dcrat | 8e52ba8956d643c96cdeb75c43492302cf710a3d2acc852442930dedbe9ea1bb

Analysis

max time kernel
29s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
Size

2.5MB
MD5

1e5801255eb014a44c56370d9c7e5019
SHA1

9000eacf24a374e6e8512dce6deaae28454ea422
SHA256

eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a
SHA512

d2ba4e8022ba845a124c676b928358b99365691a3b6c4cdc0b488c184325e0cc29bd43ef54833b5c7c527beceab407d96d4d89050bcb6f19fdbc65f7456f8ddd
SSDEEP

49152:BjLLQdzMIwA7G5ALF/CT2vyYSjEf+QSs5saA2R97oF/cZ8ekY4E7Jy:B2l7G5Auotf+Lg4ElM

Score

10^/10

dcrat execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	4996	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5484	4996	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	4996	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	4996	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	4996	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	4996	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	4996	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	4996	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3804	4996	schtasks.exe	89

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4560	powershell.exe
724	powershell.exe
5892	powershell.exe
3800	powershell.exe
1004	powershell.exe
940	powershell.exe
1856	powershell.exe
4416	powershell.exe
3164	powershell.exe
5132	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 3 IoCs

pid	Process
5492	RuntimeBroker.exe
2300	RuntimeBroker.exe
436	RuntimeBroker.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\msi\\unsecapp.exe\""	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\mswmdm\\unsecapp.exe\""	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\Windows.Services.TargetedContent\\RuntimeBroker.exe\""	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\34c553de294c1d56d0a800105b\\smss.exe\""	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Windows\\System32\\unattend\\backgroundTaskHost.exe\""	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Documents and Settings\\unsecapp.exe\""	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\2f3e0199fccb3f72e8a39924edc6a781\\dllhost.exe\""	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\RestartNowPower_80\\RuntimeBroker.exe\""	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Photo Viewer\\es-ES\\spoolsv.exe\""	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe

Drops file in System32 directory 25 IoCs

description	ioc	Process
File created	C:\Windows\System32\RestartNowPower_80\RuntimeBroker.exe	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File created	C:\Windows\System32\RestartNowPower_80\9e8d7a4ca61bd9	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File created	C:\Windows\System32\wbem\mswmdm\29c1c3cc0f7685	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File opened for modification	C:\Windows\System32\RestartNowPower_80\RCX904C.tmp	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File opened for modification	C:\Windows\System32\wbem\msi\unsecapp.exe	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File opened for modification	C:\Windows\System32\wbem\mswmdm\unsecapp.exe	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File opened for modification	C:\Windows\System32\Windows.Services.TargetedContent\RCX9BFF.tmp	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File created	C:\Windows\System32\wbem\msi\unsecapp.exe	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File created	C:\Windows\System32\wbem\msi\29c1c3cc0f7685	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File opened for modification	C:\Windows\System32\wbem\msi\RCX9477.tmp	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File opened for modification	C:\Windows\System32\wbem\mswmdm\RCX990E.tmp	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File opened for modification	C:\Windows\System32\Windows.Services.TargetedContent\RuntimeBroker.exe	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File opened for modification	C:\Windows\System32\unattend\RCXA086.tmp	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File opened for modification	C:\Windows\System32\unattend\backgroundTaskHost.exe	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File opened for modification	C:\Windows\System32\RestartNowPower_80\RuntimeBroker.exe	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File created	C:\Windows\System32\wbem\mswmdm\unsecapp.exe	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File created	C:\Windows\System32\Windows.Services.TargetedContent\RuntimeBroker.exe	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File created	C:\Windows\System32\unattend\backgroundTaskHost.exe	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File created	C:\Windows\System32\unattend\eddb19405b7ce1	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File opened for modification	C:\Windows\System32\RestartNowPower_80\RCX904B.tmp	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File opened for modification	C:\Windows\System32\wbem\msi\RCX9476.tmp	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File opened for modification	C:\Windows\System32\wbem\mswmdm\RCX997C.tmp	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File created	C:\Windows\System32\Windows.Services.TargetedContent\9e8d7a4ca61bd9	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File opened for modification	C:\Windows\System32\Windows.Services.TargetedContent\RCX9B81.tmp	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File opened for modification	C:\Windows\System32\unattend\RCXA087.tmp	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\es-ES\spoolsv.exe	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\f3b6ecef712a24	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\RCX9261.tmp	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\RCX9262.tmp	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\spoolsv.exe	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
768	schtasks.exe
4960	schtasks.exe
5000	schtasks.exe
4976	schtasks.exe
4920	schtasks.exe
3804	schtasks.exe
5484	schtasks.exe
4812	schtasks.exe
2868	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
4560	powershell.exe
4560	powershell.exe
1004	powershell.exe
1004	powershell.exe
5132	powershell.exe
5132	powershell.exe
5892	powershell.exe
5892	powershell.exe
4416	powershell.exe
4416	powershell.exe
1856	powershell.exe
1856	powershell.exe
724	powershell.exe
724	powershell.exe
3800	powershell.exe
3800	powershell.exe
3164	powershell.exe
3164	powershell.exe
940	powershell.exe
940	powershell.exe
3164	powershell.exe
5132	powershell.exe
3800	powershell.exe
1004	powershell.exe
4416	powershell.exe
4560	powershell.exe
1856	powershell.exe
5892	powershell.exe
724	powershell.exe
940	powershell.exe
5492	RuntimeBroker.exe
5492	RuntimeBroker.exe
5492	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
Token: SeDebugPrivilege	4560	powershell.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	5132	powershell.exe
Token: SeDebugPrivilege	4416	powershell.exe
Token: SeDebugPrivilege	5892	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	724	powershell.exe
Token: SeDebugPrivilege	3800	powershell.exe
Token: SeDebugPrivilege	3164	powershell.exe
Token: SeDebugPrivilege	940	powershell.exe
Token: SeDebugPrivilege	5492	RuntimeBroker.exe
Token: SeDebugPrivilege	2300	RuntimeBroker.exe
Token: SeDebugPrivilege	436	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 3816 wrote to memory of 4560	3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	107
PID 3816 wrote to memory of 4560	3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	107
PID 3816 wrote to memory of 5132	3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	108
PID 3816 wrote to memory of 5132	3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	108
PID 3816 wrote to memory of 3164	3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	109
PID 3816 wrote to memory of 3164	3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	109
PID 3816 wrote to memory of 3800	3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	111
PID 3816 wrote to memory of 3800	3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	111
PID 3816 wrote to memory of 4416	3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	112
PID 3816 wrote to memory of 4416	3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	112
PID 3816 wrote to memory of 5892	3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	114
PID 3816 wrote to memory of 5892	3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	114
PID 3816 wrote to memory of 1856	3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	115
PID 3816 wrote to memory of 1856	3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	115
PID 3816 wrote to memory of 940	3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	116
PID 3816 wrote to memory of 940	3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	116
PID 3816 wrote to memory of 724	3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	117
PID 3816 wrote to memory of 724	3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	117
PID 3816 wrote to memory of 1004	3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	118
PID 3816 wrote to memory of 1004	3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	118
PID 3816 wrote to memory of 3656	3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	127
PID 3816 wrote to memory of 3656	3816	eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe	127
PID 3656 wrote to memory of 5684	3656	cmd.exe	129
PID 3656 wrote to memory of 5684	3656	cmd.exe	129
PID 3656 wrote to memory of 5492	3656	cmd.exe	135
PID 3656 wrote to memory of 5492	3656	cmd.exe	135
PID 5492 wrote to memory of 32	5492	RuntimeBroker.exe	136
PID 5492 wrote to memory of 32	5492	RuntimeBroker.exe	136
PID 5492 wrote to memory of 1952	5492	RuntimeBroker.exe	137
PID 5492 wrote to memory of 1952	5492	RuntimeBroker.exe	137
PID 32 wrote to memory of 2300	32	WScript.exe	139
PID 32 wrote to memory of 2300	32	WScript.exe	139
PID 2300 wrote to memory of 1820	2300	RuntimeBroker.exe	140
PID 2300 wrote to memory of 1820	2300	RuntimeBroker.exe	140
PID 2300 wrote to memory of 3448	2300	RuntimeBroker.exe	141
PID 2300 wrote to memory of 3448	2300	RuntimeBroker.exe	141
PID 1820 wrote to memory of 436	1820	WScript.exe	143
PID 1820 wrote to memory of 436	1820	WScript.exe	143

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe
"C:\Users\Admin\AppData\Local\Temp\eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\RestartNowPower_80\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\es-ES\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wbem\msi\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\2f3e0199fccb3f72e8a39924edc6a781\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wbem\mswmdm\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Windows.Services.TargetedContent\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\34c553de294c1d56d0a800105b\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\unattend\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Documents and Settings\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1004
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z5EpmLCx1h.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5684
- - C:\Windows\System32\RestartNowPower_80\RuntimeBroker.exe
    "C:\Windows\System32\RestartNowPower_80\RuntimeBroker.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5492
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65068a8e-61c3-4146-bb29-5442a796fd59.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:32
    - - C:\Windows\System32\RestartNowPower_80\RuntimeBroker.exe
        
        C:\Windows\System32\RestartNowPower_80\RuntimeBroker.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2300
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6353e921-9122-4ccb-bddd-090ba9c17cf1.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\System32\RestartNowPower_80\RuntimeBroker.exe
        
        C:\Windows\System32\RestartNowPower_80\RuntimeBroker.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01789b81-c663-450b-a700-67f6acbb1c94.vbs"
        8⤵
        
        PID:3712
        
        C:\Windows\System32\RestartNowPower_80\RuntimeBroker.exe
        
        C:\Windows\System32\RestartNowPower_80\RuntimeBroker.exe
        9⤵
        
        PID:1228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a00202d-4e7d-4143-a0e1-4156d550052c.vbs"
        10⤵
        
        PID:736
        
        C:\Windows\System32\RestartNowPower_80\RuntimeBroker.exe
        
        C:\Windows\System32\RestartNowPower_80\RuntimeBroker.exe
        11⤵
        
        PID:5440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f754da5a-4e46-421f-ace1-ebe332596fc0.vbs"
        12⤵
        
        PID:6108
        
        C:\Windows\System32\RestartNowPower_80\RuntimeBroker.exe
        
        C:\Windows\System32\RestartNowPower_80\RuntimeBroker.exe
        13⤵
        
        PID:5088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\522f6f1d-48f4-4275-b0c6-c57838134bf0.vbs"
        14⤵
        
        PID:940
        
        C:\Windows\System32\RestartNowPower_80\RuntimeBroker.exe
        
        C:\Windows\System32\RestartNowPower_80\RuntimeBroker.exe
        15⤵
        
        PID:3936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88e13910-2e83-4892-897e-1bfb47a010fc.vbs"
        16⤵
        
        PID:5544
        
        C:\Windows\System32\RestartNowPower_80\RuntimeBroker.exe
        
        C:\Windows\System32\RestartNowPower_80\RuntimeBroker.exe
        17⤵
        
        PID:5732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d535b57-bc6f-47e8-b2a3-fd5565494f74.vbs"
        18⤵
        
        PID:5580
        
        C:\Windows\System32\RestartNowPower_80\RuntimeBroker.exe
        
        C:\Windows\System32\RestartNowPower_80\RuntimeBroker.exe
        19⤵
        
        PID:3992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\867c30d9-83f9-47f1-9978-05e5f164a262.vbs"
        20⤵
        
        PID:2836
        
        C:\Windows\System32\RestartNowPower_80\RuntimeBroker.exe
        
        C:\Windows\System32\RestartNowPower_80\RuntimeBroker.exe
        21⤵
        
        PID:3412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38400cb5-4b46-4e53-91e2-9bcb3d22f2a5.vbs"
        22⤵
        
        PID:4364
        
        C:\Windows\System32\RestartNowPower_80\RuntimeBroker.exe
        
        C:\Windows\System32\RestartNowPower_80\RuntimeBroker.exe
        23⤵
        
        PID:1856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55fe8c58-7157-4c8b-975f-42de96cbc906.vbs"
        24⤵
        
        PID:4780
        
        C:\Windows\System32\RestartNowPower_80\RuntimeBroker.exe
        
        C:\Windows\System32\RestartNowPower_80\RuntimeBroker.exe
        25⤵
        
        PID:2176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\476232fc-27aa-473c-98a8-5eddade8190a.vbs"
        26⤵
        
        PID:2244
        
        C:\Windows\System32\RestartNowPower_80\RuntimeBroker.exe
        
        C:\Windows\System32\RestartNowPower_80\RuntimeBroker.exe
        27⤵
        
        PID:1972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0db306a-31ed-42ce-adfe-a2e5ca4ead8a.vbs"
        28⤵
        
        PID:3492
        
        C:\Windows\System32\RestartNowPower_80\RuntimeBroker.exe
        
        C:\Windows\System32\RestartNowPower_80\RuntimeBroker.exe
        29⤵
        
        PID:4192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81903f91-f744-4245-8874-44dc3b689992.vbs"
        30⤵
        
        PID:5624
        
        C:\Windows\System32\RestartNowPower_80\RuntimeBroker.exe
        
        C:\Windows\System32\RestartNowPower_80\RuntimeBroker.exe
        31⤵
        
        PID:636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6505497f-559b-476a-b003-697f552cad84.vbs"
        32⤵
        
        PID:184
        
        C:\Windows\System32\RestartNowPower_80\RuntimeBroker.exe
        
        C:\Windows\System32\RestartNowPower_80\RuntimeBroker.exe
        33⤵
        
        PID:1544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93d43841-30c4-4696-8829-a248aa7ae816.vbs"
        34⤵
        
        PID:4224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8dab4cc1-eacf-44df-adce-d8c8b85616e2.vbs"
        34⤵
        
        PID:2624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\436c56ec-11e1-41a9-be78-941823f06b5e.vbs"
        32⤵
        
        PID:4992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5eadf8b-2111-49fa-b8e9-0ef37bbe1b6e.vbs"
        30⤵
        
        PID:5404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d4c1c9f-ba95-4b1e-99d1-aa196bda3f17.vbs"
        28⤵
        
        PID:4852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be234339-dce1-47b0-a14f-dccf7a42d6c6.vbs"
        26⤵
        
        PID:4760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd2312fa-80d7-4636-97b9-c7439d6cbd2c.vbs"
        24⤵
        
        PID:2956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3212ab05-9940-4ee1-940a-b01c48849714.vbs"
        22⤵
        
        PID:4416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29f56609-5dac-4802-bb32-2ae5c0d7ab2d.vbs"
        20⤵
        
        PID:2488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\737861f1-4787-48d8-b4bd-ff8bdc424462.vbs"
        18⤵
        
        PID:4300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f98b13d-7922-4211-9fd4-d9d967bb31c1.vbs"
        16⤵
        
        PID:1488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f7207c4-078f-4eb9-9161-93d64cd27313.vbs"
        14⤵
        
        PID:3776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b7c71be-518b-41f8-8263-549052fcc06f.vbs"
        12⤵
        
        PID:1372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be125313-5fb3-493a-a854-fe1e9fca852e.vbs"
        10⤵
        
        PID:448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21e2b736-54c3-474f-a897-418616275119.vbs"
        8⤵
        
        PID:1376
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a75b0c8-e858-434b-82cd-9015efe3e8c4.vbs"
        6⤵
        
        PID:3448
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7e6799d3-88b7-4032-a0a0-4c06ffbd45dc.vbs"
      4⤵
      PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\RestartNowPower_80\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\System32\wbem\msi\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\2f3e0199fccb3f72e8a39924edc6a781\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\System32\wbem\mswmdm\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\Windows.Services.TargetedContent\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\34c553de294c1d56d0a800105b\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\System32\unattend\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Documents and Settings\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\34c553de294c1d56d0a800105b\smss.exe

Filesize
2.5MB

MD5
cdfc869c0df495759d60d2672bb47648

SHA1
751e92a92ba8a5e1d96ee19c310b74310038bb92

SHA256
9d8233219b873429fde044dd3d29893166641c85b4270b215f97149b3b28a80d

SHA512
2599191c82ab1af0619da5a54984585eccd1359a7dcc99d6615bbe37646affb9cccd9b8e46c5e7bd97351e39432ebbd437b7e799bb048c9eea1c4db874454dad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
9699cf9bb24ebbc9b1035710e92b7bd2

SHA1
73f0f26db57ea306970a76f42c647bbce02a3f23

SHA256
fd35f3609663bec79a5254866d1c47342fbde3f94808acff8c3eaa19b24f67e5

SHA512
3a433f40f25b5a5c09f8de45ebd0b5485b3b54eb0c1c08a1dbae776629710b8d8f5fee21329d146867e49b5d35108bba6eff3995fb7c6246dbe6fe475eadf0bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
354ebb8d437ee057dacfef36baced4e9

SHA1
30460dbe64847ebb524d7d1fd5b9bf8a851a7626

SHA256
bcf3ba98af6ee96a3eba9bbc6bdb2ae36b883f5f1e9cdad2974cbbcb9c102237

SHA512
1f2cb272ad33df6e34949ac4d60ec0702316d9e21992be52cd9c6abd846472e7c868a8e96b5922b016e7952e460671e5768d007e28d84940a1b956eef4705b53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e452a0569a88103800ef1fdb9d028088

SHA1
b73c91d1a9b444033dd5824543c4b9e9538e379f

SHA256
c0f2157095cd92cebe6ea87b14b366ff5ff71ef681785ac8363b1ca59b0ca242

SHA512
5141bd6ceaaefae93e4663b8235ecb1ff87017c2ed1c5a1cfa249bb5d9b646d6d0493e1f85aebe4ae9bddfd2ff7210ada1217bb32d52a1ac582a2f6d636e08a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77c3c3e6edde95327e5255c97f03f1aa

SHA1
bf90bbebcadd07d730c5793a512ed30c4db1d776

SHA256
a80450170e547a9d4d050e3237edfcc561a6c936d180f6d0867a22a6487afa99

SHA512
8c3fbc3312def0c2ba51036a30ac23d5c50bcdf2a273ee4802fe05c73c0d94cb8b115291e0ed91a23f150ff9f69b2046276cc062a9ba6c7be92bcd975e850077

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
acd80d6d7114a61d8c01c77f78c805fb

SHA1
f0b79e5fd09ae019fe95d994a5b32a6a6922172d

SHA256
2d8d88440ac91d756e52b9029c25684ad2522f9dbb9c800f3929633529497818

SHA512
1cc189cbcdd80466b3418694e025e7ad00b8da0b882096a6e1274e0544b103c3bfcc717f4975ae03eda9f1bca94f7280dcc910ca207d04e44ef8db287ee6a266

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ada23d35e4a3f1bc35ac8d393cd02675

SHA1
88dd6ddecec82aeafba2b6368078c7c70b88fcac

SHA256
98d17949831dda7243aa8b24a66443eee75d0805996826290fbe1a75bfc79e72

SHA512
0acae33f83787122b779b8b1b41580f4595eb44c74ef0035949e3d90103fd22e15ed4af4238985bd58f8a0378dc8bce4d77549ca4bb661c2c515018be99a79e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\01789b81-c663-450b-a700-67f6acbb1c94.vbs

Filesize
731B

MD5
b647f7fc5ddc10bac65e3b4ba5f82a4b

SHA1
85a431937caf4f7a5dcea327b0128b0294af4bd0

SHA256
bf830ea4af6d3021c72fa7eb971af4342b522bda17a07ebd2dba4282cc9e8c56

SHA512
53b86776ba713eeeab74b6a0a491bf7ca640528f4a638de3f879734794da6afb7795c5bdd8067646849871e5063e567246ddcaf7751ff2b5f88993b251529f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\38400cb5-4b46-4e53-91e2-9bcb3d22f2a5.vbs

Filesize
732B

MD5
674cde52c234d1c5ef2b88c2ee4ec619

SHA1
ee618413c811b88389be40a4f2734231bd1f14fd

SHA256
8ee09159b76fbc130773b822b79207c48f0d2fc38082ce27340560f80e994bf3

SHA512
f704b1caad4a2d7a1a5ae89422efe0ccca1c7d13f4412989ea216a8b59c586e865e5c37ff8bae2f08ca04568659579f28fdf42508a732d06d1761e7b5a43a89e

Download Submit
C:\Users\Admin\AppData\Local\Temp\476232fc-27aa-473c-98a8-5eddade8190a.vbs

Filesize
732B

MD5
996508d9e9e88dc62ed90ad3fd31c9f4

SHA1
2884dbf3948c95fe115d0664b287459da622ae97

SHA256
a922bee02f5513d465ae65c75982b762da690c7230ccda69b0e9d7616660b85a

SHA512
9d7cda00dec2150c101d0e0b61edc34c908011a8333e3823b165f32af4db1f940d6430bc710411af1dcde2d122600dca9d35d2525d6736174f332d012e75d187

Download Submit
C:\Users\Admin\AppData\Local\Temp\522f6f1d-48f4-4275-b0c6-c57838134bf0.vbs

Filesize
732B

MD5
93a3226a5ecba9e0502e34c19331ebf5

SHA1
3ce1dc0f19c20b965d99dfe2e109678cf12fc90d

SHA256
c954f525bef300b0ff927378595631e8343dc068e855be6707d4d8e8f1c0ed36

SHA512
7f0854f6bc27f9d712f53715b65f331c568e41597781128b5b2fd57b2c4b6ea8b608a88878bc82ca2afbf0ecf7760514afa7f453bb401c8b613ea71ba5d55617

Download Submit
C:\Users\Admin\AppData\Local\Temp\55fe8c58-7157-4c8b-975f-42de96cbc906.vbs

Filesize
732B

MD5
1142a9b0dabbc102a04de695d6d23067

SHA1
6230f6bb09b9140ab1a62def95ed294f9e8d4ff1

SHA256
c77bede39eb6660fa17e9e3b0622717f94fa674e7359cfab8cd3021bee11f4d9

SHA512
e008bd24b9571ea36a67d9c7878c56efa032f74293fa5aa031cdce43f16aedd2281a42583317fb62046a0a9d68e927fd97a1db969e56b47bc0da4011957c7b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6353e921-9122-4ccb-bddd-090ba9c17cf1.vbs

Filesize
732B

MD5
30b0d40181c040f84800d8e7cb6c85a0

SHA1
5ab1476059bde10fa5dcbc4d45cec812b84e8b35

SHA256
3dbddd6f9966b853a51b4d55a05dd858215280f84f74ede049f46aab7da3b948

SHA512
d64f4f9c99243a9268bcc70529279e7f07ab3b696bf1b7236fc5b8bbf78e62eaeec36960e25def61bd584cf1e8f911bbf60e461cc1d31622bd60755e7a698701

Download Submit
C:\Users\Admin\AppData\Local\Temp\65068a8e-61c3-4146-bb29-5442a796fd59.vbs

Filesize
732B

MD5
ec58fcea3f60f343ec977d0f77659486

SHA1
b1e33ac4ca990f60cc8e213d0bd0e2d50752430a

SHA256
6d253a2b931c99cf86ffe4965ac722767f50ce9d8b3144b0e3409e3a9273b97f

SHA512
bdea64b851a6933a9290a30ef616fbc14b4e9b1eba023af25fa8c6ce1182bfed0d4b5e97966b01ed71fd6befb5e37c989b1db0354916b9693d6964571e0f4f11

Download Submit
C:\Users\Admin\AppData\Local\Temp\7a00202d-4e7d-4143-a0e1-4156d550052c.vbs

Filesize
732B

MD5
26fa6c9e6928b52d27eab1b2918b89b2

SHA1
86d1e40c49e3f5636db15c21ef214e330712f510

SHA256
caf886753c76f435b3a22ef46bf3212640121a361fdf5b947524afad06b276bc

SHA512
51824c3843db0638d3b569efa1b0e7a02d2044fb80c4a20797d1573481fdb993a8cef86d4bc51df2b68e221802c442bb525224479a7bc5f333040334faad46bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7e6799d3-88b7-4032-a0a0-4c06ffbd45dc.vbs

Filesize
508B

MD5
1624e1e28ddac6d4793175ce20455ee2

SHA1
3e122af2ace2bf0d12ef4d6fd9b2399a6e92d992

SHA256
7ade8afc10038acd78b9e94f4ccff9d481292e8c55ccddf950739ac7c122f8b7

SHA512
e558f2328678951069c8e40cc6a899b4ec582a74c94b89e6f2d7fc322db6cb93fe662e4502a10b5f93501c7a16cd3cc142d2c01ba730b338a602b2e7f2e9e477

Download Submit
C:\Users\Admin\AppData\Local\Temp\867c30d9-83f9-47f1-9978-05e5f164a262.vbs

Filesize
732B

MD5
9df59165bad391fcf2f7ca68311fa938

SHA1
c3f31a25c784f26aec41bddf12a08eed0ec8cda9

SHA256
46e8a9cf9c14353b25b74893b37006c0c9672195739cc86057e2fc4091848e5b

SHA512
9be8de7e33e7ad47b2da0ffbaf6e949ec7cc40feab3740cbbd0b4e4c081f104d32e12443df7b7af222d7583b991cf87e4edc2a888506ecd33553b28697c9ba5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\88e13910-2e83-4892-897e-1bfb47a010fc.vbs

Filesize
732B

MD5
88cc65903249c8fa0d97a063ed80d795

SHA1
f93c26f7ffdded338b9fc9f68c109934811b54d7

SHA256
ac4da781815b2133fc6123bd21ade57f2333fa24d0e632aaa30f43cbc2904d08

SHA512
627b9069f4a8de72179b73a600691c477d88f7bcc2d53487c0aa68d9f23ec9e73e322551b2d6eb2d9017c88752b2775bf8acb76b5769ebce8296bd7eeb2576f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d535b57-bc6f-47e8-b2a3-fd5565494f74.vbs

Filesize
732B

MD5
eb2d1f5742113ad27283863feaa48d6e

SHA1
307f0b9d5578ed911fcedf972b85e926e9921aeb

SHA256
49a7494534c600bc405cefb229bbdf63f13e06b2b2eb2c619a7d0e9835049005

SHA512
3f4474cc058ac70607f1ff3e2a454c7efc6eda6315b3543743cf6f2e4d0226189ac8fd6cc029dcfeaeaa6d4d32c425314bff1dede7ac95b0609e452d368fadcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ukcmdfon.jni.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b0db306a-31ed-42ce-adfe-a2e5ca4ead8a.vbs

Filesize
732B

MD5
838617cd4395ca019b345c53f2307275

SHA1
adc6419b8d3f7ba96ec898f8f4cf5bfc12d8a7f4

SHA256
436b8f5836266ad8e1323bc1684c9cab5104371da694170a4086cbcc45c51685

SHA512
631869b51b80ffe69fe2db4da7193f27de49556eada6b66c3578a1e4211cdbacaf93c2b2fed095f13b03ac35d38359651c9887159ad1ad58c1d08e8c96fa1f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\f754da5a-4e46-421f-ace1-ebe332596fc0.vbs

Filesize
732B

MD5
13af9517a8e1e1141794d0697d252567

SHA1
798ec8f66321ab61bc4d427ad74db96a8739881c

SHA256
60811d54ecab5f7ee0f001459d8e0f5bce15cc419440cb891816d80a8c9a4237

SHA512
9192967466d3618ccbf3594f0089ae0f3c38ecc4ed1c00f83f0aa3f16df19eb916afd19c4ce1dc5f1b4aa9864bca6b099ffda29527013aa380365536fa5484ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\z5EpmLCx1h.bat

Filesize
220B

MD5
2847ddbdb378b45362f4a930291ea34d

SHA1
0d6d8c8efd0422813f69f409b615c53cf2f659ed

SHA256
400f999f0881a4b462f48d66f8d906365ed630d688edab16af77190a108a2a19

SHA512
c1eb30fa0ddb7962568cd640ab3291e1d7594422f8f12b3b9d3c355e4b5ed1f22607ad880e8c983d1e408623fa9f5010cf0d1919057e19596c577b9b6f60122d

Download Submit
C:\Windows\System32\Windows.Services.TargetedContent\RuntimeBroker.exe

Filesize
2.5MB

MD5
c0f016f8ac5272ead2c6865ec25995c2

SHA1
576140d315fe2f90ea73def2d81ecd3338014e74

SHA256
e35591e30ab710ea417b74852be83ca48cdfc37c4b6397d84ac8ff28dc08914d

SHA512
396c0303029bae2bdb5a417a583649e6d5b18dd62334182a28d4bf0e609e5bf9d4504dc61b920cffa2ec22546397d147e6796b4c4c88a340b1df477bb64fa58d

Download Submit
C:\Windows\System32\wbem\mswmdm\unsecapp.exe

Filesize
2.5MB

MD5
1e5801255eb014a44c56370d9c7e5019

SHA1
9000eacf24a374e6e8512dce6deaae28454ea422

SHA256
eb7e5b28433b32eeb0e6b15eb621ffd943c75880034c4c690a9a116524ad915a

SHA512
d2ba4e8022ba845a124c676b928358b99365691a3b6c4cdc0b488c184325e0cc29bd43ef54833b5c7c527beceab407d96d4d89050bcb6f19fdbc65f7456f8ddd

Download Submit
C:\Windows\System32\wbem\mswmdm\unsecapp.exe

Filesize
2.5MB

MD5
5575ad211ef3f02a39fb83382d5aca13

SHA1
3f91272d8d598e23b967cbcfb32c460677acae00

SHA256
5fd2c00c34b94b7f79f66ef0fad4663ba45d4391e391be92375bc7054ec229f8

SHA512
438054789f50e3bf90caed113855aea131aa58b3a0a68ed88912e5f061a17c51701950722e36aa2fe088888b2b6569579ee45eb2dfded46eef87be9c2d9c5644

Download Submit
memory/1228-303-0x000000001D2B0000-0x000000001D306000-memory.dmp

Filesize
344KB

Download
memory/1972-403-0x000000001BFF0000-0x000000001C002000-memory.dmp

Filesize
72KB

Download
memory/3816-12-0x000000001BAB0000-0x000000001BABA000-memory.dmp

Filesize
40KB

Download
memory/3816-13-0x000000001BAC0000-0x000000001BACA000-memory.dmp

Filesize
40KB

Download
memory/3816-1-0x0000000000430000-0x00000000006B6000-memory.dmp

Filesize
2.5MB

Download
memory/3816-11-0x000000001C400000-0x000000001C928000-memory.dmp

Filesize
5.2MB

Download
memory/3816-2-0x00007FFC91DD0000-0x00007FFC92891000-memory.dmp

Filesize
10.8MB

Download
memory/3816-15-0x000000001BBE0000-0x000000001BBEA000-memory.dmp

Filesize
40KB

Download
memory/3816-16-0x000000001BBF0000-0x000000001BBFC000-memory.dmp

Filesize
48KB

Download
memory/3816-17-0x000000001BC00000-0x000000001BC08000-memory.dmp

Filesize
32KB

Download
memory/3816-18-0x000000001BD10000-0x000000001BD1A000-memory.dmp

Filesize
40KB

Download
memory/3816-14-0x000000001BAD0000-0x000000001BADC000-memory.dmp

Filesize
48KB

Download
memory/3816-0-0x00007FFC91DD3000-0x00007FFC91DD5000-memory.dmp

Filesize
8KB

Download
memory/3816-188-0x00007FFC91DD0000-0x00007FFC92891000-memory.dmp

Filesize
10.8MB

Download
memory/3816-4-0x00000000029F0000-0x0000000002A0C000-memory.dmp

Filesize
112KB

Download
memory/3816-5-0x000000001BA40000-0x000000001BA90000-memory.dmp

Filesize
320KB

Download
memory/3816-6-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/3816-7-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/3816-10-0x000000001B2E0000-0x000000001B2F2000-memory.dmp

Filesize
72KB

Download
memory/3816-9-0x000000001B2C0000-0x000000001B2C8000-memory.dmp

Filesize
32KB

Download
memory/3816-8-0x000000001B270000-0x000000001B2C6000-memory.dmp

Filesize
344KB

Download
memory/3816-3-0x00000000029E0000-0x00000000029EC000-memory.dmp

Filesize
48KB

Download
memory/4560-164-0x000001E458D60000-0x000001E458D82000-memory.dmp

Filesize
136KB

Download
memory/5492-268-0x000000001DA10000-0x000000001DA22000-memory.dmp

Filesize
72KB

Download