerReviewdrivercrt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\chaincontainerReviewdrivercrt\WmiPrvSE.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2092
- C:\chaincontainerReviewdrivercrt\WmiPrvSE.exe
  C:\chaincontainerReviewdrivercrt\WmiPrvSE.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\chaincontainerReviewdrivercrt\WmiPrvSE.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:6100
- C:\chaincontainerReviewdrivercrt\WmiPrvSE.exe
  C:\chaincontainerReviewdrivercrt\WmiPrvSE.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "serverhosts" /sc MINUTE /mo 8 /tr "'C:\chaincontainerReviewdrivercrt\serverhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "serverhost" /sc ONLOGON /tr "'C:\chaincontainerReviewdrivercrt\serverhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "serverhosts" /sc MINUTE /mo 12 /tr "'C:\chaincontainerReviewdrivercrt\serverhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\chaincontainerReviewdrivercrt\serverhost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5640
- C:\chaincontainerReviewdrivercrt\serverhost.exe
  C:\chaincontainerReviewdrivercrt\serverhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\chaincontainerReviewdrivercrt\serverhost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3688
- C:\chaincontainerReviewdrivercrt\serverhost.exe
  C:\chaincontainerReviewdrivercrt\serverhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
847B

MD5
37544b654facecb83555afec67d08b33

SHA1
4dc0f5db034801784b01befef5c1d3304145e1dc

SHA256
ec084a6c6ecd7d31f1927b0cd926ec03ce346a469f24e5a860e05f2241bd7bf4

SHA512
4af827ead52c8769672f58a69fca18484aeba1e59b7ec0527e200f8e3d893bcbc1063ea820260fc0b922985ee3b26c3a6f79b4044fb34f1b58f2e3379971b5f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\serverhost.exe.log

Filesize
1KB

MD5
3472240ba9018b36cebbb3fa4d9ecde2

SHA1
fa7d94af70df8bd1719c25cc1485c093354e3cb6

SHA256
4ff5eaa183765d37205065b36b4212117fe7cc93216a5cdc88649d8943b4f449

SHA512
4ac5bedcf0e686dd86e82ca4dc02f6ec0b5a3a5dd06056856dee7ef230f3abbf37e8237a08f3d9d31e24bf9c8a21eca04a824846a2f5bd50d6defd470a53db3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
da62ffd2b13276d5193fdf0b09250bef

SHA1
18a4b4366170f63cdd835cdbc3df7310f119b865

SHA256
f95fdbaf703cb38772b58400049718cbf3d8fc10b435e46ca006a5720e63c852

SHA512
e3dd3b64807b3b348d1bda99dd42cfbbaa0328df7f6c936ecbd9d0ef2efc52794ce7f42bdb2cb4e1b261bcffc2a60de9e84fe2d65753feaa2c655fa79e58b643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8c6476026a8a884d857437c4c08ec03b

SHA1
aae618218eebefd36558029c8a36157a824010b6

SHA256
8d79d593903eb26beded98a09523180b07b01ba4011b57269fca7dcd158ecd33

SHA512
fa8073126cfb1f0a09f50b827c71a1f477ff3f22673fbcc907165e5e0b0ed9e9d4d25be564d0f8216636b2616f8367696d19187819b8025529c59bbbbca2c19d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
160B

MD5
a53f7e462926a717a52d18c9251ae9ac

SHA1
9841c96d276501b4699de582ebdfe9f45f08d235

SHA256
6c0bf6ea5fedca7a968c2e8e62cc74601b897f962499403bab2740784815061e

SHA512
e44dff344a3743fa881be08db1ce7c47cf76c11b7f228b4f65469982b80a8383be9fb9cb39ab1f4c3128d4294b6040fbd76827e43d07da739d061bc8b2d9fa30

Download Submit
C:\Users\Admin\AppData\Local\Temp\QIWQtD8pAS.bat

Filesize
175B

MD5
e56ecd641719c83914fc2d575c330e4d

SHA1
2f58cb5a1feb30bc4dcec3e0e1aecaa3cd254c35

SHA256
d299c2e042b7b8140b7426484c9a26978b5b5247d52365da98a55a53cef7819c

SHA512
f0afe3c21735587b12f1d2fbee3468128a3e0f87ab03c0d6f0f3c9001debb76a99420c2f874e4869a4b78b978ecec3b96358c37f73f7fd8149a5863fbefdafec

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6B6C.tmp

Filesize
1KB

MD5
d4569f352fbd7508f2b7e72696592eff

SHA1
c9a9f25bbc4b7e0ca79972a9152a0ab8bf085821

SHA256
977f7e15e3268ad0e206db719827045cbe9caf98037308e7c871c13edb53efe6

SHA512
7489be9599bee15129a99e6357e5320fd50c0c3ab61ebdf7aff9819ae0e14548b110fe06fd5dfc0c727d25dfd139566baa431aaa0c378a563674c6a71b4a46b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6BD9.tmp

Filesize
1KB

MD5
9739e0b166b6111837695db330cb402c

SHA1
1a05bf2bc3940d936fde6b6bd9a8f78facfe6b06

SHA256
8b212150138e447fd495e65a7f5679e6b44e5fef0c5c3d004048b39db96acd84

SHA512
7d61880c0789e0d69d2f8cb104240d365bad2f84bdbf783a6e4c12637bc15cb358898abd1aaa9905dce96ffafceea61a59c4d5c2d3ac10abf79848908ca8a53b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_exnt2ovp.sew.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\chaincontainerReviewdrivercrt\LH7yOlV2f3Ve78PmysR2vEMZx2R.bat

Filesize
94B

MD5
28b861e3dde5195dade9e5f43caa2642

SHA1
bf47bcd6b46519a9efb3bdc4d73812dee2838deb

SHA256
7a72bec229ed3018e9a848ebd40d7c908a05a76f531d1825de59ff19aea6768a

SHA512
1ffaff23a20d9892919e869dbd6b320dd040b21ce4c34628ba05b58892efe473f80f2c5f59af96a7adfcf2d9a0ea9ad3e1dfa07b0d40cb3497b293497c5d833d

Download Submit
C:\chaincontainerReviewdrivercrt\serverhost.exe

Filesize
1.9MB

MD5
362f534e2fbbce022c987e05b444f346

SHA1
1ef45c558f72d781b122ca77e2637576c9900a4e

SHA256
719d0f0e58a2f3c1000d470cd72d307a7398451a8f95a81545ccfcea911228dc

SHA512
fe33b8e721a4e40dcc44fdb878ea384b8e8d72702638c979d3ec86300bdabf3740cc869a0ce598b8ff2a8d98f911eb355374f705bccedec1068f4549f966a5e2

Download Submit
C:\chaincontainerReviewdrivercrt\t6M6Q0AnN1GUrwT72lyVELiWYnYMpKI9bCZN9yIDN7gc.vbe

Filesize
234B

MD5
7f6c02291e2873907c31dc4bfa759d2f

SHA1
62517d053e28f9dad5abf4bdfd8cc3d83d81b9d6

SHA256
e872122329bdc330483008769d1b0053a1a24c44c3f08c642c01916bec26159e

SHA512
4fc8dcf49656303d011b95da807d1ae99020e83c8858e3842ffffad6743c8c8aa40d4362d5ea49b7433d9193b0a216cf7f4dc80f8edcbfa8647687a16a05ca97

Download Submit
\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSC9FEEB1583A1C4E698BFE023C57C6443.TMP

Filesize
1KB

MD5
b5189fb271be514bec128e0d0809c04e

SHA1
5dd625d27ed30fca234ec097ad66f6c13a7edcbe

SHA256
e1984ba1e3ff8b071f7a320a6f1f18e1d5f4f337d31dc30d5bdfb021df39060f

SHA512
f0fcb8f97279579beb59f58ea89527ee0d86a64c9de28300f14460bec6c32dda72f0e6466573b6654a1e992421d6fe81ae7cce50f27059f54cf9fdca6953602e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fg4s0utf\fg4s0utf.0.cs

Filesize
371B

MD5
7cf61a29aeac505f89ae6315cc865e68

SHA1
697db0e421e09ac6b2af1cbc54295a89ae379865

SHA256
b243107157d98989b11ec5323495b6fe4b0dc94d14a6f7b2de5f3e6e5e413501

SHA512
f390b2a41e509de211d51da15a52901ff33a101df4ac4528e20b88ee62877a86f04ee2cdf69d405098870cd6fc82274987d0c6720b32b487d3ca0737815992df

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fg4s0utf\fg4s0utf.cmdline

Filesize
235B

MD5
55a9b4f8cb49ebbb743ce0407ee56be0

SHA1
57608ae3cfdfc4405e1a90816d6436bcbd88c23f

SHA256
513b7bfd1eec79cd014daad56a2ccb0691394088bc7adeac29c7136c083b56fd

SHA512
f5b4503e333a09d682f018d1d4078cbd8e4656bd6e04d73bef3fb4f0e006a10f12d042c850fe0109fc56900cb17c8f60d384cccf07632e2e5de8eedfa5add218

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\whnwworz\whnwworz.0.cs

Filesize
401B

MD5
4e970ca6cc608d5b6fd808a9bfff8cf4

SHA1
21146f19c461277458601e5dcca99a724c1747b8

SHA256
720ae7f25231a77d1186fcfd73d0b7e87f33e2c226577069dacf099f9da443cd

SHA512
ee4388bcc798f2e053018b69534bd8489cbc18a223c39114a1da73d60d8258368f31b5e5c173d0ba1b5c8e2322e6c433a480074e79538daf2e5610367d047c0e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\whnwworz\whnwworz.cmdline

Filesize
265B

MD5
d800d14ec186d034d1552b0e83e2ebf3

SHA1
d82be7baaf4262d64709586157a2cf119a3d5420

SHA256
cdfbae07db972bf718156f3143b59f7a407c68d271ba47679f286eb52b36332b

SHA512
28a69fad51d93738a2a04ce7ee23d2e4bb6601d3a6fd8d2c186a846e10cb3df92b190cfc2f5dc3b146f42360f8b4c7b425749208655d2089f4b076994479a0a1

Download Submit
\??\c:\Windows\System32\CSC3D028FA1A383438FBFF2C577A14840F7.TMP

Filesize
1KB

MD5
d3918b1024de2c298e82b6832ff10caa

SHA1
185db94e32b0d439844ecb8ca43642a310dccf9e

SHA256
5a488ebcc353e95f69f4570cf44759c93969a3c06e1dcf11cfe70b728d794ec1

SHA512
5e4c610c91b68807f6a770b4a4ea018547e568dd66e19eecb213d76343a41340270bbacf61aba600290835a22bd4c041df19e4e566842f1aa23b9eb0e3a35f97

Download Submit
memory/1240-85-0x0000022950C80000-0x0000022950CA2000-memory.dmp

Filesize
136KB

Download
memory/5352-23-0x000000001BBA0000-0x000000001BBB8000-memory.dmp

Filesize
96KB

Download
memory/5352-21-0x000000001BBF0000-0x000000001BC40000-memory.dmp

Filesize
320KB

Download
memory/5352-20-0x000000001BB80000-0x000000001BB9C000-memory.dmp

Filesize
112KB

Download
memory/5352-18-0x000000001BA30000-0x000000001BA3E000-memory.dmp

Filesize
56KB

Download
memory/5352-16-0x0000000000C60000-0x0000000000E42000-memory.dmp

Filesize
1.9MB

Download
memory/5352-15-0x00007FFC74393000-0x00007FFC74395000-memory.dmp

Filesize
8KB

Download
memory/5352-27-0x000000001BA50000-0x000000001BA5C000-memory.dmp

Filesize
48KB

Download
memory/5352-25-0x000000001BA40000-0x000000001BA4C000-memory.dmp

Filesize
48KB

Download