dcrat | 55edcf08f8521a9cddde8570baaac0ab8ef6e640e96c834db0e5c12f5b9c68fe

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
Size

1.6MB
MD5

e9a05151dfc1c4c2e84f16e25d05f6ee
SHA1

4bced15dc17ebf0e95cb34558e093446d394b235
SHA256

f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1
SHA512

6bd1a48e3d6a6a76b115bb6b6dddb95c5a39a890ca285f8d9470a6857d73c761225271ea513b1762641b373aa737b845261e0098e94ea8552ddd04226be804af
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral16/memory/5248-1-0x0000000000790000-0x0000000000932000-memory.dmp	dcrat
behavioral16/files/0x00070000000242bd-26.dat	dcrat
behavioral16/files/0x000a000000016918-97.dat	dcrat
behavioral16/files/0x000d0000000242e1-120.dat	dcrat
behavioral16/files/0x00080000000242c4-140.dat	dcrat
behavioral16/files/0x00090000000242c8-153.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2904	powershell.exe
404	powershell.exe
3796	powershell.exe
4636	powershell.exe
5360	powershell.exe
1004	powershell.exe
6028	powershell.exe
4896	powershell.exe
5384	powershell.exe
5904	powershell.exe
5004	powershell.exe
5176	powershell.exe
2860	powershell.exe
5700	powershell.exe
3196	powershell.exe
2928	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 14 IoCs

pid	Process
4672	RuntimeBroker.exe
4692	RuntimeBroker.exe
5344	RuntimeBroker.exe
2600	RuntimeBroker.exe
2560	RuntimeBroker.exe
4232	RuntimeBroker.exe
5892	RuntimeBroker.exe
4256	RuntimeBroker.exe
3076	RuntimeBroker.exe
3092	RuntimeBroker.exe
4772	RuntimeBroker.exe
1256	RuntimeBroker.exe
6136	RuntimeBroker.exe
4852	RuntimeBroker.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\edge_BITS_4512_1294531004\RuntimeBroker.exe	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\taskhostw.exe	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\RCX5E26.tmp	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\RCX5EA4.tmp	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\fontdrvhost.exe	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\RCX70C5.tmp	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\taskhostw.exe	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\5b884080fd4f94	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\ea9f0e6c9e2dcd	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
File opened for modification	C:\Program Files\edge_BITS_4512_1294531004\RCX67C3.tmp	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
File opened for modification	C:\Program Files\edge_BITS_4512_1294531004\RuntimeBroker.exe	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\RCX70C4.tmp	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\fontdrvhost.exe	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
File opened for modification	C:\Program Files\edge_BITS_4512_1294531004\RCX6831.tmp	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
File created	C:\Program Files\edge_BITS_4512_1294531004\9e8d7a4ca61bd9	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\debug\TextInputHost.exe	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
File created	C:\Windows\Tasks\smss.exe	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
File opened for modification	C:\Windows\debug\RCX57E6.tmp	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
File opened for modification	C:\Windows\debug\RCX57E7.tmp	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
File opened for modification	C:\Windows\Tasks\RCX6CA9.tmp	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
File opened for modification	C:\Windows\Tasks\smss.exe	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
File created	C:\Windows\debug\TextInputHost.exe	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
File created	C:\Windows\debug\22eafd247d37c3	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
File created	C:\Windows\Tasks\69ddcba757bf72	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
File opened for modification	C:\Windows\Tasks\RCX6CAA.tmp	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3760	schtasks.exe
368	schtasks.exe
4804	schtasks.exe
4780	schtasks.exe
2716	schtasks.exe
3808	schtasks.exe
4932	schtasks.exe
3468	schtasks.exe
4584	schtasks.exe
4692	schtasks.exe
5072	schtasks.exe
4600	schtasks.exe
5264	schtasks.exe
3916	schtasks.exe
2468	schtasks.exe
4660	schtasks.exe
4436	schtasks.exe
4948	schtasks.exe
3912	schtasks.exe
1792	schtasks.exe
3164	schtasks.exe
3748	schtasks.exe
4732	schtasks.exe
4644	schtasks.exe
3900	schtasks.exe
4872	schtasks.exe
4036	schtasks.exe
2020	schtasks.exe
1548	schtasks.exe
4104	schtasks.exe
4708	schtasks.exe
5892	schtasks.exe
2772	schtasks.exe
4928	schtasks.exe
5972	schtasks.exe
3216	schtasks.exe
2216	schtasks.exe
3708	schtasks.exe
4648	schtasks.exe
688	schtasks.exe
4788	schtasks.exe
5948	schtasks.exe
4848	schtasks.exe
4812	schtasks.exe
1400	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
5384	powershell.exe
5384	powershell.exe
3796	powershell.exe
3796	powershell.exe
404	powershell.exe
404	powershell.exe
2904	powershell.exe
2904	powershell.exe
5360	powershell.exe
5360	powershell.exe
1004	powershell.exe
1004	powershell.exe
4896	powershell.exe
4896	powershell.exe
4636	powershell.exe
4636	powershell.exe
5700	powershell.exe
5700	powershell.exe
6028	powershell.exe
6028	powershell.exe
3196	powershell.exe
2860	powershell.exe
3196	powershell.exe
2860	powershell.exe
5904	powershell.exe
5904	powershell.exe
2928	powershell.exe
2928	powershell.exe
5176	powershell.exe
5176	powershell.exe
5004	powershell.exe
5004	powershell.exe
3196	powershell.exe
5004	powershell.exe
5384	powershell.exe
5384	powershell.exe
5904	powershell.exe
3796	powershell.exe
404	powershell.exe
5360	powershell.exe
2928	powershell.exe
2904	powershell.exe
2904	powershell.exe
5700	powershell.exe
5176	powershell.exe
1004	powershell.exe
4636	powershell.exe
4896	powershell.exe
2860	powershell.exe
6028	powershell.exe
4672	RuntimeBroker.exe
4672	RuntimeBroker.exe
4692	RuntimeBroker.exe
5344	RuntimeBroker.exe
5344	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
Token: SeDebugPrivilege	5384	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	3796	powershell.exe
Token: SeDebugPrivilege	404	powershell.exe
Token: SeDebugPrivilege	5360	powershell.exe
Token: SeDebugPrivilege	4896	powershell.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeDebugPrivilege	5904	powershell.exe
Token: SeDebugPrivilege	5700	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	5176	powershell.exe
Token: SeDebugPrivilege	6028	powershell.exe
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	3196	powershell.exe
Token: SeDebugPrivilege	4672	RuntimeBroker.exe
Token: SeDebugPrivilege	4692	RuntimeBroker.exe
Token: SeDebugPrivilege	5344	RuntimeBroker.exe
Token: SeDebugPrivilege	2600	RuntimeBroker.exe
Token: SeDebugPrivilege	2560	RuntimeBroker.exe
Token: SeDebugPrivilege	4232	RuntimeBroker.exe
Token: SeDebugPrivilege	5892	RuntimeBroker.exe
Token: SeDebugPrivilege	4256	RuntimeBroker.exe
Token: SeDebugPrivilege	3076	RuntimeBroker.exe
Token: SeDebugPrivilege	3092	RuntimeBroker.exe
Token: SeDebugPrivilege	4772	RuntimeBroker.exe
Token: SeDebugPrivilege	1256	RuntimeBroker.exe
Token: SeDebugPrivilege	6136	RuntimeBroker.exe
Token: SeDebugPrivilege	4852	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5248 wrote to memory of 1004	5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe	140
PID 5248 wrote to memory of 1004	5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe	140
PID 5248 wrote to memory of 5360	5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe	141
PID 5248 wrote to memory of 5360	5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe	141
PID 5248 wrote to memory of 4896	5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe	142
PID 5248 wrote to memory of 4896	5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe	142
PID 5248 wrote to memory of 2904	5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe	144
PID 5248 wrote to memory of 2904	5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe	144
PID 5248 wrote to memory of 2860	5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe	145
PID 5248 wrote to memory of 2860	5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe	145
PID 5248 wrote to memory of 5176	5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe	147
PID 5248 wrote to memory of 5176	5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe	147
PID 5248 wrote to memory of 5004	5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe	148
PID 5248 wrote to memory of 5004	5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe	148
PID 5248 wrote to memory of 4636	5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe	149
PID 5248 wrote to memory of 4636	5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe	149
PID 5248 wrote to memory of 2928	5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe	151
PID 5248 wrote to memory of 2928	5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe	151
PID 5248 wrote to memory of 3196	5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe	152
PID 5248 wrote to memory of 3196	5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe	152
PID 5248 wrote to memory of 5904	5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe	153
PID 5248 wrote to memory of 5904	5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe	153
PID 5248 wrote to memory of 6028	5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe	154
PID 5248 wrote to memory of 6028	5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe	154
PID 5248 wrote to memory of 3796	5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe	156
PID 5248 wrote to memory of 3796	5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe	156
PID 5248 wrote to memory of 404	5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe	157
PID 5248 wrote to memory of 404	5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe	157
PID 5248 wrote to memory of 5700	5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe	158
PID 5248 wrote to memory of 5700	5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe	158
PID 5248 wrote to memory of 5384	5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe	206
PID 5248 wrote to memory of 5384	5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe	206
PID 5248 wrote to memory of 4672	5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe	172
PID 5248 wrote to memory of 4672	5248	f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe	172
PID 4672 wrote to memory of 3172	4672	RuntimeBroker.exe	174
PID 4672 wrote to memory of 3172	4672	RuntimeBroker.exe	174
PID 4672 wrote to memory of 664	4672	RuntimeBroker.exe	175
PID 4672 wrote to memory of 664	4672	RuntimeBroker.exe	175
PID 3172 wrote to memory of 4692	3172	WScript.exe	176
PID 3172 wrote to memory of 4692	3172	WScript.exe	176
PID 4692 wrote to memory of 1104	4692	RuntimeBroker.exe	177
PID 4692 wrote to memory of 1104	4692	RuntimeBroker.exe	177
PID 4692 wrote to memory of 4296	4692	RuntimeBroker.exe	178
PID 4692 wrote to memory of 4296	4692	RuntimeBroker.exe	178
PID 1104 wrote to memory of 5344	1104	WScript.exe	182
PID 1104 wrote to memory of 5344	1104	WScript.exe	182
PID 5344 wrote to memory of 1680	5344	RuntimeBroker.exe	185
PID 5344 wrote to memory of 1680	5344	RuntimeBroker.exe	185
PID 5344 wrote to memory of 4764	5344	RuntimeBroker.exe	186
PID 5344 wrote to memory of 4764	5344	RuntimeBroker.exe	186
PID 1680 wrote to memory of 2600	1680	WScript.exe	191
PID 1680 wrote to memory of 2600	1680	WScript.exe	191
PID 2600 wrote to memory of 5468	2600	RuntimeBroker.exe	192
PID 2600 wrote to memory of 5468	2600	RuntimeBroker.exe	192
PID 2600 wrote to memory of 4956	2600	RuntimeBroker.exe	193
PID 2600 wrote to memory of 4956	2600	RuntimeBroker.exe	193
PID 5468 wrote to memory of 2560	5468	WScript.exe	194
PID 5468 wrote to memory of 2560	5468	WScript.exe	194
PID 2560 wrote to memory of 3256	2560	RuntimeBroker.exe	195
PID 2560 wrote to memory of 3256	2560	RuntimeBroker.exe	195
PID 2560 wrote to memory of 3812	2560	RuntimeBroker.exe	196
PID 2560 wrote to memory of 3812	2560	RuntimeBroker.exe	196
PID 3256 wrote to memory of 4232	3256	WScript.exe	197
PID 3256 wrote to memory of 4232	3256	WScript.exe	197

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe
"C:\Users\Admin\AppData\Local\Temp\f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\TextInputHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\aff403968f1bfcc42131676322798b50\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f9532e701a889cdd91b8\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\regid.1991-06.com.microsoft\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\edge_BITS_4512_1294531004\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f9532e701a889cdd91b8\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\es-ES\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f9532e701a889cdd91b8\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5384
- C:\f9532e701a889cdd91b8\RuntimeBroker.exe
  "C:\f9532e701a889cdd91b8\RuntimeBroker.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4672
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cd6ef14e-444e-41fa-8cdb-2afd3974f32b.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3172
  - - C:\f9532e701a889cdd91b8\RuntimeBroker.exe
      C:\f9532e701a889cdd91b8\RuntimeBroker.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4692
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea2bcf2c-42de-481b-ba68-dab13f48d099.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1104
      - C:\f9532e701a889cdd91b8\RuntimeBroker.exe
        
        C:\f9532e701a889cdd91b8\RuntimeBroker.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e56d159-9ba5-4529-9ace-ef93dadf5bc9.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\f9532e701a889cdd91b8\RuntimeBroker.exe
        
        C:\f9532e701a889cdd91b8\RuntimeBroker.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80af5370-3e97-42f3-ab5a-dbaa729360b7.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5468
        
        C:\f9532e701a889cdd91b8\RuntimeBroker.exe
        
        C:\f9532e701a889cdd91b8\RuntimeBroker.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53c3f99b-c2f4-45d5-834b-0df2ee43f0aa.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\f9532e701a889cdd91b8\RuntimeBroker.exe
        
        C:\f9532e701a889cdd91b8\RuntimeBroker.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\433587aa-aee6-45bb-ad29-1430cfdc9e0a.vbs"
        13⤵
        
        PID:4700
        
        C:\f9532e701a889cdd91b8\RuntimeBroker.exe
        
        C:\f9532e701a889cdd91b8\RuntimeBroker.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c694ebd2-8d37-4c7a-9a48-439b145cd78a.vbs"
        15⤵
        
        PID:4648
        
        C:\f9532e701a889cdd91b8\RuntimeBroker.exe
        
        C:\f9532e701a889cdd91b8\RuntimeBroker.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36986f5d-8e90-431a-9429-a6619807d468.vbs"
        17⤵
        
        PID:4556
        
        C:\f9532e701a889cdd91b8\RuntimeBroker.exe
        
        C:\f9532e701a889cdd91b8\RuntimeBroker.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bef0f73b-26fe-46f1-9c8b-3f72259cc06e.vbs"
        19⤵
        
        PID:4008
        
        C:\f9532e701a889cdd91b8\RuntimeBroker.exe
        
        C:\f9532e701a889cdd91b8\RuntimeBroker.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98beb925-0032-47d2-b155-33386f613026.vbs"
        21⤵
        
        PID:2228
        
        C:\f9532e701a889cdd91b8\RuntimeBroker.exe
        
        C:\f9532e701a889cdd91b8\RuntimeBroker.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd78be60-0762-459c-8067-6abe9fc703bf.vbs"
        23⤵
        
        PID:5332
        
        C:\f9532e701a889cdd91b8\RuntimeBroker.exe
        
        C:\f9532e701a889cdd91b8\RuntimeBroker.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65df6e56-8b5f-4698-8d05-383f052bf21f.vbs"
        25⤵
        
        PID:2984
        
        C:\f9532e701a889cdd91b8\RuntimeBroker.exe
        
        C:\f9532e701a889cdd91b8\RuntimeBroker.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:6136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\032a9240-ac34-46cd-bc5d-ff1b887b9818.vbs"
        27⤵
        
        PID:3044
        
        C:\f9532e701a889cdd91b8\RuntimeBroker.exe
        
        C:\f9532e701a889cdd91b8\RuntimeBroker.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5091f144-858a-4a5e-be07-b36e1b9bce95.vbs"
        29⤵
        
        PID:1748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d535cbdb-4f73-439d-b492-093360f4ff15.vbs"
        29⤵
        
        PID:5224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bac4d3bf-b671-40ab-a702-24a763413a2c.vbs"
        27⤵
        
        PID:916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58667d0d-ce51-4231-958b-a865aa403400.vbs"
        25⤵
        
        PID:5364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\508c32be-fdcc-42dc-a83f-ed5df7f59ca2.vbs"
        23⤵
        
        PID:3712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd722bcb-0f00-44c0-92fe-913ebad29efe.vbs"
        21⤵
        
        PID:3268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97e3ff64-33fa-41bd-91ef-bd85edc9ef41.vbs"
        19⤵
        
        PID:1868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29c2508a-073f-42a4-abc1-0763f39707e3.vbs"
        17⤵
        
        PID:5384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d6ab9ee-574b-48b5-aa07-0b8d07635ed0.vbs"
        15⤵
        
        PID:6088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\720b21ba-8fe6-43f5-a0ca-d64e6120f138.vbs"
        13⤵
        
        PID:5096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc12ef0c-40e0-4104-a995-7709b7f39716.vbs"
        11⤵
        
        PID:3812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8d7eb8d-4ecb-4185-a13e-f60ba11cdc21.vbs"
        9⤵
        
        PID:4956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2bccace8-fe47-4383-8ac9-9e32f6c72b8d.vbs"
        7⤵
        
        PID:4764
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\188bfe50-45f6-491a-90bf-5893506ad102.vbs"
        5⤵
        
        PID:4296
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb798b49-b016-4c9d-9684-1b318289344b.vbs"
    3⤵
    PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Windows\debug\TextInputHost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\debug\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\fontdrvhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\aff403968f1bfcc42131676322798b50\sihost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\sihost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\aff403968f1bfcc42131676322798b50\sihost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\f9532e701a889cdd91b8\lsass.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\f9532e701a889cdd91b8\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\System.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\edge_BITS_4512_1294531004\RuntimeBroker.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4512_1294531004\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\edge_BITS_4512_1294531004\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\f9532e701a889cdd91b8\dllhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\f9532e701a889cdd91b8\dllhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\Tasks\smss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Tasks\smss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\Tasks\smss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\taskhostw.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\SoftwareDistribution\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\f9532e701a889cdd91b8\RuntimeBroker.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\f9532e701a889cdd91b8\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Reference Assemblies\Microsoft\fontdrvhost.exe

Filesize
1.6MB

MD5
9f0891eaa75025a4b7c55a09cd953a14

SHA1
6f20df61311e96cea70c11e2582b5983523c00f8

SHA256
5a3e2a16533c60a8e75786910ad64607e3c6fbdd7391841df661417b1a237add

SHA512
220ca988f8bca54bfef4c8ba68463db3c51ce5ab810016e8657e957505d662d5daff595056118aea687e3d12fdd6e4893a356583d454f90fec1119a29c71514b

Download Submit
C:\Program Files\edge_BITS_4512_1294531004\RuntimeBroker.exe

Filesize
1.6MB

MD5
6ba35f00a2b8a2bfa64772e461d8023e

SHA1
5b07a609dd767a361aea2ef4d62dbe64aa413d76

SHA256
e182fbb788753a7f5361139ce1dc339f5e91700f19233f031fa574516e548d1b

SHA512
40612b876ea1c44ca349b738dbbfd7dbc192b02797071836a5635efd61d29c9411dde10063222fa32202baa598bec51699f0ada7dc57fe6cbd66669f9032e2b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9191187d695b2965f2ceb651f0b37ee8

SHA1
b50a4038fb94c8aa7cff8d6941a4329b5b2ae8c7

SHA256
654a46452391ae3310ff9c6a4c820774e950276014fea044c41f007f6c335833

SHA512
90094f44f83470c88c4fcecb239f70e8e791b3b3da628c00676e3c4791766808b4e31c12beef2a7bc7d6a12d05bd8150888461ed1ef7e9eebc8697f6955d63bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1641de9a10da75d35edf03caa25212c1

SHA1
af73f64f8ce476c8e4eb56bb40426552d34c1ca8

SHA256
5fbacccb41dad88018fad178d824e1dc4cdc48e08032d374ac88d37c88ee60c2

SHA512
7123f9d69a0930a5143e442893cb2711bd9fd911f50e00f7b651ff8d448b78541ea0fa5f36452ad30e4c90ebfd1b1cc51e97422d6649089ec6b9f783ee6101e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3357c199be211a745818714039e25935

SHA1
7d50d07ff2e234f3d10a88363796cbd615b1e9a3

SHA256
668bb751b77a8c5c53c7efcb71e3ee9b2902388e0503e6d6ad3647587a0a0a38

SHA512
052751067bede3dba675313a1c0d88c0e76d62bbc903dbd9ba4cf2b8d03530716c021926bbe34242af9516a77e27df080d1cedde04d8cb51c88c1484ea8a1077

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
47d9df7fab0d0c96afdd2ca49f2b5030

SHA1
92583883bcf376062ddef5db2333f066d8d36612

SHA256
0f244dd39698dace2c650435886b1175ea01131e581d6c13888576c07fa40b02

SHA512
1844ce4f35849b70c246127482040986caa1bbae2d81119c77e9841f2a3280aabae0ad0db52fc29fe48023b4f4c073fe759b1f54e70e1562289d5e349c015200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
80dfd43d9904cb4bdd37f6934f47ccf8

SHA1
72c0981be679ef6a22cbabbdc3e02a7e80a3eafc

SHA256
a6e60a417d8c6649d78716bcfae64c452ca60367f2280f0b41d5febac503edad

SHA512
793f081a3c5f89a88e4472be0ee26f04f47cbba6a8c5af2710fb8d09a224fc7ded64ff68924325cce0b518f330458cdd0bfafbab9f805ddcc68393aa3f179247

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7ebbb17f3791dea62cf267d83cf036a4

SHA1
266c27acf64b85afd8380277f767cc54f91ab2b0

SHA256
2345628c466a33c557a0fba468c06436ce7121c56e6260492c5d6ce52d05ba19

SHA512
6e519f44c8d4e9fe752471f19ec9956e3cd6d73f741496d09bb0fb0c8f0048636b6a52204fa475436c0403d022500fd33452e0ad8f18b3ed2245b24b5bd7bb51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
566ef902c25833fe5f7f4484509fe364

SHA1
f8ba6651e7e4c64270e95aac690ad758fa3fc7f8

SHA256
28265aaf259c60ae208b025f4c6b317c0799154b5d40d650bf44ef09f4805514

SHA512
b2c696820b775c0705884f606b4ac464d75d8d5e415bee2fb1e68d07ca288c953936d9286f277082fc11fbae24748c6a872f0be540be37190f0383c7b16820a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e56d159-9ba5-4529-9ace-ef93dadf5bc9.vbs

Filesize
717B

MD5
d346c3a705d728e68f84112b5792ece0

SHA1
53ca4f7303368598cee78f792af359dbaa7947e9

SHA256
023256810eae0be2c6440feb9a8a62ed2d648d7a56e2397884cd68397c898e1f

SHA512
fb232677157e3766429aad3803c28810c79b4518138fa90236f09e759fcf60ed9b1514507074d98a30f2f8d54ea96f2f6be6c3fb73e2fdad368844ccd0f40162

Download Submit
C:\Users\Admin\AppData\Local\Temp\36986f5d-8e90-431a-9429-a6619807d468.vbs

Filesize
717B

MD5
89dd8847bfe19725f49262568335f753

SHA1
fa6e2b477ac53675b45e3689d5cba66136fed54a

SHA256
638818972644a5e91cec1dfb860d42060ac49d120467216ae7184ba52fc47a71

SHA512
37ce02cacf939e557aaa669e1c07f1bb358f1f3cae1e837c344e7bc78c1a8ac72d6e8d09bc8eecf3014e8a5adec06af99cd84bc0c6210ef04e90243320da1b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\433587aa-aee6-45bb-ad29-1430cfdc9e0a.vbs

Filesize
717B

MD5
1b1a6db2f0a02c741916661e90fcc277

SHA1
734766500b7dd1f5384ac921a56ab3a7dbeb73cc

SHA256
f50f1c0956d2981b52bce6b37c309fedcec734e8d9ba7c693cc8d0d8f83441c2

SHA512
c3bb06d2c911915ce3db5a9497a08e433cf74443052213767b8e23f72f2b1efd5f361af84027757375c1b94e72e1a5dc5e87e11b61c86818532ccf2996da0e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\53c3f99b-c2f4-45d5-834b-0df2ee43f0aa.vbs

Filesize
717B

MD5
ad5dbd5af5c94203f0ffd5e478cea2e6

SHA1
32d0a8bd1915bd587a31bfdf611d1a2aff10bb63

SHA256
37fc74689621b7bf46612115aef768395d058f8d516ded19aee8fff84cdfae84

SHA512
d1f0974b6a6a572d74e7fb9084e59349fca9b55df548d243f09fa03763c395c8bd90a1f42774ab83226d9de558c786af20c2a17f4c4689f73cf8fd6ff2d9832a

Download Submit
C:\Users\Admin\AppData\Local\Temp\65df6e56-8b5f-4698-8d05-383f052bf21f.vbs

Filesize
717B

MD5
0e0a4d5548c918e819772d197351d2cf

SHA1
385cfa6c040e145f7ebc07c79c5c8a9e5e66f037

SHA256
3e0109510fc4ef282e24fd22e26f07782ca9f65cf63ab10ac9b8bf7cd977b086

SHA512
0f375b5e232db153ed28dbd473dca7bad712eba8131b5da800c06a103a4bd528b3f96fde1ccdd40799d6635825b011cdab8deccbddb674852051ad1511a6e702

Download Submit
C:\Users\Admin\AppData\Local\Temp\80af5370-3e97-42f3-ab5a-dbaa729360b7.vbs

Filesize
717B

MD5
4f9bd8e7691748967c53fa4b09d55c85

SHA1
e4c8e5b0a90798184381dc551a10d0dd16b91fa2

SHA256
77d82b5220af6713b1421ef9e650a3bdf856515f9860a767094d6c414426a0d0

SHA512
c27ff9d4f6c6d36513096f20976de7b8cc034573c21d97aa08086695b713a6ce78f2b89cb3da7fd453545b55660f088d4228e200f9ffb46764a0ba7a3ef6c0cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\98beb925-0032-47d2-b155-33386f613026.vbs

Filesize
717B

MD5
bf80419a1c2d21b5dca21bafbdef2d4b

SHA1
ee4f26a71d33b3194f8b422416b7e86e6468d5a9

SHA256
68f9cf9183a88fbce7382540abfdf24947a197b829ed94085f3f2c0c8ad0bc8f

SHA512
df7bff36e452cc39adcda68b546048d3a75900ceea0b5fbc4bee9aac5546012f20ac74348565ec2f6c034aa602be9180e6e8ec8825d3faf4aa8638dfc537c4bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qosnf5nj.j03.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb798b49-b016-4c9d-9684-1b318289344b.vbs

Filesize
493B

MD5
cac99b07d7c7c91a799a5e22c6184051

SHA1
756abed185f12a59be91fd0b44fd166852e87933

SHA256
25ed4aa0b3881547265796cd29fcfd70c0fd6b4f95982cf0159a8b0eb707c5de

SHA512
1858cbe5fe5cd010023cb3a01cc472c262c9d4685381e3e82f43c7a9e606f586ae6dcf4b36dc3d3a4289c76978411ecc7deed92d61f5ac318d3c15cc22f009cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\bef0f73b-26fe-46f1-9c8b-3f72259cc06e.vbs

Filesize
717B

MD5
ddfa6d260b910f8a54d12287b0c9a308

SHA1
d38990728915fcdc48b6bdcd4c724f6fc92155f1

SHA256
0489f2da98c43134d3d6d4f0042c4ff7cc4b3a7014e56b8839bc98d133774e0f

SHA512
3fafa8aea3f67b9389c5686abc9ad8184c68a959e105cc2e52e185355f5cba62db7dce2eba3b89a1bf2a9d911b8ea4f7ac5920e780fecf51d71472937482461f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c694ebd2-8d37-4c7a-9a48-439b145cd78a.vbs

Filesize
717B

MD5
227c31c9e80b16635e16d6034d8a7ada

SHA1
bc30235aa1eb95daf15ae5f3624800b81443de96

SHA256
f32632d503890cd56d3f1f4d8b1add2ca86f5b4d60a7c514c8117bd97ba3e503

SHA512
6831e90509d5c57b8b2bb2432d0b71de916cf29194dd060a23f8f51a9805a72580d0205818278ba58b3be206fd2654b4590b590ed08760527c8525b98bd4782f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd6ef14e-444e-41fa-8cdb-2afd3974f32b.vbs

Filesize
717B

MD5
2f7e570abe2320df6b67ca44d010587c

SHA1
f30c32b31962bc391dc9d840abe0a73b1197f264

SHA256
7906b2499e1cbcde85aa023e3c273b5316452d1ff65b8b1e84d168cb570ec1a2

SHA512
d80aca403ee6e9520bbb7308d8a7a8ba8c7d19487df03178ee466491f74a8011bd4370c52096ae1f86aa99060a62016936ad5078cad6719685c038a58b3ce468

Download Submit
C:\Users\Admin\AppData\Local\Temp\ea2bcf2c-42de-481b-ba68-dab13f48d099.vbs

Filesize
717B

MD5
c8c3efea57ab8ab0be72e30a9039280f

SHA1
1b6b3d71bc5590b452b76061034355eefd258692

SHA256
17477695efe3fe5be63b93f269ef0b606e3b878d3bfd4b87d07a5bcabcea284f

SHA512
1c5195b2fb5bd12512d22f3b8e20d7e37a3b7801cd5a6ffaf520f53c7b8bcbec74e05c85f9dfb7894d809dffce72c861458d5ec524acd8e30cc5bb1ce79f1f6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd78be60-0762-459c-8067-6abe9fc703bf.vbs

Filesize
717B

MD5
9ced08ff22e42d2faab2f42288d429a9

SHA1
a6fc9681dd84b175bd8e5c7b161a0e94359cf5b4

SHA256
844094974633c19ca22822901e8ae140ce02052d46bf03ad5d3d8fbb61dc87a6

SHA512
853e607e54bd9b9f1758654459c0bb4c80372cf444cb101e21a2df213e9e40acceb37a9506316c3a142eb70930a63f6859aff04d43cbc5760417e0ec7a74f632

Download Submit
C:\aff403968f1bfcc42131676322798b50\sihost.exe

Filesize
1.6MB

MD5
e9a05151dfc1c4c2e84f16e25d05f6ee

SHA1
4bced15dc17ebf0e95cb34558e093446d394b235

SHA256
f34854f659c2a34199c5bd888e03750f7aacfdae48724f2f2c5a28aa4188d2a1

SHA512
6bd1a48e3d6a6a76b115bb6b6dddb95c5a39a890ca285f8d9470a6857d73c761225271ea513b1762641b373aa737b845261e0098e94ea8552ddd04226be804af

Download Submit
C:\f9532e701a889cdd91b8\dllhost.exe

Filesize
1.6MB

MD5
b2109dc6a840d3a88727c40a8bbd66e3

SHA1
1b2673f626dc4a4f486e14ea9a8764ec0702c1d6

SHA256
ff452cc9dd679bf3bd431ead23f8486cea86e2e45365d32e4eb3c28a7f941a96

SHA512
f48b9a12a679a55554fec699f1fb4f5637313983ad2b7fd70f6b25a9a19f9855a4f08b821a3b38e69f6f0c2c72e0e6a9a01923f12019f42b1b8b758ed549244e

Download Submit
C:\f9532e701a889cdd91b8\lsass.exe

Filesize
1.6MB

MD5
dc98db65c10a6539b0f530be578305f8

SHA1
068c4bcd0071e890544052253ef91d9be98a996b

SHA256
1696c3cb9ef5aebfd8875acf64668ebbe8fda28cc98fa00855a0d5fc03779486

SHA512
f5f0a68d394d0d25d1f9293a8e4d9db637398f34327512ae070b9dc44648f3bfa2f54de740a539da98b130a2c12b27c3cfd1a079f7fd5c658b0afe33cbf373c0

Download Submit
memory/5248-10-0x000000001B4E0000-0x000000001B4EC000-memory.dmp

Filesize
48KB

Download
memory/5248-0-0x00007FFFF8623000-0x00007FFFF8625000-memory.dmp

Filesize
8KB

Download
memory/5248-1-0x0000000000790000-0x0000000000932000-memory.dmp

Filesize
1.6MB

Download
memory/5248-227-0x00007FFFF8620000-0x00007FFFF90E1000-memory.dmp

Filesize
10.8MB

Download
memory/5248-203-0x00007FFFF8623000-0x00007FFFF8625000-memory.dmp

Filesize
8KB

Download
memory/5248-3-0x0000000002C50000-0x0000000002C6C000-memory.dmp

Filesize
112KB

Download
memory/5248-4-0x000000001B490000-0x000000001B4E0000-memory.dmp

Filesize
320KB

Download
memory/5248-5-0x0000000002C70000-0x0000000002C80000-memory.dmp

Filesize
64KB

Download
memory/5248-6-0x0000000002C80000-0x0000000002C96000-memory.dmp

Filesize
88KB

Download
memory/5248-7-0x0000000002CA0000-0x0000000002CA8000-memory.dmp

Filesize
32KB

Download
memory/5248-9-0x0000000002CB0000-0x0000000002CB8000-memory.dmp

Filesize
32KB

Download
memory/5248-433-0x00007FFFF8620000-0x00007FFFF90E1000-memory.dmp

Filesize
10.8MB

Download
memory/5248-11-0x000000001B4F0000-0x000000001B4FC000-memory.dmp

Filesize
48KB

Download
memory/5248-12-0x000000001B520000-0x000000001B52A000-memory.dmp

Filesize
40KB

Download
memory/5248-13-0x000000001B530000-0x000000001B53E000-memory.dmp

Filesize
56KB

Download
memory/5248-14-0x000000001BE00000-0x000000001BE08000-memory.dmp

Filesize
32KB

Download
memory/5248-15-0x000000001BE10000-0x000000001BE18000-memory.dmp

Filesize
32KB

Download
memory/5248-17-0x000000001BE20000-0x000000001BE2C000-memory.dmp

Filesize
48KB

Download
memory/5248-16-0x000000001BF20000-0x000000001BF2A000-memory.dmp

Filesize
40KB

Download
memory/5248-8-0x000000001B500000-0x000000001B510000-memory.dmp

Filesize
64KB

Download
memory/5248-2-0x00007FFFF8620000-0x00007FFFF90E1000-memory.dmp

Filesize
10.8MB

Download
memory/5360-306-0x0000022020E40000-0x0000022020E62000-memory.dmp

Filesize
136KB

Download