dcrat | d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087

Analysis

max time kernel
119s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
Size

1.7MB
MD5

7094bec5c74b11ca66951e7013264883
SHA1

1e784f9036b8186f79f774e8c5994a40a6e0ce1d
SHA256

d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087
SHA512

c1f2abed94ee88516a362eda3cd7404eefc816136ae1174efa665e16a0cf89913e51a3ab0dc40fe671bf7c360b65e1eed7a16c9787622b8ca039ef3763530bfe
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvG:OTHUxUoh1IF9gl2h

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3932	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3740	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3440	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3356	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3572	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3132	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3416	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3400	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3924	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4144	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4152	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3336	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	368	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3168	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3604	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3616	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	3376	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3460	3376	schtasks.exe	82

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/1432-1-0x0000000000110000-0x00000000002D0000-memory.dmp	dcrat
behavioral2/files/0x0007000000023ca7-30.dat	dcrat
behavioral2/files/0x0008000000023ca3-116.dat	dcrat
behavioral2/files/0x0009000000023ca7-127.dat	dcrat
behavioral2/files/0x0008000000023cc0-209.dat	dcrat
behavioral2/files/0x0008000000023ccc-242.dat	dcrat
behavioral2/files/0x000a000000023cab-416.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1400	powershell.exe
2428	powershell.exe
4144	powershell.exe
2076	powershell.exe
4880	powershell.exe
2912	powershell.exe
928	powershell.exe
1736	powershell.exe
2316	powershell.exe
3184	powershell.exe
4936	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 8 IoCs

pid	Process
3880	RuntimeBroker.exe
988	RuntimeBroker.exe
3932	RuntimeBroker.exe
4068	RuntimeBroker.exe
1676	RuntimeBroker.exe
1804	RuntimeBroker.exe
3524	RuntimeBroker.exe
2096	RuntimeBroker.exe

Drops file in Program Files directory 51 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\fonts\RuntimeBroker.exe	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File created	C:\Program Files\Mozilla Firefox\fonts\9e8d7a4ca61bd9	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\Registry.exe	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File opened for modification	C:\Program Files\Crashpad\reports\RCXBB20.tmp	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RCXC23B.tmp	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\sihost.exe	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File created	C:\Program Files (x86)\Microsoft\StartMenuExperienceHost.exe	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\ee2ad38f3d4382	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Visualizations\RCXAF3F.tmp	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File opened for modification	C:\Program Files\Crashpad\reports\RuntimeBroker.exe	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\RCXBDA4.tmp	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\RuntimeBroker.exe	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\sihost.exe	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File created	C:\Program Files\Windows Security\BrowserCore\en-US\66fc9ff0ee96c2	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\RCXCB7A.tmp	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\TextInputHost.exe	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File created	C:\Program Files (x86)\Windows Media Player\Visualizations\5940a34987c991	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File created	C:\Program Files (x86)\Microsoft\55b276f4edf653	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File created	C:\Program Files\Windows Defender\es-ES\22eafd247d37c3	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File opened for modification	C:\Program Files (x86)\Microsoft\RCXB154.tmp	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\RCXC23C.tmp	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\RCXCB7B.tmp	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\RuntimeBroker.exe	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File created	C:\Program Files\Crashpad\reports\9e8d7a4ca61bd9	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\Idle.exe	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\Registry.exe	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXC675.tmp	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\RCXC8F8.tmp	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\RCXC976.tmp	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File created	C:\Program Files (x86)\Windows Media Player\Visualizations\dllhost.exe	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File created	C:\Program Files\Crashpad\reports\RuntimeBroker.exe	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\e1ef82546f0b02	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Visualizations\RCXAF40.tmp	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Visualizations\dllhost.exe	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\Idle.exe	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXC676.tmp	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\explorer.exe	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\6ccacd8608530f	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File created	C:\Program Files\Windows Defender\es-ES\TextInputHost.exe	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File opened for modification	C:\Program Files (x86)\Microsoft\StartMenuExperienceHost.exe	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCXB5EC.tmp	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCXB66A.tmp	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File opened for modification	C:\Program Files\Crashpad\reports\RCXBB21.tmp	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\7a0fd90576e088	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File opened for modification	C:\Program Files (x86)\Microsoft\RCXB155.tmp	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\explorer.exe	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\RCXBDA3.tmp	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\RCXBFB8.tmp	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\RCXBFB9.tmp	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SystemApps\Windows.CBSPreview_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\lsass.exe	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File created	C:\Windows\SystemApps\Windows.CBSPreview_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\6203df4a6bafc7	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File opened for modification	C:\Windows\SystemApps\Windows.CBSPreview_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\RCXD0BE.tmp	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File opened for modification	C:\Windows\SystemApps\Windows.CBSPreview_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\RCXD13C.tmp	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File opened for modification	C:\Windows\SystemApps\Windows.CBSPreview_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\lsass.exe	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
File created	C:\Windows\OCR\it-it\RuntimeBroker.exe	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3980	schtasks.exe
1060	schtasks.exe
1936	schtasks.exe
5008	schtasks.exe
3604	schtasks.exe
3932	schtasks.exe
3440	schtasks.exe
2076	schtasks.exe
1384	schtasks.exe
1376	schtasks.exe
964	schtasks.exe
2488	schtasks.exe
3168	schtasks.exe
3356	schtasks.exe
4856	schtasks.exe
3416	schtasks.exe
432	schtasks.exe
1400	schtasks.exe
368	schtasks.exe
4604	schtasks.exe
2028	schtasks.exe
3740	schtasks.exe
2652	schtasks.exe
1244	schtasks.exe
928	schtasks.exe
4144	schtasks.exe
4080	schtasks.exe
1920	schtasks.exe
4748	schtasks.exe
2068	schtasks.exe
1640	schtasks.exe
2100	schtasks.exe
4640	schtasks.exe
3460	schtasks.exe
3572	schtasks.exe
3132	schtasks.exe
2524	schtasks.exe
4152	schtasks.exe
1496	schtasks.exe
3616	schtasks.exe
1888	schtasks.exe
3400	schtasks.exe
2428	schtasks.exe
4980	schtasks.exe
3088	schtasks.exe
2928	schtasks.exe
3924	schtasks.exe
3336	schtasks.exe
2212	schtasks.exe
4428	schtasks.exe
4868	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: SeDebugPrivilege	4144	powershell.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeDebugPrivilege	3184	powershell.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeDebugPrivilege	3880	RuntimeBroker.exe
Token: SeDebugPrivilege	988	RuntimeBroker.exe
Token: SeDebugPrivilege	3932	RuntimeBroker.exe
Token: SeDebugPrivilege	4068	RuntimeBroker.exe
Token: SeDebugPrivilege	1676	RuntimeBroker.exe
Token: SeDebugPrivilege	1804	RuntimeBroker.exe
Token: SeDebugPrivilege	3524	RuntimeBroker.exe
Token: SeDebugPrivilege	2096	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 1400	1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe	139
PID 1432 wrote to memory of 1400	1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe	139
PID 1432 wrote to memory of 2912	1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe	140
PID 1432 wrote to memory of 2912	1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe	140
PID 1432 wrote to memory of 928	1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe	141
PID 1432 wrote to memory of 928	1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe	141
PID 1432 wrote to memory of 1736	1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe	142
PID 1432 wrote to memory of 1736	1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe	142
PID 1432 wrote to memory of 2316	1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe	143
PID 1432 wrote to memory of 2316	1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe	143
PID 1432 wrote to memory of 2428	1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe	144
PID 1432 wrote to memory of 2428	1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe	144
PID 1432 wrote to memory of 4880	1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe	145
PID 1432 wrote to memory of 4880	1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe	145
PID 1432 wrote to memory of 2076	1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe	146
PID 1432 wrote to memory of 2076	1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe	146
PID 1432 wrote to memory of 4144	1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe	148
PID 1432 wrote to memory of 4144	1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe	148
PID 1432 wrote to memory of 4936	1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe	149
PID 1432 wrote to memory of 4936	1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe	149
PID 1432 wrote to memory of 3184	1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe	150
PID 1432 wrote to memory of 3184	1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe	150
PID 1432 wrote to memory of 3880	1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe	162
PID 1432 wrote to memory of 3880	1432	d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe	162
PID 3880 wrote to memory of 4152	3880	RuntimeBroker.exe	165
PID 3880 wrote to memory of 4152	3880	RuntimeBroker.exe	165
PID 3880 wrote to memory of 3444	3880	RuntimeBroker.exe	166
PID 3880 wrote to memory of 3444	3880	RuntimeBroker.exe	166
PID 4152 wrote to memory of 988	4152	WScript.exe	167
PID 4152 wrote to memory of 988	4152	WScript.exe	167
PID 988 wrote to memory of 1116	988	RuntimeBroker.exe	169
PID 988 wrote to memory of 1116	988	RuntimeBroker.exe	169
PID 988 wrote to memory of 3856	988	RuntimeBroker.exe	170
PID 988 wrote to memory of 3856	988	RuntimeBroker.exe	170
PID 1116 wrote to memory of 3932	1116	WScript.exe	172
PID 1116 wrote to memory of 3932	1116	WScript.exe	172
PID 3932 wrote to memory of 2248	3932	RuntimeBroker.exe	173
PID 3932 wrote to memory of 2248	3932	RuntimeBroker.exe	173
PID 3932 wrote to memory of 2144	3932	RuntimeBroker.exe	174
PID 3932 wrote to memory of 2144	3932	RuntimeBroker.exe	174
PID 2248 wrote to memory of 4068	2248	WScript.exe	175
PID 2248 wrote to memory of 4068	2248	WScript.exe	175
PID 4068 wrote to memory of 432	4068	RuntimeBroker.exe	176
PID 4068 wrote to memory of 432	4068	RuntimeBroker.exe	176
PID 4068 wrote to memory of 3184	4068	RuntimeBroker.exe	177
PID 4068 wrote to memory of 3184	4068	RuntimeBroker.exe	177
PID 432 wrote to memory of 1676	432	WScript.exe	178
PID 432 wrote to memory of 1676	432	WScript.exe	178
PID 1676 wrote to memory of 3912	1676	RuntimeBroker.exe	179
PID 1676 wrote to memory of 3912	1676	RuntimeBroker.exe	179
PID 1676 wrote to memory of 5076	1676	RuntimeBroker.exe	180
PID 1676 wrote to memory of 5076	1676	RuntimeBroker.exe	180
PID 3912 wrote to memory of 1804	3912	WScript.exe	181
PID 3912 wrote to memory of 1804	3912	WScript.exe	181
PID 1804 wrote to memory of 4404	1804	RuntimeBroker.exe	182
PID 1804 wrote to memory of 4404	1804	RuntimeBroker.exe	182
PID 1804 wrote to memory of 2432	1804	RuntimeBroker.exe	183
PID 1804 wrote to memory of 2432	1804	RuntimeBroker.exe	183
PID 4404 wrote to memory of 3524	4404	WScript.exe	184
PID 4404 wrote to memory of 3524	4404	WScript.exe	184
PID 3524 wrote to memory of 3976	3524	RuntimeBroker.exe	185
PID 3524 wrote to memory of 3976	3524	RuntimeBroker.exe	185
PID 3524 wrote to memory of 4012	3524	RuntimeBroker.exe	186
PID 3524 wrote to memory of 4012	3524	RuntimeBroker.exe	186

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe
"C:\Users\Admin\AppData\Local\Temp\d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3184
- C:\Program Files\Crashpad\reports\RuntimeBroker.exe
  "C:\Program Files\Crashpad\reports\RuntimeBroker.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3880
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4ffaca2-8cc2-4003-8ae1-2d53aa72067f.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4152
  - - C:\Program Files\Crashpad\reports\RuntimeBroker.exe
      "C:\Program Files\Crashpad\reports\RuntimeBroker.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:988
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\198642c1-c60a-41f0-9e63-4a9d4bdca9ab.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1116
      - C:\Program Files\Crashpad\reports\RuntimeBroker.exe
        
        "C:\Program Files\Crashpad\reports\RuntimeBroker.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74fec557-aaf1-458c-b3cc-484a763bf033.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Program Files\Crashpad\reports\RuntimeBroker.exe
        
        "C:\Program Files\Crashpad\reports\RuntimeBroker.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a2afcbf-99e4-4d26-acc4-774f593a388e.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Program Files\Crashpad\reports\RuntimeBroker.exe
        
        "C:\Program Files\Crashpad\reports\RuntimeBroker.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e05f20ef-84c3-4cb2-98ca-5ebce04c7aa6.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Program Files\Crashpad\reports\RuntimeBroker.exe
        
        "C:\Program Files\Crashpad\reports\RuntimeBroker.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb0da5d3-2af8-4654-b2d8-b01a9c13df00.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Program Files\Crashpad\reports\RuntimeBroker.exe
        
        "C:\Program Files\Crashpad\reports\RuntimeBroker.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd29d5e0-8a2a-4535-a0b8-12b85c0a8cd9.vbs"
        15⤵
        
        PID:3976
        
        C:\Program Files\Crashpad\reports\RuntimeBroker.exe
        
        "C:\Program Files\Crashpad\reports\RuntimeBroker.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58c2e33e-bf31-46d1-907c-68892517cca5.vbs"
        17⤵
        
        PID:2592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a29eedfe-422f-4db9-bdd3-6dfd372eba81.vbs"
        17⤵
        
        PID:4956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\325873d3-7115-4333-bb87-eb614851ee5a.vbs"
        15⤵
        
        PID:4012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8861d656-9019-4fc0-8d2d-bcde51cd5ea6.vbs"
        13⤵
        
        PID:2432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b8fe027-50c0-4632-bcbd-e015eaddb59d.vbs"
        11⤵
        
        PID:5076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\096505c5-2f11-48ba-b8ea-8a49377672d0.vbs"
        9⤵
        
        PID:3184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\47054aeb-55b2-44bc-b5f7-f6fc2a80af82.vbs"
        7⤵
        
        PID:2144
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc08e09d-a811-4791-bb53-d46ddb5bfa07.vbs"
        5⤵
        
        PID:3856
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\109fa097-f7af-4f00-adc2-862b5debf541.vbs"
    3⤵
    PID:3444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Comms\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Comms\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Comms\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Crashpad\reports\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Crashpad\reports\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Crashpad\reports\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\fonts\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\fonts\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\Accessories\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Security\BrowserCore\en-US\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Desktop\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Desktop\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\es-ES\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\es-ES\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\SystemApps\Windows.CBSPreview_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\SystemApps\Windows.CBSPreview_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\SystemApps\Windows.CBSPreview_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Photo Viewer\fr-FR\Idle.exe

Filesize
1.7MB

MD5
0a41e17d421dd994be1fb23d3701eaea

SHA1
02237f2aff96faf7ad072ab0e77e71c4b940909e

SHA256
17bd43a021b5642cb40391afbbd001e7643f05843b2ca95e959d2feffe990260

SHA512
631f17cb4258e52c9853110c010b18135fe6faf08c108bcffea4a528e6711f7279e117cc595fdc97eca097038d1b3c48504e9a2f9b026f93e42f55fe5abbba98

Download Submit
C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\explorer.exe

Filesize
1.7MB

MD5
7094bec5c74b11ca66951e7013264883

SHA1
1e784f9036b8186f79f774e8c5994a40a6e0ce1d

SHA256
d653ac9835f0dcf56b64fffebd433a1b1f647af0c1333eca8d2a7285ba113087

SHA512
c1f2abed94ee88516a362eda3cd7404eefc816136ae1174efa665e16a0cf89913e51a3ab0dc40fe671bf7c360b65e1eed7a16c9787622b8ca039ef3763530bfe

Download Submit
C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\explorer.exe

Filesize
1.7MB

MD5
a28f0a69fc71ce9466e98b9c2636204d

SHA1
52cea06b91b0a7c52b8ad99587415a4bf4cf61d9

SHA256
164765483084710b185e78f05e40a1cb4a99d2a5c361712db1515c12d203eaa2

SHA512
6be707ae804b257885d7d39005c71432ade0a815c1a363e9aeead5589126e7fe08b307942acebc32c3881074d4d41ecb019fff17948bca8053f1ee3e6807ce93

Download Submit
C:\Program Files\Crashpad\reports\RuntimeBroker.exe

Filesize
1.7MB

MD5
784f5cdc78ca7bf50ad113eb9d580290

SHA1
b93e873ee52b7e462c2de9d12c229e9c4e35a9be

SHA256
0e2bcce745c301b7de0b31f5f955385dff373af7a6363b7ff7719e327542253d

SHA512
e6d13471a5c2269a9b9ba1e5f4f87662c63cfe87e53631615a45a3e8459f37c285eae13e29d3fe67f6589020cd461267714e27e6d93e7218fca6d1c1012ab7d9

Download Submit
C:\Recovery\WindowsRE\sysmon.exe

Filesize
1.7MB

MD5
9636422ebfd4a0c3840f69a227d5217c

SHA1
c6f79e0a702416b8869618483f405cdd62c888e2

SHA256
8bdfcaa7269df4a5bd598f12427ce6f4d4224ded5626a36391721a8bdc48b845

SHA512
60ccca12b07b1c1e3ae80c19bbc130840723f84447fa5c1f4e52b92a5805d4dfdf82cb03ca1a1b0179d39a3e8f714417c48b595f4509481c9a1ee1c709d270c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6c47b3f4e68eebd47e9332eebfd2dd4e

SHA1
67f0b143336d7db7b281ed3de5e877fa87261834

SHA256
8c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c

SHA512
0acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Temp\109fa097-f7af-4f00-adc2-862b5debf541.vbs

Filesize
503B

MD5
4de65026f517842ff522ca0d122cb339

SHA1
21e24fd11258b2a85c917502d7b45a2cb4f23690

SHA256
0d410721a14aa869e1c73a61a472c015bc8f6362bfa240a713ecefdffd56e486

SHA512
eb874a5a204bb6f0715de3aa72c93374506ff356df0b9bbef997991c9b36d21aa1361be0ba78661a3f35183ed17602a1d2e1c0735e82f491571dd44a427bba15

Download Submit
C:\Users\Admin\AppData\Local\Temp\198642c1-c60a-41f0-9e63-4a9d4bdca9ab.vbs

Filesize
726B

MD5
26c3eb87c781ad071e53ead12f7eda0a

SHA1
b3e051c8c88b2eeb11fcff80798859737ac10cca

SHA256
c3a1bd3bfd6826a595e31ed34e9d67fd1f17ed8ec08d77fc65626779808e3cca

SHA512
47074a60cf97f8e6e7a535420c253f5970686d09af7a276b47bc213bfd18996d0d92ba0f6d0ea88ff6ada04bee98bb12b2a82b947467f064642a0bd764a85dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\58c2e33e-bf31-46d1-907c-68892517cca5.vbs

Filesize
727B

MD5
5ac910a6dabe007ed9366e8890e0ab20

SHA1
dceaeae0e98c3f58859ca38b6785ebcc560ff020

SHA256
deea34e6c7435a26ba85677500094c84e4b28a28df77ffad2fdc9a3e4280e9e8

SHA512
a67b2d0b57f62a238b9326b2f527df7236b0f58abc370388dc66883c055bbf32933799471e9421983e8770cf2d236b91a8e32eadfed88fead7bedfe6bd1d86be

Download Submit
C:\Users\Admin\AppData\Local\Temp\74fec557-aaf1-458c-b3cc-484a763bf033.vbs

Filesize
727B

MD5
6be69ce55f08217b3770070d6f1c31d3

SHA1
b4aa0f394694d31dbfc3c40c03fed06fec6137ba

SHA256
26fb133c15c0d48af7460e12d3eba4fbc8a636ec2c2fce1e5072629c586042ee

SHA512
1598b17eec66303cd0a273d9c8c0c02fce1741448cd9b663ed895b95dd54bb5baa96efe913321dbcca794c031395530c27715b49715013757cd638d61b7ae65a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7a2afcbf-99e4-4d26-acc4-774f593a388e.vbs

Filesize
727B

MD5
5d0a51d69a74aab446fd543961a0862b

SHA1
4150eb7ba19a3ca0fe71eb973c22abceb80c1141

SHA256
4fc65b1fd22eaff0bf3e6165e335e309b05acfc6c67d596855a2fa6f0972f8ed

SHA512
fa89665a5a994a2f6d7b0ae848cebf256f8201e29196bcbca0ec46d298d701aeed0fc94db00e11223ce3383a6374d17d25e485c72738dfb4148d5cb48f29512c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qzlm0mhk.emw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd29d5e0-8a2a-4535-a0b8-12b85c0a8cd9.vbs

Filesize
727B

MD5
42581ab6d754b980ca9a52cbef56cab3

SHA1
88326e746db6eb7ecba9ca3399577bda17c45d2c

SHA256
d88a8a416b7e01b3478a7f1d4e9970d58f001ff320220ae87acb734f0d3018f7

SHA512
4a4d2bcf47b67bee27ee4089ad67f4724f3210cbf17dc3ba473ac2dcb674388c24da8b3d3456212ca3575cfbdcfe6ca11597c0dbf5fa698072d571a7e2199b57

Download Submit
C:\Users\Admin\AppData\Local\Temp\c4ffaca2-8cc2-4003-8ae1-2d53aa72067f.vbs

Filesize
727B

MD5
4b435618074c831cc8a27fb5684e990d

SHA1
e2ebc631f088e6f28c8ca0170e0d4472ff502201

SHA256
b0192f697f5841d7e6ad128867a37ba15741ac3c3fa47f59e2d4aedc2427d5df

SHA512
241b25e99d6a10bdb09cba715a9b7ebb8298c129e880deb9d562851d1afe4555cc08e2a05da409a7b7fcd35c5fd105364630b5cfcb2a97c37b8b4b3590c8f4de

Download Submit
C:\Users\Admin\AppData\Local\Temp\e05f20ef-84c3-4cb2-98ca-5ebce04c7aa6.vbs

Filesize
727B

MD5
29652760d8fb9e600cbfbb481b5e792d

SHA1
719182cc106ac16877cb143244741607923c4e40

SHA256
6d71ff9e9a089c61a25c8cfbc6257ccd135b8539503fe74a24703afe4bbd0d92

SHA512
25567599f747635494b04566b85f5b52d5f9cb07add16f47f097c0759403fc7c7ac86dada05767e6f655aea41517ca19828f1f933bc745eb9248b8d5023b7130

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb0da5d3-2af8-4654-b2d8-b01a9c13df00.vbs

Filesize
727B

MD5
c98bd0ddb6cc52b612861c8b813df474

SHA1
2fb1ee9e005cb98beb2b3ec5fbd008547fbea88d

SHA256
3068b798ba4151cb8aeecd8a67e9e967dff911f6fb018c2762cbf88c92da511a

SHA512
7c03fd55aa01aa0927dad500dce9ea56981a83e35fa7ccc72fc06ef156fc871f352e048402b9b39f2dabf3b01bdf118f9cf52fb6b0ba35fd4559e1b0401a0a70

Download Submit
C:\Windows\SystemApps\Windows.CBSPreview_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\lsass.exe

Filesize
1.7MB

MD5
0c795513a4f995454445ffcde0774801

SHA1
07f1e0ce627f56e1fafc6f3869d9e4e24c9b3bbc

SHA256
8b5d3077e275c5d2c205873312c7b602129e99c6942b9c6ad99a5fc65fb530d0

SHA512
764a88eba2bfec1967299d2d9d3547711c82e79bb373dbf87480e1e47eac4a61b2f8e9583ec2889a81b2c84d7e5f29c5c48ed6ce17249e5617e677c87830b607

Download Submit
memory/1432-14-0x000000001B5E0000-0x000000001B5EC000-memory.dmp

Filesize
48KB

Download
memory/1432-18-0x000000001B810000-0x000000001B81C000-memory.dmp

Filesize
48KB

Download
memory/1432-153-0x00007FF989863000-0x00007FF989865000-memory.dmp

Filesize
8KB

Download
memory/1432-212-0x00007FF989860000-0x00007FF98A321000-memory.dmp

Filesize
10.8MB

Download
memory/1432-23-0x00007FF989860000-0x00007FF98A321000-memory.dmp

Filesize
10.8MB

Download
memory/1432-1-0x0000000000110000-0x00000000002D0000-memory.dmp

Filesize
1.8MB

Download
memory/1432-20-0x00007FF989860000-0x00007FF98A321000-memory.dmp

Filesize
10.8MB

Download
memory/1432-19-0x000000001B820000-0x000000001B82C000-memory.dmp

Filesize
48KB

Download
memory/1432-419-0x00007FF989860000-0x00007FF98A321000-memory.dmp

Filesize
10.8MB

Download
memory/1432-2-0x00007FF989860000-0x00007FF98A321000-memory.dmp

Filesize
10.8MB

Download
memory/1432-15-0x000000001B840000-0x000000001B84A000-memory.dmp

Filesize
40KB

Download
memory/1432-16-0x000000001B6F0000-0x000000001B6FE000-memory.dmp

Filesize
56KB

Download
memory/1432-17-0x000000001B800000-0x000000001B808000-memory.dmp

Filesize
32KB

Download
memory/1432-177-0x00007FF989860000-0x00007FF98A321000-memory.dmp

Filesize
10.8MB

Download
memory/1432-0-0x00007FF989863000-0x00007FF989865000-memory.dmp

Filesize
8KB

Download
memory/1432-13-0x000000001BB10000-0x000000001C038000-memory.dmp

Filesize
5.2MB

Download
memory/1432-12-0x000000001AF50000-0x000000001AF62000-memory.dmp

Filesize
72KB

Download
memory/1432-10-0x000000001AF40000-0x000000001AF48000-memory.dmp

Filesize
32KB

Download
memory/1432-9-0x000000001AF30000-0x000000001AF3C000-memory.dmp

Filesize
48KB

Download
memory/1432-3-0x00000000023E0000-0x00000000023FC000-memory.dmp

Filesize
112KB

Download
memory/1432-8-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/1432-7-0x000000001AF10000-0x000000001AF26000-memory.dmp

Filesize
88KB

Download
memory/1432-5-0x0000000000B90000-0x0000000000B98000-memory.dmp

Filesize
32KB

Download
memory/1432-6-0x0000000002400000-0x0000000002410000-memory.dmp

Filesize
64KB

Download
memory/1432-4-0x000000001AF60000-0x000000001AFB0000-memory.dmp

Filesize
320KB

Download
memory/3880-454-0x000000001D780000-0x000000001D882000-memory.dmp

Filesize
1.0MB

Download
memory/3880-420-0x000000001C9E0000-0x000000001C9F2000-memory.dmp

Filesize
72KB

Download
memory/4144-317-0x0000012B34880000-0x0000012B348A2000-memory.dmp

Filesize
136KB

Download