dcrat | e3695272fa7651aa35324249135e6ea4f10166a20fc896fbe67d9c4e3eaa28f4

Analysis

max time kernel
99s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 03:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e79948761051a1e17f02524190df4a72.exe
Size

6.8MB
MD5

e79948761051a1e17f02524190df4a72
SHA1

de5e022a20d3042f86cc32c0094ed8c289d16af1
SHA256

e3695272fa7651aa35324249135e6ea4f10166a20fc896fbe67d9c4e3eaa28f4
SHA512

de9d9cd0caec960af644c26517ec5a726295b4f7847849092de28ecbe04ae97ac4636ce2335974dc0b6c8e1455b0192248e3abf3c8befc4ae809e14f9f7b27dc
SSDEEP

196608:T/HMlS2JxmYcmcg7XGqb6Msq51GPfe7qfGAb:7slSDVoXGe1GrfPb

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3328	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4024	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3688	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3788	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3352	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	732	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3304	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3424	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4988	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3272	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3416	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4336	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4152	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4384	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4440	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	4120	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4224	4120	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\build.exe	dcrat
behavioral2/memory/4756-13-0x0000000000400000-0x0000000000AD7000-memory.dmp	dcrat
C:\sessionperf\chainproviderbroker.exe	dcrat
behavioral2/memory/4080-27-0x0000000000020000-0x0000000000154000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

build.exeWScript.exechainproviderbroker.exechainproviderbroker.exechainproviderbroker.exee79948761051a1e17f02524190df4a72.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	build.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	chainproviderbroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	chainproviderbroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	chainproviderbroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	e79948761051a1e17f02524190df4a72.exe

Executes dropped EXE 5 IoCs

Processes:

build.exechainproviderbroker.exechainproviderbroker.exechainproviderbroker.exeRuntimeBroker.exe

pid process

3516 build.exe
4080 chainproviderbroker.exe
1012 chainproviderbroker.exe
5028 chainproviderbroker.exe
2476 RuntimeBroker.exe

pid	process
3516	build.exe
4080	chainproviderbroker.exe
1012	chainproviderbroker.exe
5028	chainproviderbroker.exe
2476	RuntimeBroker.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Program Files directory 39 IoCs

Processes:

chainproviderbroker.exechainproviderbroker.exechainproviderbroker.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe	chainproviderbroker.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\lsass.exe	chainproviderbroker.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\e6c9b481da804f	chainproviderbroker.exe
File created	C:\Program Files\Windows Photo Viewer\uk-UA\RuntimeBroker.exe	chainproviderbroker.exe
File created	C:\Program Files\Windows Media Player\upfc.exe	chainproviderbroker.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\smss.exe	chainproviderbroker.exe
File created	C:\Program Files\Google\Chrome\Application\RuntimeBroker.exe	chainproviderbroker.exe
File created	C:\Program Files\Windows Defender\SppExtComObj.exe	chainproviderbroker.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\dwm.exe	chainproviderbroker.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\69ddcba757bf72	chainproviderbroker.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\fontdrvhost.exe	chainproviderbroker.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\5b884080fd4f94	chainproviderbroker.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\6203df4a6bafc7	chainproviderbroker.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PSReadline\RuntimeBroker.exe	chainproviderbroker.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PSReadline\9e8d7a4ca61bd9	chainproviderbroker.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\97996fe15ad3e0	chainproviderbroker.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\9e8d7a4ca61bd9	chainproviderbroker.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\RuntimeBroker.exe	chainproviderbroker.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\upfc.exe	chainproviderbroker.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\ea1d8f6d871115	chainproviderbroker.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\TextInputHost.exe	chainproviderbroker.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\chainproviderbroker.exe	chainproviderbroker.exe
File created	C:\Program Files (x86)\Windows Defender\TextInputHost.exe	chainproviderbroker.exe
File created	C:\Program Files\Windows Photo Viewer\uk-UA\9e8d7a4ca61bd9	chainproviderbroker.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\0a1fd5f707cd16	chainproviderbroker.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\6cb0b6c459d5d3	chainproviderbroker.exe
File created	C:\Program Files\Windows Defender\e1ef82546f0b02	chainproviderbroker.exe
File created	C:\Program Files (x86)\Windows Portable Devices\6ccacd8608530f	chainproviderbroker.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe	chainproviderbroker.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\cc11b995f2a76d	chainproviderbroker.exe
File created	C:\Program Files (x86)\Windows Defender\22eafd247d37c3	chainproviderbroker.exe
File created	C:\Program Files\Java\jre8\lib\winlogon.exe	chainproviderbroker.exe
File created	C:\Program Files\Java\jre8\lib\cc11b995f2a76d	chainproviderbroker.exe
File created	C:\Program Files (x86)\Windows Portable Devices\Idle.exe	chainproviderbroker.exe
File created	C:\Program Files\Windows Media Player\ea1d8f6d871115	chainproviderbroker.exe
File created	C:\Program Files\Windows Portable Devices\WmiPrvSE.exe	chainproviderbroker.exe
File created	C:\Program Files\Windows Portable Devices\24dbde2999530e	chainproviderbroker.exe
File created	C:\Program Files\Google\Chrome\Application\9e8d7a4ca61bd9	chainproviderbroker.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\OfficeClickToRun.exe	chainproviderbroker.exe

Drops file in Windows directory 12 IoCs

Processes:

chainproviderbroker.exechainproviderbroker.exe

description	ioc	process
File created	C:\Windows\en-US\133006b48fb54b	chainproviderbroker.exe
File created	C:\Windows\PLA\System\f3b6ecef712a24	chainproviderbroker.exe
File created	C:\Windows\Media\Festival\22eafd247d37c3	chainproviderbroker.exe
File created	C:\Windows\Speech_OneCore\winlogon.exe	chainproviderbroker.exe
File created	C:\Windows\ja-JP\5b884080fd4f94	chainproviderbroker.exe
File created	C:\Windows\Speech_OneCore\cc11b995f2a76d	chainproviderbroker.exe
File created	C:\Windows\en-US\msiexec.exe	chainproviderbroker.exe
File created	C:\Windows\PLA\System\spoolsv.exe	chainproviderbroker.exe
File created	C:\Windows\Media\Festival\TextInputHost.exe	chainproviderbroker.exe
File created	C:\Windows\Registration\smss.exe	chainproviderbroker.exe
File created	C:\Windows\Registration\69ddcba757bf72	chainproviderbroker.exe
File created	C:\Windows\ja-JP\fontdrvhost.exe	chainproviderbroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

Processes:

e79948761051a1e17f02524190df4a72.exebuild.exechainproviderbroker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	e79948761051a1e17f02524190df4a72.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	build.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	chainproviderbroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
2608	schtasks.exe
2184	schtasks.exe
2120	schtasks.exe
4384	schtasks.exe
4676	schtasks.exe
3676	schtasks.exe
4668	schtasks.exe
800	schtasks.exe
852	schtasks.exe
860	schtasks.exe
4700	schtasks.exe
2036	schtasks.exe
848	schtasks.exe
4308	schtasks.exe
1688	schtasks.exe
3424	schtasks.exe
640	schtasks.exe
2088	schtasks.exe
396	schtasks.exe
3040	schtasks.exe
4620	schtasks.exe
2136	schtasks.exe
2560	schtasks.exe
4408	schtasks.exe
4708	schtasks.exe
2772	schtasks.exe
2664	schtasks.exe
3156	schtasks.exe
4932	schtasks.exe
5036	schtasks.exe
2020	schtasks.exe
5008	schtasks.exe
2368	schtasks.exe
3316	schtasks.exe
956	schtasks.exe
4376	schtasks.exe
544	schtasks.exe
1860	schtasks.exe
2972	schtasks.exe
3020	schtasks.exe
2300	schtasks.exe
2068	schtasks.exe
4888	schtasks.exe
2664	schtasks.exe
5028	schtasks.exe
3416	schtasks.exe
5004	schtasks.exe
1968	schtasks.exe
3544	schtasks.exe
824	schtasks.exe
1592	schtasks.exe
4460	schtasks.exe
4228	schtasks.exe
3992	schtasks.exe
4040	schtasks.exe
4176	schtasks.exe
3304	schtasks.exe
4060	schtasks.exe
4392	schtasks.exe
8	schtasks.exe
4420	schtasks.exe
4308	schtasks.exe
4608	schtasks.exe
3944	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

chainproviderbroker.exechainproviderbroker.exechainproviderbroker.exeRuntimeBroker.exe

pid	process
4080	chainproviderbroker.exe
4080	chainproviderbroker.exe
4080	chainproviderbroker.exe
1012	chainproviderbroker.exe
1012	chainproviderbroker.exe
1012	chainproviderbroker.exe
1012	chainproviderbroker.exe
1012	chainproviderbroker.exe
1012	chainproviderbroker.exe
1012	chainproviderbroker.exe
1012	chainproviderbroker.exe
1012	chainproviderbroker.exe
1012	chainproviderbroker.exe
1012	chainproviderbroker.exe
1012	chainproviderbroker.exe
1012	chainproviderbroker.exe
5028	chainproviderbroker.exe
5028	chainproviderbroker.exe
5028	chainproviderbroker.exe
5028	chainproviderbroker.exe
5028	chainproviderbroker.exe
5028	chainproviderbroker.exe
5028	chainproviderbroker.exe
5028	chainproviderbroker.exe
5028	chainproviderbroker.exe
5028	chainproviderbroker.exe
5028	chainproviderbroker.exe
5028	chainproviderbroker.exe
5028	chainproviderbroker.exe
5028	chainproviderbroker.exe
2476	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

msiexec.exechainproviderbroker.exechainproviderbroker.exechainproviderbroker.exeRuntimeBroker.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2636	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2636	msiexec.exe
Token: SeDebugPrivilege	4080	chainproviderbroker.exe
Token: SeDebugPrivilege	1012	chainproviderbroker.exe
Token: SeDebugPrivilege	5028	chainproviderbroker.exe
Token: SeDebugPrivilege	2476	RuntimeBroker.exe
Token: SeSecurityPrivilege	4224	msiexec.exe
Token: SeCreateTokenPrivilege	2636	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2636	msiexec.exe
Token: SeLockMemoryPrivilege	2636	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2636	msiexec.exe
Token: SeMachineAccountPrivilege	2636	msiexec.exe
Token: SeTcbPrivilege	2636	msiexec.exe
Token: SeSecurityPrivilege	2636	msiexec.exe
Token: SeTakeOwnershipPrivilege	2636	msiexec.exe
Token: SeLoadDriverPrivilege	2636	msiexec.exe
Token: SeSystemProfilePrivilege	2636	msiexec.exe
Token: SeSystemtimePrivilege	2636	msiexec.exe
Token: SeProfSingleProcessPrivilege	2636	msiexec.exe
Token: SeIncBasePriorityPrivilege	2636	msiexec.exe
Token: SeCreatePagefilePrivilege	2636	msiexec.exe
Token: SeCreatePermanentPrivilege	2636	msiexec.exe
Token: SeBackupPrivilege	2636	msiexec.exe
Token: SeRestorePrivilege	2636	msiexec.exe
Token: SeShutdownPrivilege	2636	msiexec.exe
Token: SeDebugPrivilege	2636	msiexec.exe
Token: SeAuditPrivilege	2636	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2636	msiexec.exe
Token: SeChangeNotifyPrivilege	2636	msiexec.exe
Token: SeRemoteShutdownPrivilege	2636	msiexec.exe
Token: SeUndockPrivilege	2636	msiexec.exe
Token: SeSyncAgentPrivilege	2636	msiexec.exe
Token: SeEnableDelegationPrivilege	2636	msiexec.exe
Token: SeManageVolumePrivilege	2636	msiexec.exe
Token: SeImpersonatePrivilege	2636	msiexec.exe
Token: SeCreateGlobalPrivilege	2636	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

2636 msiexec.exe

pid	process
2636	msiexec.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

e79948761051a1e17f02524190df4a72.exebuild.exeWScript.execmd.exechainproviderbroker.execmd.exechainproviderbroker.exechainproviderbroker.exe

description	pid	process	target process
PID 4756 wrote to memory of 2636	4756	e79948761051a1e17f02524190df4a72.exe	msiexec.exe
PID 4756 wrote to memory of 2636	4756	e79948761051a1e17f02524190df4a72.exe	msiexec.exe
PID 4756 wrote to memory of 2636	4756	e79948761051a1e17f02524190df4a72.exe	msiexec.exe
PID 4756 wrote to memory of 3516	4756	e79948761051a1e17f02524190df4a72.exe	build.exe
PID 4756 wrote to memory of 3516	4756	e79948761051a1e17f02524190df4a72.exe	build.exe
PID 4756 wrote to memory of 3516	4756	e79948761051a1e17f02524190df4a72.exe	build.exe
PID 3516 wrote to memory of 1236	3516	build.exe	WScript.exe
PID 3516 wrote to memory of 1236	3516	build.exe	WScript.exe
PID 3516 wrote to memory of 1236	3516	build.exe	WScript.exe
PID 1236 wrote to memory of 2776	1236	WScript.exe	cmd.exe
PID 1236 wrote to memory of 2776	1236	WScript.exe	cmd.exe
PID 1236 wrote to memory of 2776	1236	WScript.exe	cmd.exe
PID 2776 wrote to memory of 4080	2776	cmd.exe	chainproviderbroker.exe
PID 2776 wrote to memory of 4080	2776	cmd.exe	chainproviderbroker.exe
PID 4080 wrote to memory of 1416	4080	chainproviderbroker.exe	cmd.exe
PID 4080 wrote to memory of 1416	4080	chainproviderbroker.exe	cmd.exe
PID 1416 wrote to memory of 1568	1416	cmd.exe	w32tm.exe
PID 1416 wrote to memory of 1568	1416	cmd.exe	w32tm.exe
PID 1416 wrote to memory of 1012	1416	cmd.exe	chainproviderbroker.exe
PID 1416 wrote to memory of 1012	1416	cmd.exe	chainproviderbroker.exe
PID 1012 wrote to memory of 5028	1012	chainproviderbroker.exe	chainproviderbroker.exe
PID 1012 wrote to memory of 5028	1012	chainproviderbroker.exe	chainproviderbroker.exe
PID 5028 wrote to memory of 2476	5028	chainproviderbroker.exe	RuntimeBroker.exe
PID 5028 wrote to memory of 2476	5028	chainproviderbroker.exe	RuntimeBroker.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e79948761051a1e17f02524190df4a72.exe
"C:\Users\Admin\AppData\Local\Temp\e79948761051a1e17f02524190df4a72.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Modrinth App_0.7.1_x64_en-US.msi"
2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2636

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3516

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\sessionperf\StDKs.vbe"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\sessionperf\Bzp9ojfmO6NhLVjwIYSLn.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2776

C:\sessionperf\chainproviderbroker.exe
"C:\sessionperf\chainproviderbroker.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KZDQZQFNzo.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:1568

C:\sessionperf\chainproviderbroker.exe
"C:\sessionperf\chainproviderbroker.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1012

C:\sessionperf\chainproviderbroker.exe
"C:\sessionperf\chainproviderbroker.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5028

C:\sessionperf\RuntimeBroker.exe
"C:\sessionperf\RuntimeBroker.exe"
9⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
PID:732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Public\AccountPictures\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Public\AccountPictures\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chainproviderbrokerc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\chainproviderbroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chainproviderbroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\chainproviderbroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "chainproviderbrokerc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\chainproviderbroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\sessionperf\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\sessionperf\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\sessionperf\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Downloads\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Downloads\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msiexecm" /sc MINUTE /mo 8 /tr "'C:\Windows\en-US\msiexec.exe'" /f
1⤵
- Process spawned unexpected child process
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msiexec" /sc ONLOGON /tr "'C:\Windows\en-US\msiexec.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msiexecm" /sc MINUTE /mo 5 /tr "'C:\Windows\en-US\msiexec.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jre8\lib\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Java\jre8\lib\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jre8\lib\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\PLA\System\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\PLA\System\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\PLA\System\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\sessionperf\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\sessionperf\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\sessionperf\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\smss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
PID:3672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Users\Default\sysmon.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default\sysmon.exe'" /rl HIGHEST /f
1⤵
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Users\Default\sysmon.exe'" /rl HIGHEST /f
1⤵
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\taskhostw.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\fontdrvhost.exe'" /f
1⤵
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
PID:4044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\System.exe'" /f
1⤵
PID:4112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\System.exe'" /rl HIGHEST /f
1⤵
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
PID:3688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe'" /f
1⤵
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\winlogon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\sessionperf\fontdrvhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\sessionperf\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\sessionperf\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Windows\Media\Festival\TextInputHost.exe'" /f
1⤵
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\Media\Festival\TextInputHost.exe'" /rl HIGHEST /f
1⤵
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Windows\Media\Festival\TextInputHost.exe'" /rl HIGHEST /f
1⤵
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\lsass.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\lsass.exe'" /rl HIGHEST /f
1⤵
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\lsass.exe'" /rl HIGHEST /f
1⤵
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\WindowsPowerShell\Modules\PSReadline\RuntimeBroker.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\PSReadline\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\Modules\PSReadline\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\sessionperf\dllhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\sessionperf\dllhost.exe'" /rl HIGHEST /f
1⤵
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\sessionperf\dllhost.exe'" /rl HIGHEST /f
1⤵
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\sessionperf\RuntimeBroker.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\sessionperf\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\sessionperf\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
PID:3784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\Registration\smss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Registration\smss.exe'" /rl HIGHEST /f
1⤵
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\Registration\smss.exe'" /rl HIGHEST /f
1⤵
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\ja-JP\fontdrvhost.exe'" /f
1⤵
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\ja-JP\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Windows\ja-JP\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\Speech_OneCore\winlogon.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\winlogon.exe'" /rl HIGHEST /f
1⤵
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\Speech_OneCore\winlogon.exe'" /rl HIGHEST /f
1⤵
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
PID:4124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
PID:3300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\RuntimeBroker.exe'" /f
1⤵
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\sessionperf\OfficeClickToRun.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\sessionperf\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\sessionperf\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3944

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4224

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\5940a34987c991
Filesize
90B

MD5
c4f59571473a28ec6b7309e396690612

SHA1
d3940c7445ee610d2e95760170c7165e4740e796

SHA256
fa8e736f31cc981dfecf5139a09873eba9670b5f4ea33d3dcefc104cb2329106

SHA512
d1aff25cc2a1de1a4bfa538f6fa7df917fd230c87893adfb7812ec2f5b9da5db0547d8e9efff7ef5338a89e2b4bc62caef5ac942a29037db9babb3c6c24ad570

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chainproviderbroker.exe.log
Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Temp\KZDQZQFNzo.bat
Filesize
203B

MD5
b9339e880f1257217f3338796aa7c507

SHA1
4e211d41d524df69c718a4a52ac1ce680beeb00c

SHA256
03cce888a6162e747c6ecd710b78fe6283d87f7b60e14d6ba897465ac9f31318

SHA512
6441f5a8114781b87484fcfe949c1c826b842958520993dc94866e4f86ed3dfcb1d190cfc45d2a547c9f13f50ee86830474e9232223847d684f58b7beb54c7a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Modrinth App_0.7.1_x64_en-US.msi
Filesize
5.0MB

MD5
5003486a784143bc96c3577172bbb44a

SHA1
9a960998807126041fae5b4fe9488d7ff3c5ca42

SHA256
b1ac36000cee14b9c36aea4cef7f53ed2e7c18c9534b4ff66f07da11e8c07b59

SHA512
3fd871414cffe35ae649dbb02935eddcad75ee094f2d61f2cef48827dfb852ff3b8e4211f913bf65e4619b2a4989a2807d876a920a105735ac3e59362802ee19

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe
Filesize
1.6MB

MD5
3d90f45673132f332a6c78a52dc531f7

SHA1
fd7ed3856c9946c87afdab26148935f2604794e3

SHA256
2ad72b8a6ffcf7a104f5e9c2aab20271394b25af5afd798a0e731e9f5fd293d7

SHA512
0f376f9e4fa4ac28151f24efb5cf1f3ee8bac7da6c6be0cf4a3a89980cf8c7b7930be2f7591af751fcef04102c3bfbe370ac10f46ca2107b4fd9e7ec75b32ac4

Download Submit
C:\sessionperf\Bzp9ojfmO6NhLVjwIYSLn.bat
Filesize
40B

MD5
468d6e383a53e8afb1cfdef13eb2fa32

SHA1
767d71bdb1ec23d24fd902f32507c475acf2460c

SHA256
57305997be6d5e00a4286bc17a4506f87eca5b91fea8d5d3f9807c4d0fab0724

SHA512
8866a9d48004660a3b39cd5e193d3919a55e5aed83cdfa64d52f91fcf5ae89913ba3c6c7ee65ced9e07dc895594273459ea2dbabbdf77f041bffd289f857f88d

Download Submit
C:\sessionperf\StDKs.vbe
Filesize
209B

MD5
cd32e77669dd6e08056e373ff84e2cb7

SHA1
71367f3fa0bcab49aa2194f26bdbd6b6a238037e

SHA256
ffd98e10c26d00fa3512ead5a0a1a35011db7894cff3d4c53e568a28ea5d03aa

SHA512
4227711947cdcb1e3dd8eb1e8e19c91da0ef1fa6356c5b06cb5b4626a636acc54d1f767073d5cca57eb2f732d058b6a12b51b3b4a6fb52097f2a94eef99d5d7e

Download Submit
C:\sessionperf\chainproviderbroker.exe
Filesize
1.2MB

MD5
0ba781a9b64961c8ab3f72067a1deb5a

SHA1
233e7541fa084f0319c8d7f4b8ee5e0fe72757f6

SHA256
b6bd78da32ef81f729dbb620ff22882f6a90ca5128127c944b5e1759b33fcdfc

SHA512
358ecf3e0baac77976def258552d25eb2334032150ae658e29fcde60452c046966cb6dd686bfa97192436ad5e8c3819b3051ae335bf39f286d73b9e6f09f10af

Download Submit
memory/4080-27-0x0000000000020000-0x0000000000154000-memory.dmp

Filesize
1.2MB

Download
memory/4080-30-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/4080-29-0x000000001B300000-0x000000001B350000-memory.dmp

Filesize
320KB

Download
memory/4080-28-0x00000000021F0000-0x000000000220C000-memory.dmp

Filesize
112KB

Download
memory/4080-31-0x000000001ADA0000-0x000000001ADB6000-memory.dmp

Filesize
88KB

Download
memory/4080-32-0x0000000002220000-0x000000000222C000-memory.dmp

Filesize
48KB

Download
memory/4756-13-0x0000000000400000-0x0000000000AD7000-memory.dmp

Filesize
6.8MB

Download