dcrat | 6681cb73deb0effc4f44f704c6bddb07e98c1f8da4c8478cca7ddd49abdb0c3f

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
Size

1.6MB
MD5

8b03d1f60bdf0b6465c0623109e7269e
SHA1

33fb1f09f53ca182e1112ed973fce8fa97e4398f
SHA256

1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf
SHA512

8c79bf16fdce864799bb6893565aa06f35737f91897537f08129bfe842ad46f39f4081dcc59760df59e416af3ec848fd2dec179d42900defad7d94b4678f2de0
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4216	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5240	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5420	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3940	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3536	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4344	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4128	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	516	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4164	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	716	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5284	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2680	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4580	2680	schtasks.exe	87

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral18/memory/2180-1-0x0000000000CB0000-0x0000000000E52000-memory.dmp	dcrat
behavioral18/files/0x000700000002432f-26.dat	dcrat
behavioral18/files/0x000b000000024353-97.dat	dcrat
behavioral18/files/0x0008000000024334-131.dat	dcrat
behavioral18/files/0x0009000000024355-142.dat	dcrat
behavioral18/files/0x0008000000024346-197.dat	dcrat
behavioral18/files/0x0009000000024346-208.dat	dcrat
behavioral18/files/0x000900000002434b-222.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5812	powershell.exe
1716	powershell.exe
5176	powershell.exe
1128	powershell.exe
5060	powershell.exe
4936	powershell.exe
4592	powershell.exe
2884	powershell.exe
4412	powershell.exe
5292	powershell.exe
1164	powershell.exe
3352	powershell.exe
5780	powershell.exe
2864	powershell.exe
5928	powershell.exe
5660	powershell.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 12 IoCs

pid	Process
3572	RuntimeBroker.exe
3244	RuntimeBroker.exe
4756	RuntimeBroker.exe
1152	RuntimeBroker.exe
4964	RuntimeBroker.exe
3060	RuntimeBroker.exe
5700	RuntimeBroker.exe
6056	RuntimeBroker.exe
5228	RuntimeBroker.exe
2928	RuntimeBroker.exe
1112	RuntimeBroker.exe
4656	RuntimeBroker.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\sk-SK\RCXA564.tmp	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Windows\System32\sk-SK\RCXA565.tmp	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Windows\System32\sk-SK\StartMenuExperienceHost.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Windows\System32\sk-SK\StartMenuExperienceHost.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Windows\System32\sk-SK\55b276f4edf653	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\edge_BITS_4732_595216890\services.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Program Files\edge_BITS_4680_1850129863\f11cf609cd2375	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Program Files\edge_BITS_4732_595216890\dllhost.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCX9EC6.tmp	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\services.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files\edge_BITS_4732_595216890\RCXA855.tmp	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files\edge_BITS_4732_595216890\RCXB36A.tmp	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\c5b4cb5e9653cc	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Program Files\edge_BITS_4732_595216890\5940a34987c991	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Program Files\edge_BITS_4732_595216890\services.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Program Files\edge_BITS_4732_595216890\c5b4cb5e9653cc	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files\edge_BITS_4732_595216890\RCXA7E7.tmp	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Program Files\edge_BITS_4680_1850129863\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\services.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files\edge_BITS_4680_1850129863\RCX9CB1.tmp	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files\edge_BITS_4680_1850129863\RCX9CB2.tmp	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files\edge_BITS_4680_1850129863\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCX9EC7.tmp	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files\edge_BITS_4732_595216890\dllhost.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Program Files\edge_BITS_4732_595216890\RCXB36B.tmp	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Speech\Engines\Lexicon\9e8d7a4ca61bd9	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Windows\Speech\Engines\Lexicon\RCXAEE2.tmp	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Windows\Speech\Engines\Lexicon\RCXAEE3.tmp	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File opened for modification	C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
File created	C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
220	schtasks.exe
3220	schtasks.exe
4904	schtasks.exe
4684	schtasks.exe
516	schtasks.exe
5284	schtasks.exe
5240	schtasks.exe
4128	schtasks.exe
4164	schtasks.exe
2972	schtasks.exe
4764	schtasks.exe
4884	schtasks.exe
5000	schtasks.exe
5068	schtasks.exe
4624	schtasks.exe
4476	schtasks.exe
2816	schtasks.exe
4912	schtasks.exe
4964	schtasks.exe
3536	schtasks.exe
4304	schtasks.exe
4580	schtasks.exe
4216	schtasks.exe
4864	schtasks.exe
4780	schtasks.exe
1052	schtasks.exe
4976	schtasks.exe
4804	schtasks.exe
5420	schtasks.exe
4524	schtasks.exe
1380	schtasks.exe
2164	schtasks.exe
1320	schtasks.exe
4508	schtasks.exe
3940	schtasks.exe
4344	schtasks.exe
404	schtasks.exe
316	schtasks.exe
4212	schtasks.exe
1620	schtasks.exe
716	schtasks.exe
4040	schtasks.exe
4796	schtasks.exe
4852	schtasks.exe
4504	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
5060	powershell.exe
5060	powershell.exe
4936	powershell.exe
4936	powershell.exe
1716	powershell.exe
1716	powershell.exe
4412	powershell.exe
4412	powershell.exe
5660	powershell.exe
5660	powershell.exe
5812	powershell.exe
5812	powershell.exe
5292	powershell.exe
5292	powershell.exe
5176	powershell.exe
5176	powershell.exe
3352	powershell.exe
3352	powershell.exe
2864	powershell.exe
2864	powershell.exe
4592	powershell.exe
4592	powershell.exe
1164	powershell.exe
1164	powershell.exe
1128	powershell.exe
1128	powershell.exe
5928	powershell.exe
5928	powershell.exe
5780	powershell.exe
5780	powershell.exe
2884	powershell.exe
2884	powershell.exe
5780	powershell.exe
5060	powershell.exe
5060	powershell.exe
4412	powershell.exe
4936	powershell.exe
4936	powershell.exe
1716	powershell.exe
1716	powershell.exe
3352	powershell.exe
5292	powershell.exe
4592	powershell.exe
5812	powershell.exe
5176	powershell.exe
5660	powershell.exe
5660	powershell.exe
1128	powershell.exe
2864	powershell.exe
1164	powershell.exe
5928	powershell.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	4412	powershell.exe
Token: SeDebugPrivilege	5660	powershell.exe
Token: SeDebugPrivilege	5812	powershell.exe
Token: SeDebugPrivilege	5292	powershell.exe
Token: SeDebugPrivilege	5928	powershell.exe
Token: SeDebugPrivilege	5176	powershell.exe
Token: SeDebugPrivilege	5780	powershell.exe
Token: SeDebugPrivilege	3352	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	4592	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	3572	RuntimeBroker.exe
Token: SeDebugPrivilege	3244	RuntimeBroker.exe
Token: SeDebugPrivilege	4756	RuntimeBroker.exe
Token: SeDebugPrivilege	1152	RuntimeBroker.exe
Token: SeDebugPrivilege	4964	RuntimeBroker.exe
Token: SeDebugPrivilege	3060	RuntimeBroker.exe
Token: SeDebugPrivilege	5700	RuntimeBroker.exe
Token: SeDebugPrivilege	6056	RuntimeBroker.exe
Token: SeDebugPrivilege	5228	RuntimeBroker.exe
Token: SeDebugPrivilege	2928	RuntimeBroker.exe
Token: SeDebugPrivilege	1112	RuntimeBroker.exe
Token: SeDebugPrivilege	4656	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 5060	2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	139
PID 2180 wrote to memory of 5060	2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	139
PID 2180 wrote to memory of 4412	2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	140
PID 2180 wrote to memory of 4412	2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	140
PID 2180 wrote to memory of 2864	2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	141
PID 2180 wrote to memory of 2864	2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	141
PID 2180 wrote to memory of 1128	2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	143
PID 2180 wrote to memory of 1128	2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	143
PID 2180 wrote to memory of 5780	2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	144
PID 2180 wrote to memory of 5780	2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	144
PID 2180 wrote to memory of 2884	2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	145
PID 2180 wrote to memory of 2884	2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	145
PID 2180 wrote to memory of 5660	2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	147
PID 2180 wrote to memory of 5660	2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	147
PID 2180 wrote to memory of 5176	2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	148
PID 2180 wrote to memory of 5176	2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	148
PID 2180 wrote to memory of 3352	2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	150
PID 2180 wrote to memory of 3352	2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	150
PID 2180 wrote to memory of 1716	2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	151
PID 2180 wrote to memory of 1716	2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	151
PID 2180 wrote to memory of 4936	2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	152
PID 2180 wrote to memory of 4936	2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	152
PID 2180 wrote to memory of 5812	2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	153
PID 2180 wrote to memory of 5812	2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	153
PID 2180 wrote to memory of 1164	2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	154
PID 2180 wrote to memory of 1164	2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	154
PID 2180 wrote to memory of 5928	2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	155
PID 2180 wrote to memory of 5928	2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	155
PID 2180 wrote to memory of 4592	2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	156
PID 2180 wrote to memory of 4592	2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	156
PID 2180 wrote to memory of 5292	2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	157
PID 2180 wrote to memory of 5292	2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	157
PID 2180 wrote to memory of 2332	2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	171
PID 2180 wrote to memory of 2332	2180	1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe	171
PID 2332 wrote to memory of 3560	2332	cmd.exe	173
PID 2332 wrote to memory of 3560	2332	cmd.exe	173
PID 2332 wrote to memory of 3572	2332	cmd.exe	175
PID 2332 wrote to memory of 3572	2332	cmd.exe	175
PID 3572 wrote to memory of 4560	3572	RuntimeBroker.exe	176
PID 3572 wrote to memory of 4560	3572	RuntimeBroker.exe	176
PID 3572 wrote to memory of 996	3572	RuntimeBroker.exe	177
PID 3572 wrote to memory of 996	3572	RuntimeBroker.exe	177
PID 4560 wrote to memory of 3244	4560	WScript.exe	182
PID 4560 wrote to memory of 3244	4560	WScript.exe	182
PID 3244 wrote to memory of 2360	3244	RuntimeBroker.exe	183
PID 3244 wrote to memory of 2360	3244	RuntimeBroker.exe	183
PID 3244 wrote to memory of 548	3244	RuntimeBroker.exe	184
PID 3244 wrote to memory of 548	3244	RuntimeBroker.exe	184
PID 2360 wrote to memory of 4756	2360	WScript.exe	185
PID 2360 wrote to memory of 4756	2360	WScript.exe	185
PID 4756 wrote to memory of 3352	4756	RuntimeBroker.exe	186
PID 4756 wrote to memory of 3352	4756	RuntimeBroker.exe	186
PID 4756 wrote to memory of 2648	4756	RuntimeBroker.exe	187
PID 4756 wrote to memory of 2648	4756	RuntimeBroker.exe	187
PID 3352 wrote to memory of 1152	3352	WScript.exe	189
PID 3352 wrote to memory of 1152	3352	WScript.exe	189
PID 1152 wrote to memory of 5584	1152	RuntimeBroker.exe	190
PID 1152 wrote to memory of 5584	1152	RuntimeBroker.exe	190
PID 1152 wrote to memory of 2812	1152	RuntimeBroker.exe	191
PID 1152 wrote to memory of 2812	1152	RuntimeBroker.exe	191
PID 5584 wrote to memory of 4964	5584	WScript.exe	193
PID 5584 wrote to memory of 4964	5584	WScript.exe	193
PID 4964 wrote to memory of 5804	4964	RuntimeBroker.exe	194
PID 4964 wrote to memory of 5804	4964	RuntimeBroker.exe	194

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe
"C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4680_1850129863\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\sk-SK\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4732_595216890\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7e20f84d5244aba7145631d4073af8\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\7e20f84d5244aba7145631d4073af8\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Sun\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4732_595216890\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d25f591a00514bc9ba8441\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5292
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XeGdH0U8sJ.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3560
- - C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
    "C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3572
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0c5fc13-d501-4833-9b9b-2f080c1c8aaa.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4560
    - - C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
        
        C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3244
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\239e4973-5b62-442b-9de7-006ed6a8a33a.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
        
        C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86e9093d-cfd8-4f3c-89b1-c4cc91329d80.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3352
        
        C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
        
        C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ba6a0cf-f68f-41a4-9e7a-e7243952869a.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5584
        
        C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
        
        C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ec648c8-1a84-4dd5-ad79-9f0512d16478.vbs"
        12⤵
        
        PID:5804
        
        C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
        
        C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4c3d2b5-daef-4164-abe0-b84a7d8560d3.vbs"
        14⤵
        
        PID:1924
        
        C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
        
        C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\821b7e38-7e51-4bcc-a17e-12564ee68448.vbs"
        16⤵
        
        PID:1040
        
        C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
        
        C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:6056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aba768da-aa2e-42b0-ba71-4d52689d6e04.vbs"
        18⤵
        
        PID:312
        
        C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
        
        C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\358be680-2edf-4b05-9c24-bcc49573f997.vbs"
        20⤵
        
        PID:5620
        
        C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
        
        C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6333a880-14b3-4f87-8e0c-51f77801efe1.vbs"
        22⤵
        
        PID:380
        
        C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
        
        C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf4002af-6d93-4c21-97ce-fba11d964f3b.vbs"
        24⤵
        
        PID:3672
        
        C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
        
        C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\023f77f7-844f-45b0-905c-a371be847a67.vbs"
        24⤵
        
        PID:5584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9df513f0-9eab-4cfb-928d-280ba06f91cb.vbs"
        22⤵
        
        PID:3804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d6ae010-d3de-4322-b7bf-6677de9dfa0a.vbs"
        20⤵
        
        PID:4928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a40fb0b-9503-440c-b053-ed4004efd2ff.vbs"
        18⤵
        
        PID:4272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6cf45963-e3ec-464e-b072-bde9404bf4cd.vbs"
        16⤵
        
        PID:1948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02724ef0-5704-4728-b259-f0ec34b3f4cb.vbs"
        14⤵
        
        PID:3344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51408b74-5209-4e9d-b34f-994d528be8c5.vbs"
        12⤵
        
        PID:4280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c72cc37-3e9c-428a-9a57-6cf126c94b89.vbs"
        10⤵
        
        PID:2812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a0d340d-5da3-465a-b7c6-c63eca7fb974.vbs"
        8⤵
        
        PID:2648
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29977282-8079-4515-abe5-95d953d4d2e7.vbs"
        6⤵
        
        PID:548
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a79a36d-291c-4c41-a4e1-ce73bfd5be23.vbs"
      4⤵
      PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf1" /sc MINUTE /mo 5 /tr "'C:\Program Files\edge_BITS_4680_1850129863\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4680_1850129863\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf1" /sc MINUTE /mo 8 /tr "'C:\Program Files\edge_BITS_4680_1850129863\1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\d25f591a00514bc9ba8441\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Windows\System32\sk-SK\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\System32\sk-SK\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Windows\System32\sk-SK\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\edge_BITS_4732_595216890\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4732_595216890\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\edge_BITS_4732_595216890\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\7e20f84d5244aba7145631d4073af8\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\7e20f84d5244aba7145631d4073af8\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\7e20f84d5244aba7145631d4073af8\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\7e20f84d5244aba7145631d4073af8\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\7e20f84d5244aba7145631d4073af8\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\Speech\Engines\Lexicon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Roaming\Sun\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Sun\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Roaming\Sun\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\edge_BITS_4732_595216890\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4732_595216890\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\edge_BITS_4732_595216890\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\d25f591a00514bc9ba8441\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\d25f591a00514bc9ba8441\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\d25f591a00514bc9ba8441\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\7e20f84d5244aba7145631d4073af8\RuntimeBroker.exe

Filesize
1.6MB

MD5
3832310c7b6ed8e78cfa29000e158fb3

SHA1
acf5c18fd29dd3337a8baeabd92f4471e5435505

SHA256
06663ed3c24b80c705519ff8dea59148160984c07239df59811e63e4b92163da

SHA512
efa34c62a903db38628d62e9054a6a540e94fb719db6dd52aaae9d7b90db8792047da0b8810b57c88afd5ade4b4d18828b70a12064c0157272de0a0d49b9582c

Download Submit
C:\Program Files\edge_BITS_4732_595216890\dllhost.exe

Filesize
1.6MB

MD5
c56e5784a7e11766cbc57430d7685115

SHA1
ab802a3d90f6728b38d255870b9feff0e55e5ae3

SHA256
869890cc0d29ee7b63b8f2826ecd4febc9046d1b783e80512e710c5798a66224

SHA512
773a9c7cc073759044b7a29a630ea3f9d78576dfd908c04bae1f464d4db9fbda61542275b3c7bbb8c144574a91cd2bf0de897ebbd1675c60ba5714cfe8238949

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.6MB

MD5
db8f82f3d8973d32dd8701ac6e2954b5

SHA1
851e8fcd38ea62a46f44c4fa33bebca5b59be664

SHA256
c2ffcb38c5f667900d6a178bba5058d8cc888c5efa7aeadd1c8ce9de2ebaa95e

SHA512
83d2278f3b987293cab71bb5d24acd7b4ff203377a48a82c5d1fce7234f5e4c2bb785887978f3657433dd2cfe93bf44a41a212e021ae32bff9e9c94198f8ec52

Download Submit
C:\Recovery\WindowsRE\csrss.exe

Filesize
1.6MB

MD5
2bcea9d2c346ba84574b8331bce37087

SHA1
b4c7612844243e564066fd26f04df4e5a0a480b1

SHA256
7d7f907400a3c287206073b99b545e96081232768136c9f711c58bea6b33d44c

SHA512
cb70e056815353aaef96d21beb4da2c3c100d57f2ba5c4271365b3e985e7fb590698e6e8b3976d60eae41d8fc5bf2ea2c9f5e4d34d851f540891feb79ca68a67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a5d93882341ce023d4569907c3bb0def

SHA1
db0998ab671abb543a7ac78596c0b95743a9a2c8

SHA256
c3ea7d8d4ac21adbe8c93e10729367b0b7c3477e7758596609c8e25e45baaa78

SHA512
7bf5716c96d93da7d37bbedb9623c9ae2860ac7b1a0e9310cbee0962556705f8876aebdabb9820f1f1ed37e504e002f24507a23db302d0e180bb45092520cc7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1f3a4f1a0ec7141a2b9d52de694b5b94

SHA1
818521ae654b04c97a8510dd452046a18eab00a0

SHA256
a7eb5ae5bbcd9b72aa81795071ba0dc8485e6f2f942f816cb192b3db33acbac3

SHA512
d00ea8136fa8ced7733d712af781270f7046ac07c48ccdd5ab22d5a29775b98e5f3aac6b6b58f0bf103d6af1ab7b4fa43aee873f91750fd34668c0fbb2082ef4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f3d606f9a5f1201bfc1f01c54e842c4

SHA1
f1917e50b557b135953ecbe63e1fc1e675b541f1

SHA256
dcc09d3b5b17ef60cb35e4148230306cdcd68d18d18a39fd5fe220c34997a32a

SHA512
d85e1e1b4a552a8cdd21c4195a2ea082d3fcb40907d2a6a0ceb297f32defd1fba17d3b54dc954c26b3b731bc179bee5cfc011de3c667af47cdbe289b30fdfb38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
566ef902c25833fe5f7f4484509fe364

SHA1
f8ba6651e7e4c64270e95aac690ad758fa3fc7f8

SHA256
28265aaf259c60ae208b025f4c6b317c0799154b5d40d650bf44ef09f4805514

SHA512
b2c696820b775c0705884f606b4ac464d75d8d5e415bee2fb1e68d07ca288c953936d9286f277082fc11fbae24748c6a872f0be540be37190f0383c7b16820a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
091f20bbaff3637ace005fce1590be7b

SHA1
00d1ef232fc560231ff81adc227a8f2918235a29

SHA256
bd50b50b5e08067840cf1e6bb16f3ed0242649d826544899056db26876dec9fe

SHA512
ebc04d7de6bcbd6505c60432c6455bde985ac422cbda875ef5c1dd6ef44155ec0d43a882dd793e692d3723a257e3d12c48ac8c0dad7c21a99d446d4b3b257890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8e7675df15697eee65b731b90f33a5f

SHA1
8fe1308e032c5cb61b8ea50672fd650889cecdcd

SHA256
656a10810af26e008c2c5d4748b4a476b97b9fd5ef7837ae197feff6ec00b932

SHA512
fed3aa124a90998c734d36397f7fa6e26973bbeaa2c11b999ee05b0fb2378473b14765ca606f021c2f778613ce61f3a1c6836e955b7c6b192a7774973a945992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ceb796de20c8360e1e53623d78696e8a

SHA1
52e20d1bb718b5e04290816c3c740d8f89265bcb

SHA256
cdf217f7e76215d14186a36614f8d2bd6f911869af5c12d98827ec42734ce321

SHA512
2d9f010240f49f4ea4537ece426edeccf8f6b1f2013bfb5e5e8412bc54993043e101f205ed5ca93f26d77de3cce1ab7620b7f97792df06d6c803695f9baaf869

Download Submit
C:\Users\Admin\AppData\Local\Temp\239e4973-5b62-442b-9de7-006ed6a8a33a.vbs

Filesize
727B

MD5
a1811be40e8ec17443497f144ecdf2c6

SHA1
729ed8edbe42d15d598d394181b848157c7031a0

SHA256
39229f21fb68c998531270104d905cf456bb74b97bd6045de7df102345de25c1

SHA512
c0e327dee8ec4a11c8c94cbadab52b110867ee62a15003f3adc4fa50182b27660e6cffddbce703d688ed5536ee1ec078334598c05a1f7011799d61eba2604147

Download Submit
C:\Users\Admin\AppData\Local\Temp\358be680-2edf-4b05-9c24-bcc49573f997.vbs

Filesize
727B

MD5
a4a31e821e12cecde8acfeec7e8a7a97

SHA1
cf52a699f95fc8e2a5b99da174f096f3e5e6778b

SHA256
2977946777895e90ba48a573358899eeea59b88a3f7196053c5ba1013e05404a

SHA512
3885e7e0d828d8ba4f9b96595a1e4d1bbd624ab8008870d31678fc0412f61ebb1ed9657eee35056623b3bb1bd65626bddb88700a8ed800f6e53d143812d090e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ba6a0cf-f68f-41a4-9e7a-e7243952869a.vbs

Filesize
727B

MD5
ba2b74eb21d71fc714c5db526384bd2b

SHA1
c15c61e3392989940572cd4cfed075480e04bcd5

SHA256
208ea1e7031e389f37d956ed08da1ac3892ed4b2c72bbec594ae9cc8aee3c073

SHA512
18f4cc2e4d3ba7ab18bc78f177f1a7cf747d81238c822f273c8778d037cfcd0c8ad0550f9827e434fbc5897d5dc6a8637c3bb0c06387599cee22a2e1fff86775

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ec648c8-1a84-4dd5-ad79-9f0512d16478.vbs

Filesize
727B

MD5
388a7990fcb69ce25e1dc4ea7d2b3ed0

SHA1
0eb5120858f8a55f8229c7aa60d051fbdceefdde

SHA256
24c84a11b9f08da8311f69e17175d22ba59048614796a19e115a7d530cd23bdb

SHA512
f3d217032edf77e17a1ceedd007f5d7edb324739d584f415733fa3ad37bac0481ea1a4b004d9c6173bc7c3a1d73d068ab552afb02e4a904685bfa9b852c2e646

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a79a36d-291c-4c41-a4e1-ce73bfd5be23.vbs

Filesize
503B

MD5
22d515b4a64ce57c1c1c31a9b64e113a

SHA1
8b383c0ee29c26de3b9783ef85f48e06c92427a6

SHA256
59e60ca1f17345edc462be9e4429bf29563f87730fc2fa37f22d3725c0e4f17c

SHA512
5d51c57e787ec356a3dd4647595e500b74637b0f56388b898dffa81ee8c9d7e5f988df037c3cd62ff3d5f474d3a5bd2c24e51143fdfb138b191260fbe73692d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\6333a880-14b3-4f87-8e0c-51f77801efe1.vbs

Filesize
727B

MD5
0eed7707b6934c5b19f065ab098b2ea7

SHA1
f9fb519b395d2184bf979206ca38cae5a45ef73d

SHA256
e2c219ed32e0a3aa7780d434f23cff2ca0cd7c2b54f02cb3b26b078a476c7701

SHA512
5b4525a2afc317432263709fbfc7267e441ef4cd441ea8a659acb4e225b78b80c04f3ac31cc12ff4be28eb6c5f9c1608f33c05ed6692813cf0bf98033038ac85

Download Submit
C:\Users\Admin\AppData\Local\Temp\821b7e38-7e51-4bcc-a17e-12564ee68448.vbs

Filesize
727B

MD5
218a452d57745303612c32c51065f137

SHA1
a25e3bdd6e65417d0d188957bf46e825661d30e1

SHA256
345b8d81188a1e6b257ab72c16563d026ae2b388a334b2098f2d915151d967b7

SHA512
9c1ce6da80eae453db35d7942b1b2a243a9d5a1dfe06dfc700b9db138d5b21692859d450875dac9f9b5217cb891e6a8efc49d522a986dd73346baffd1b124861

Download Submit
C:\Users\Admin\AppData\Local\Temp\86e9093d-cfd8-4f3c-89b1-c4cc91329d80.vbs

Filesize
727B

MD5
3b5c4d0fb412836761cf85d0a31fc9c3

SHA1
b6c452f3e8922e390ed1089b2963d9ed57dc6134

SHA256
7d49609c68c3b3071f6ade1f4735464a18aece8bca9da0531067c38f32df8b14

SHA512
8d2c9f7468c083015a973e9cc1d4a394d52e76418875617b4e77d03bfdb06bdc38cf23e6d544cdb69767782a9b8add1fe7c1dc6a7d61160d6dcd628a554ed709

Download Submit
C:\Users\Admin\AppData\Local\Temp\XeGdH0U8sJ.bat

Filesize
216B

MD5
3ab5ba471170ab2e56e14119abedb58e

SHA1
f575ec5fae41649ebf8207c080817c9a3074a3bc

SHA256
bbd58dd35b621657afbf9e758c9b0f3b6744f1d39866086c3e625a8aaaa12e9a

SHA512
f0c12d2586b37660d04d97eb4a58814ac68779e922107ef4782e81f42e55f4adfef2547fbdc56b0fca7717d2952276db4026c96c494b8c3161708c44bdbdc25f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j2wcp2y1.ewv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4c3d2b5-daef-4164-abe0-b84a7d8560d3.vbs

Filesize
727B

MD5
e8779d2ec891514a7300384857fc15a6

SHA1
fa4eaf918686d669f600f30d982dbb4bc744253f

SHA256
217f80116979cbca906d775772faf19dd6aa0271131a2ffeb704f67e8ae91b06

SHA512
66a8239b529c86d5a8f4822af6746fdfd9cbaa53574a4498ae69a0e758c32e8752afc398d940a9e1f0b987a8d0162584fbc06d19a31fa511cdfa7c95027cbb2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aba768da-aa2e-42b0-ba71-4d52689d6e04.vbs

Filesize
727B

MD5
18499dad257230cc7a24c8008c3ea79c

SHA1
cd4a56ee3f8d847a2426191ea97956c351611477

SHA256
81a97f61c3cb4cef2091a36dd15cc72d4dd95f21cfdecdeb3629b4ae486f299f

SHA512
5b1a850f7dff222c5468d134ce470899ccff9bcdfd3c5a37cb3c323a188bb31fe695e87c38003ccd9529141c0375ed94f11858d3a31408e04c87ca61177c4b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf4002af-6d93-4c21-97ce-fba11d964f3b.vbs

Filesize
727B

MD5
135190d89c524caa61af63b624751b4c

SHA1
7bdbca909bee9b5320d818c4a03ecb5f3c51a69f

SHA256
ec7707d0ca57de6a43215a224c5ef4b9606196952b1dfb5877b335f57ad87d1f

SHA512
3a3aa29a284e9f6128c5ec29671d5940b834978017d35347b2d7f982a9ec517ecf01681224101f2265539b0d37748df7fb289a48b6e6c5df3f901a1aac129f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0c5fc13-d501-4833-9b9b-2f080c1c8aaa.vbs

Filesize
727B

MD5
dbfcce4076e8ff82286fe0d4ec14e327

SHA1
51ff3b3e7553284fc14f6f4eb52eae48bfe01223

SHA256
7474a8bc8be3589e71ef8f54095860c2d32f41caa8746a295b74ba50fb7cd60e

SHA512
65e3c682ea3e7bcf7133576566e1a52a0a715bbb40d3bb26936b26983077401cbfa8a6cfee1c7e122704cf1e054716910c1865b44a6a789c9565122ac3a8ae1e

Download Submit
C:\Users\Public\Pictures\Idle.exe

Filesize
1.6MB

MD5
8b03d1f60bdf0b6465c0623109e7269e

SHA1
33fb1f09f53ca182e1112ed973fce8fa97e4398f

SHA256
1b06c73e9c03f55f8fe3c26f374a889e7095d080c3448d4d040db1ebf46f6aaf

SHA512
8c79bf16fdce864799bb6893565aa06f35737f91897537f08129bfe842ad46f39f4081dcc59760df59e416af3ec848fd2dec179d42900defad7d94b4678f2de0

Download Submit
C:\d25f591a00514bc9ba8441\RuntimeBroker.exe

Filesize
1.6MB

MD5
b4a7ffa597431472f1196f0d244fdfa1

SHA1
9787d0f1dffca7a2d3d3a04b7b3f9cc055190039

SHA256
12a93931e6670cd16b26b8aaaf6b9c99a181ed1781cbb8af9e309bfd8a1f6d92

SHA512
3ddec53995b68b6d4f071bea31ca3403006929a5b8169f89819a9b2ecbbf30a6bd659f4d38302c2a0bd26d9c1be33ecbb1201245e57571a6a7cf75e148ed35e4

Download Submit
C:\d25f591a00514bc9ba8441\sihost.exe

Filesize
1.6MB

MD5
53cff85048d32a94637e8115a6f122d0

SHA1
80abea3fa189da68c1639ea0f1ba58adf87b6b94

SHA256
6fae27b1af247f9bf0ddfad3125bc5913540c26b39061e57113f506a3893e28c

SHA512
31951295ad8c360232c2201bd3654f8cfc6160ea485311a47d34b796c44e24b26b448da7f89cf890aec6e0b39567408d2097e5cac2b472626efc5c48092bb09f

Download Submit
memory/2180-9-0x0000000002FD0000-0x0000000002FD8000-memory.dmp

Filesize
32KB

Download
memory/2180-10-0x0000000002FE0000-0x0000000002FEC000-memory.dmp

Filesize
48KB

Download
memory/2180-0-0x00007FFFDCC23000-0x00007FFFDCC25000-memory.dmp

Filesize
8KB

Download
memory/2180-213-0x00007FFFDCC20000-0x00007FFFDD6E1000-memory.dmp

Filesize
10.8MB

Download
memory/2180-201-0x00007FFFDCC23000-0x00007FFFDCC25000-memory.dmp

Filesize
8KB

Download
memory/2180-3-0x0000000002F50000-0x0000000002F6C000-memory.dmp

Filesize
112KB

Download
memory/2180-4-0x000000001BAF0000-0x000000001BB40000-memory.dmp

Filesize
320KB

Download
memory/2180-5-0x0000000002F80000-0x0000000002F90000-memory.dmp

Filesize
64KB

Download
memory/2180-6-0x0000000002F90000-0x0000000002FA6000-memory.dmp

Filesize
88KB

Download
memory/2180-12-0x0000000003000000-0x000000000300A000-memory.dmp

Filesize
40KB

Download
memory/2180-1-0x0000000000CB0000-0x0000000000E52000-memory.dmp

Filesize
1.6MB

Download
memory/2180-259-0x00007FFFDCC20000-0x00007FFFDD6E1000-memory.dmp

Filesize
10.8MB

Download
memory/2180-8-0x0000000002FC0000-0x0000000002FD0000-memory.dmp

Filesize
64KB

Download
memory/2180-13-0x000000001BB40000-0x000000001BB4E000-memory.dmp

Filesize
56KB

Download
memory/2180-14-0x000000001BB60000-0x000000001BB68000-memory.dmp

Filesize
32KB

Download
memory/2180-15-0x000000001BB70000-0x000000001BB78000-memory.dmp

Filesize
32KB

Download
memory/2180-16-0x000000001BB80000-0x000000001BB8A000-memory.dmp

Filesize
40KB

Download
memory/2180-17-0x000000001BB90000-0x000000001BB9C000-memory.dmp

Filesize
48KB

Download
memory/2180-11-0x0000000002FF0000-0x0000000002FFC000-memory.dmp

Filesize
48KB

Download
memory/2180-7-0x0000000002FB0000-0x0000000002FB8000-memory.dmp

Filesize
32KB

Download
memory/2180-2-0x00007FFFDCC20000-0x00007FFFDD6E1000-memory.dmp

Filesize
10.8MB

Download
memory/4936-240-0x0000024969310000-0x0000024969332000-memory.dmp

Filesize
136KB

Download