dcrat | 4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
Size

1.7MB
MD5

17ec06d456ef3bb342d301f1a0e7f5ae
SHA1

da6432e5a3cc4f5c52420e0e4adbbb6c22249071
SHA256

4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261
SHA512

bc434febf5ac6600e40134ea72feeef048b895167701bef85c447776a423d533a120bc1feee1173cdeb8b0a13f8d2bddb2d8200b7ec005f3b8aaad430300de28
SSDEEP

49152:D+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:uTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	460	3440	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	3440	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	3440	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	3440	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	3440	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	3440	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	3440	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	3440	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	3440	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3224	3440	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	3440	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	3440	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	3440	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	3440	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	3440	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	3440	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3436	3440	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	3440	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	3440	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	3440	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	3440	schtasks.exe	82

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/4212-1-0x0000000000990000-0x0000000000B50000-memory.dmp	dcrat
behavioral2/files/0x0007000000023c96-30.dat	dcrat
behavioral2/files/0x0008000000023c9f-61.dat	dcrat
behavioral2/files/0x0009000000023c89-72.dat	dcrat
behavioral2/files/0x000a000000023c8e-95.dat	dcrat
behavioral2/memory/4104-255-0x0000000000930000-0x0000000000AF0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4484	powershell.exe
3064	powershell.exe
2400	powershell.exe
4452	powershell.exe
4160	powershell.exe
448	powershell.exe
1500	powershell.exe
4408	powershell.exe
3760	powershell.exe
3684	powershell.exe
2880	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 8 IoCs

pid	Process
4104	RuntimeBroker.exe
4020	RuntimeBroker.exe
2668	RuntimeBroker.exe
1108	RuntimeBroker.exe
752	RuntimeBroker.exe
3924	RuntimeBroker.exe
5060	RuntimeBroker.exe
1528	RuntimeBroker.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\Accessories\es-ES\9e8d7a4ca61bd9	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Program Files (x86)\Microsoft.NET\taskhostw.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Program Files (x86)\Microsoft.NET\ea9f0e6c9e2dcd	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Program Files (x86)\Google\Update\Offline\SppExtComObj.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Program Files (x86)\Google\Update\Offline\e1ef82546f0b02	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Program Files\Windows NT\Accessories\es-ES\RuntimeBroker.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Offline\RCXDAD1.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\es-ES\RCXE4DC.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\taskhostw.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\es-ES\RCXE55A.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RCXE9E1.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RCXE9E2.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Offline\RCXDAD2.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\RCXDDC2.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\RuntimeBroker.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\RCXDCE7.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\es-ES\RuntimeBroker.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Offline\SppExtComObj.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Program Files\Windows Media Player\fr-FR\RuntimeBroker.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Program Files\Windows Media Player\fr-FR\9e8d7a4ca61bd9	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Panther\UnattendGC\dwm.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File created	C:\Windows\Panther\UnattendGC\6cb0b6c459d5d3	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Windows\Panther\UnattendGC\RCXDFC7.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Windows\Panther\UnattendGC\RCXE0C2.tmp	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
File opened for modification	C:\Windows\Panther\UnattendGC\dwm.exe	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2952	schtasks.exe
3436	schtasks.exe
2692	schtasks.exe
2344	schtasks.exe
4960	schtasks.exe
1840	schtasks.exe
3224	schtasks.exe
4984	schtasks.exe
4868	schtasks.exe
3000	schtasks.exe
1120	schtasks.exe
552	schtasks.exe
4856	schtasks.exe
460	schtasks.exe
1056	schtasks.exe
1304	schtasks.exe
808	schtasks.exe
2332	schtasks.exe
2960	schtasks.exe
1292	schtasks.exe
4880	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
1500	powershell.exe
1500	powershell.exe
3684	powershell.exe
3684	powershell.exe
2880	powershell.exe
2880	powershell.exe
4452	powershell.exe
4452	powershell.exe
4408	powershell.exe
4408	powershell.exe
448	powershell.exe
448	powershell.exe
2400	powershell.exe
2400	powershell.exe
3760	powershell.exe
3760	powershell.exe
4484	powershell.exe
4484	powershell.exe
3064	powershell.exe
3064	powershell.exe
4160	powershell.exe
4160	powershell.exe
4484	powershell.exe
1500	powershell.exe
3684	powershell.exe
4408	powershell.exe
4452	powershell.exe
3760	powershell.exe
448	powershell.exe
2400	powershell.exe
2880	powershell.exe
3064	powershell.exe
4160	powershell.exe
4104	RuntimeBroker.exe
4104	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	3684	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	4452	powershell.exe
Token: SeDebugPrivilege	4408	powershell.exe
Token: SeDebugPrivilege	3760	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeDebugPrivilege	4160	powershell.exe
Token: SeDebugPrivilege	4104	RuntimeBroker.exe
Token: SeDebugPrivilege	4020	RuntimeBroker.exe
Token: SeDebugPrivilege	2668	RuntimeBroker.exe
Token: SeDebugPrivilege	1108	RuntimeBroker.exe
Token: SeDebugPrivilege	752	RuntimeBroker.exe
Token: SeDebugPrivilege	3924	RuntimeBroker.exe
Token: SeDebugPrivilege	5060	RuntimeBroker.exe
Token: SeDebugPrivilege	1528	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4212 wrote to memory of 2880	4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	104
PID 4212 wrote to memory of 2880	4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	104
PID 4212 wrote to memory of 4160	4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	105
PID 4212 wrote to memory of 4160	4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	105
PID 4212 wrote to memory of 448	4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	106
PID 4212 wrote to memory of 448	4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	106
PID 4212 wrote to memory of 1500	4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	107
PID 4212 wrote to memory of 1500	4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	107
PID 4212 wrote to memory of 4408	4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	108
PID 4212 wrote to memory of 4408	4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	108
PID 4212 wrote to memory of 4452	4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	109
PID 4212 wrote to memory of 4452	4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	109
PID 4212 wrote to memory of 3760	4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	110
PID 4212 wrote to memory of 3760	4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	110
PID 4212 wrote to memory of 4484	4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	111
PID 4212 wrote to memory of 4484	4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	111
PID 4212 wrote to memory of 3064	4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	112
PID 4212 wrote to memory of 3064	4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	112
PID 4212 wrote to memory of 2400	4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	113
PID 4212 wrote to memory of 2400	4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	113
PID 4212 wrote to memory of 3684	4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	114
PID 4212 wrote to memory of 3684	4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	114
PID 4212 wrote to memory of 2680	4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	125
PID 4212 wrote to memory of 2680	4212	4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe	125
PID 2680 wrote to memory of 4496	2680	cmd.exe	128
PID 2680 wrote to memory of 4496	2680	cmd.exe	128
PID 2680 wrote to memory of 4104	2680	cmd.exe	132
PID 2680 wrote to memory of 4104	2680	cmd.exe	132
PID 4104 wrote to memory of 4512	4104	RuntimeBroker.exe	133
PID 4104 wrote to memory of 4512	4104	RuntimeBroker.exe	133
PID 4104 wrote to memory of 3276	4104	RuntimeBroker.exe	134
PID 4104 wrote to memory of 3276	4104	RuntimeBroker.exe	134
PID 4512 wrote to memory of 4020	4512	WScript.exe	140
PID 4512 wrote to memory of 4020	4512	WScript.exe	140
PID 4020 wrote to memory of 4316	4020	RuntimeBroker.exe	141
PID 4020 wrote to memory of 4316	4020	RuntimeBroker.exe	141
PID 4020 wrote to memory of 4556	4020	RuntimeBroker.exe	142
PID 4020 wrote to memory of 4556	4020	RuntimeBroker.exe	142
PID 4316 wrote to memory of 2668	4316	WScript.exe	143
PID 4316 wrote to memory of 2668	4316	WScript.exe	143
PID 2668 wrote to memory of 3760	2668	RuntimeBroker.exe	144
PID 2668 wrote to memory of 3760	2668	RuntimeBroker.exe	144
PID 2668 wrote to memory of 3064	2668	RuntimeBroker.exe	145
PID 2668 wrote to memory of 3064	2668	RuntimeBroker.exe	145
PID 3760 wrote to memory of 1108	3760	WScript.exe	146
PID 3760 wrote to memory of 1108	3760	WScript.exe	146
PID 1108 wrote to memory of 1368	1108	RuntimeBroker.exe	147
PID 1108 wrote to memory of 1368	1108	RuntimeBroker.exe	147
PID 1108 wrote to memory of 4492	1108	RuntimeBroker.exe	148
PID 1108 wrote to memory of 4492	1108	RuntimeBroker.exe	148
PID 1368 wrote to memory of 752	1368	WScript.exe	149
PID 1368 wrote to memory of 752	1368	WScript.exe	149
PID 752 wrote to memory of 1324	752	RuntimeBroker.exe	150
PID 752 wrote to memory of 1324	752	RuntimeBroker.exe	150
PID 752 wrote to memory of 1604	752	RuntimeBroker.exe	151
PID 752 wrote to memory of 1604	752	RuntimeBroker.exe	151
PID 3924 wrote to memory of 1500	3924	RuntimeBroker.exe	153
PID 3924 wrote to memory of 1500	3924	RuntimeBroker.exe	153
PID 3924 wrote to memory of 3600	3924	RuntimeBroker.exe	154
PID 3924 wrote to memory of 3600	3924	RuntimeBroker.exe	154
PID 1500 wrote to memory of 5060	1500	WScript.exe	155
PID 1500 wrote to memory of 5060	1500	WScript.exe	155
PID 5060 wrote to memory of 2512	5060	RuntimeBroker.exe	156
PID 5060 wrote to memory of 2512	5060	RuntimeBroker.exe	156

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe
"C:\Users\Admin\AppData\Local\Temp\4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3684
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MjENmN7Yxv.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4496
- - C:\Program Files\Windows NT\Accessories\es-ES\RuntimeBroker.exe
    "C:\Program Files\Windows NT\Accessories\es-ES\RuntimeBroker.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4104
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c35d208-e421-4a97-8149-e4dd89e67af9.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4512
    - - C:\Program Files\Windows NT\Accessories\es-ES\RuntimeBroker.exe
        
        "C:\Program Files\Windows NT\Accessories\es-ES\RuntimeBroker.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4020
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea175b7d-cd37-4426-a8d9-d7d69d8a7900.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Program Files\Windows NT\Accessories\es-ES\RuntimeBroker.exe
        
        "C:\Program Files\Windows NT\Accessories\es-ES\RuntimeBroker.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1414e254-e60e-4e90-95c4-a0852f6854a9.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3760
        
        C:\Program Files\Windows NT\Accessories\es-ES\RuntimeBroker.exe
        
        "C:\Program Files\Windows NT\Accessories\es-ES\RuntimeBroker.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9c573c8-ce83-4bfb-8371-1edc1a773a14.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Program Files\Windows NT\Accessories\es-ES\RuntimeBroker.exe
        
        "C:\Program Files\Windows NT\Accessories\es-ES\RuntimeBroker.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7dd659dd-b0eb-41ca-918b-3d399e630e8b.vbs"
        12⤵
        
        PID:1324
        
        C:\Program Files\Windows NT\Accessories\es-ES\RuntimeBroker.exe
        
        "C:\Program Files\Windows NT\Accessories\es-ES\RuntimeBroker.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6d7aa36-2b4e-4db6-813a-bb808a0c8c5a.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Program Files\Windows NT\Accessories\es-ES\RuntimeBroker.exe
        
        "C:\Program Files\Windows NT\Accessories\es-ES\RuntimeBroker.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\826d0f06-5e52-4211-95cf-2a966892aa79.vbs"
        16⤵
        
        PID:2512
        
        C:\Program Files\Windows NT\Accessories\es-ES\RuntimeBroker.exe
        
        "C:\Program Files\Windows NT\Accessories\es-ES\RuntimeBroker.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b67e1730-f0ef-4ed1-a3db-5bef523e7cfd.vbs"
        18⤵
        
        PID:3436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6768583a-f5d2-4101-8173-9fab48fe42da.vbs"
        18⤵
        
        PID:508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c754ec6-b89c-41b5-953e-8cdd1dcee028.vbs"
        16⤵
        
        PID:1344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84ac8197-8d97-4069-b356-73a044a16b1b.vbs"
        14⤵
        
        PID:3600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86d2e170-f68b-492c-81a4-3553cb77f5a9.vbs"
        12⤵
        
        PID:1604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfb840b8-13f7-45c2-8d75-7598f343dc6c.vbs"
        10⤵
        
        PID:4492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1994777a-8779-419b-aac0-4ef9ec0481e3.vbs"
        8⤵
        
        PID:3064
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59cfd4ce-42ca-4d93-9aa5-c1f86ec69698.vbs"
        6⤵
        
        PID:4556
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f6d304f-c7ed-43bf-b16b-971c3332931d.vbs"
      4⤵
      PID:3276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Update\Offline\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Offline\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Update\Offline\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\fr-FR\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\Panther\UnattendGC\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Panther\UnattendGC\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Windows\Panther\UnattendGC\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Documents\My Videos\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Documents\My Videos\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Media Player\fr-FR\RuntimeBroker.exe

Filesize
1.7MB

MD5
812c98c64a54f6465760e523f2129d31

SHA1
5fb4cd6d5deb3a2be6b27f1910fd0412ef7fc741

SHA256
3313e58182c62df09340182c5458e110abd287ff2896ffda9bf618510fa2950f

SHA512
77884354e0796a919dc0255620fc24268667ff50f22af459f9fbb022884dec88087055c66f3697bd3f2ab7edbcf09ea42c7f908b7cedb88d18b67e4d3ea20bd3

Download Submit
C:\Program Files\Windows NT\Accessories\es-ES\RuntimeBroker.exe

Filesize
1.7MB

MD5
17ec06d456ef3bb342d301f1a0e7f5ae

SHA1
da6432e5a3cc4f5c52420e0e4adbbb6c22249071

SHA256
4da9f52fc7e59722b82fc6c95f5335025e95173bb31f9d4e84f6c36e42468261

SHA512
bc434febf5ac6600e40134ea72feeef048b895167701bef85c447776a423d533a120bc1feee1173cdeb8b0a13f8d2bddb2d8200b7ec005f3b8aaad430300de28

Download Submit
C:\Program Files\Windows NT\Accessories\es-ES\RuntimeBroker.exe

Filesize
1.7MB

MD5
e0844e430e84efba025432dfea4f1a3d

SHA1
0541104dccd1b964ba6fc5e9190049aec12855ee

SHA256
bd5496bab4ebe1317f6f6f4311b3ada24dac66183abc5ccfde260ac308d0f146

SHA512
f22eb288ec362a9a587b22be4587898a8cb9c4c3bc82c5633cdba7a358eaf67e219357bc778b1bd47d5d06c0758187298e5cbceafff5c9c7c142ceb4c67b55ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1414e254-e60e-4e90-95c4-a0852f6854a9.vbs

Filesize
739B

MD5
0131754b724b0986411bdc985cdcaf38

SHA1
9ac19a98c016d903c4f34e1b2ecfb5f87c0d143e

SHA256
9cb4992b7f94acb548e1379e398d5bddb116fa515d0da09cfc12f88af04d2af2

SHA512
a5ca9b7897447b2bda454ac50059aa6b736265d0b0a1562250c2d02c5e6644457fb0bcf3aa2402f105ef63b1d46cd946675c344391d642a0eaabb0fc660e9fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c35d208-e421-4a97-8149-e4dd89e67af9.vbs

Filesize
739B

MD5
610133cd15d674b8cb825d1411d7c3df

SHA1
bdbad060675335c2ba26a5091868198acb1c086a

SHA256
3b562f74af10836c3c04f136e33f531ed11f6c232f2d5efc55318451bffc9515

SHA512
c3662db77414eb2025cf12a37603afb9a4d864aa39d42bb56a668af7c6c58c391d49365d7057879636f7372230ced3cb81b5473dd6b236b6d3127d80c27e8e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\7f6d304f-c7ed-43bf-b16b-971c3332931d.vbs

Filesize
515B

MD5
b5bdf94dbe85bd4bb3a5de886e81ac1f

SHA1
2d24f4bfe9d14b76314625622ff24543d1f8eee2

SHA256
23dc18a78aae865f9931fc14c20fd48a874fd526cce49ce4fb45167afbbd94bd

SHA512
bcc86ad3a5a3e563d839700522baa5813cb2f83847fb3b9e72183742ec3992faa518f5e1c2262b65e15c3de3310ed475a5acbac31c7c2dd370cccf837f2feb16

Download Submit
C:\Users\Admin\AppData\Local\Temp\826d0f06-5e52-4211-95cf-2a966892aa79.vbs

Filesize
739B

MD5
a3d53b02b44c3e7223ff57299536da7a

SHA1
7947813ec7de67fc515d1bf323615cca26f3f5af

SHA256
052bb75b80c5861ad00a29879948a774fe15e17d3c404c75f21367cc032890c3

SHA512
ccae1a79afb9378c2dabd1aab4d381cdd9e97b7ea8f4a0baea8f8b4be4033308da551d3e9269613de65dbd5dcf500a53acd7960a3b39c2ab708f3db30e0269e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MjENmN7Yxv.bat

Filesize
228B

MD5
d2a6c6a9dbceec3552e04514c2aa73e6

SHA1
450a8456524561f3f4230813abb698e373e8d782

SHA256
de6c34effaa92c91662ca5b2cb10198419c3452e8b2c53889f1f6198adab4f1b

SHA512
c6dce2e22bcedcd748b30149f93307b89bb63131fce2ee7ba646f008e7eac89621c43697397d6056792d70bfbcf1f28d35d763743ffb48a6bbce30a2887f7712

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_esbdnui1.no3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b67e1730-f0ef-4ed1-a3db-5bef523e7cfd.vbs

Filesize
739B

MD5
d5cb5d19e6eff10373cd046565e20e85

SHA1
143f728a562b6fb6724e5d9e4697c93186a6d430

SHA256
8bb4ef2b1e93cddbe93991310615d8b32ff03f2786f1bf4e7bb9b23654c8fa76

SHA512
9a6ab7fef4fa183ec6f0202b08b9232536b8e184c7c8438b2b724ef8cd1fc9a8dae119fae5aaca679b4f728fcc6b6c8fe5738f6701dde158bc060f7ee3a37ba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6d7aa36-2b4e-4db6-813a-bb808a0c8c5a.vbs

Filesize
739B

MD5
8255befc87363f084253b28d8c9df4a8

SHA1
43d3232c94633ec8ea8b0648ef336e13c4019a85

SHA256
44f6fbd4bd2fb9d85bf6d08b91e2da391f75af1a433202b26667b6f3d74ef33d

SHA512
18dba335fe8b79b0f3adba2c7a8c3b7df4ed7aa8443e9d2020d6fce5263fdd14cfd4c38632e021a75c5696edee8ea9de1c68799629fa5c094758d84117e1311a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9c573c8-ce83-4bfb-8371-1edc1a773a14.vbs

Filesize
739B

MD5
c001367693a7c4881eebe5e15c351bf8

SHA1
7d515db28ec1e949a8bdcb7f545d2ac65572f34c

SHA256
fafa03ae723c7f4c893cbdb964dbb4957e2f4359bd88dd1599408e31c98dff71

SHA512
dfc874b9556d2b1fe22dec8f89dca1641a1a700f9e6f2546cfa95160ad4604a8d18dea0f620358506fbd4e1b5fb67250633465a4b51ab72da8e3aa9cd3c3471a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ea175b7d-cd37-4426-a8d9-d7d69d8a7900.vbs

Filesize
739B

MD5
f14230db1ae163953974cd24b5b67d75

SHA1
2266df821f5083784b419d61e1fd76c1ed383aab

SHA256
8b596661c7aaf46a5916e1f3ea5f2cb183a49fce6419ce996226e0dfa8de28d7

SHA512
6adeba8744aefdea815cf3324bb130ee75badbf59a297f6fc485812c996205ee20d0f41aa1b279be420dbd8c03befaec9db2bd7f545f237dc3aace7983217520

Download Submit
C:\Windows\Panther\UnattendGC\dwm.exe

Filesize
1.7MB

MD5
3bee9913c861b354e0cdbb2bca691376

SHA1
3ec310bb1720ff12561a8610b29d8bd1ba7bd6be

SHA256
d75d956292480e6ecd5594099742fd22d4b88af1b52b69d67744c431e1b0f554

SHA512
5243dbfe0f15a1752d9f9b57d53900e3f50da776afec673b8dd449d38577164b1a39fe4684d0ce084882967eae214b66a504c66e493a31eddcfcceec34889fa3

Download Submit
memory/1500-137-0x0000024F94E70000-0x0000024F94E92000-memory.dmp

Filesize
136KB

Download
memory/4020-269-0x000000001C7F0000-0x000000001C802000-memory.dmp

Filesize
72KB

Download
memory/4104-256-0x000000001D240000-0x000000001D252000-memory.dmp

Filesize
72KB

Download
memory/4104-255-0x0000000000930000-0x0000000000AF0000-memory.dmp

Filesize
1.8MB

Download
memory/4212-19-0x000000001B7B0000-0x000000001B7BC000-memory.dmp

Filesize
48KB

Download
memory/4212-23-0x00007FFB411C0000-0x00007FFB41C81000-memory.dmp

Filesize
10.8MB

Download
memory/4212-120-0x00007FFB411C3000-0x00007FFB411C5000-memory.dmp

Filesize
8KB

Download
memory/4212-127-0x00007FFB411C0000-0x00007FFB41C81000-memory.dmp

Filesize
10.8MB

Download
memory/4212-8-0x0000000002CC0000-0x0000000002CD0000-memory.dmp

Filesize
64KB

Download
memory/4212-7-0x0000000002CA0000-0x0000000002CB6000-memory.dmp

Filesize
88KB

Download
memory/4212-22-0x00007FFB411C0000-0x00007FFB41C81000-memory.dmp

Filesize
10.8MB

Download
memory/4212-6-0x0000000002C90000-0x0000000002CA0000-memory.dmp

Filesize
64KB

Download
memory/4212-3-0x0000000002C50000-0x0000000002C6C000-memory.dmp

Filesize
112KB

Download
memory/4212-2-0x00007FFB411C0000-0x00007FFB41C81000-memory.dmp

Filesize
10.8MB

Download
memory/4212-0-0x00007FFB411C3000-0x00007FFB411C5000-memory.dmp

Filesize
8KB

Download
memory/4212-5-0x0000000002C70000-0x0000000002C78000-memory.dmp

Filesize
32KB

Download
memory/4212-15-0x0000000002E40000-0x0000000002E4A000-memory.dmp

Filesize
40KB

Download
memory/4212-4-0x000000001B750000-0x000000001B7A0000-memory.dmp

Filesize
320KB

Download
memory/4212-16-0x0000000002E50000-0x0000000002E5E000-memory.dmp

Filesize
56KB

Download
memory/4212-1-0x0000000000990000-0x0000000000B50000-memory.dmp

Filesize
1.8MB

Download
memory/4212-17-0x0000000002E60000-0x0000000002E68000-memory.dmp

Filesize
32KB

Download
memory/4212-18-0x000000001B7A0000-0x000000001B7AC000-memory.dmp

Filesize
48KB

Download
memory/4212-14-0x0000000002E30000-0x0000000002E3C000-memory.dmp

Filesize
48KB

Download
memory/4212-13-0x000000001C480000-0x000000001C9A8000-memory.dmp

Filesize
5.2MB

Download
memory/4212-10-0x0000000002DF0000-0x0000000002DF8000-memory.dmp

Filesize
32KB

Download
memory/4212-12-0x0000000002E00000-0x0000000002E12000-memory.dmp

Filesize
72KB

Download
memory/4212-9-0x0000000002DE0000-0x0000000002DEC000-memory.dmp

Filesize
48KB

Download