dcrat | f4111d30be32600233ad61440ff2f9a6484f3ba6c04fae4b522fc09ab0de3831

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49986bd925df8b3a09e58c4999927830.exe
Size

1.6MB
MD5

49986bd925df8b3a09e58c4999927830
SHA1

40750b7b784db39850b805c151dfe76c9a6fdf30
SHA256

8d08430b6955cd7396f0e929bc2e098bab79adf22ff486fac8e07c369ebd9837
SHA512

4fb7adb39f1cfba3151cf099b14582e79ad3100c8de878a169bc2028f2bad9082b79ed94f1a8d0d7a441a00799f48c9a22e04eea0b7258930cda4569955b269a
SSDEEP

24576:Msm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:MD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3700	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4284	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6016	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3312	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5692	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3344	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	100	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6076	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5664	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3264	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5704	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3928	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5892	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5216	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3460	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5144	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5432	4916	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	4916	schtasks.exe	88

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral32/memory/4200-1-0x00000000001A0000-0x0000000000342000-memory.dmp	dcrat
behavioral32/files/0x0004000000022bb7-26.dat	dcrat
behavioral32/files/0x000c000000024325-112.dat	dcrat
behavioral32/files/0x0008000000022bb7-134.dat	dcrat
behavioral32/files/0x000b000000024313-216.dat	dcrat
behavioral32/files/0x000a00000002432b-229.dat	dcrat
behavioral32/files/0x000900000002431b-238.dat	dcrat
behavioral32/memory/1496-454-0x0000000000010000-0x00000000001B2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
808	powershell.exe
3500	powershell.exe
4648	powershell.exe
5644	powershell.exe
4724	powershell.exe
4624	powershell.exe
5700	powershell.exe
4812	powershell.exe
4544	powershell.exe
5872	powershell.exe
4772	powershell.exe
2160	powershell.exe
6124	powershell.exe
5952	powershell.exe
4800	powershell.exe
1556	powershell.exe
4552	powershell.exe
4348	powershell.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	49986bd925df8b3a09e58c4999927830.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 13 IoCs

pid	Process
1496	RuntimeBroker.exe
2372	RuntimeBroker.exe
4964	RuntimeBroker.exe
1752	RuntimeBroker.exe
2320	RuntimeBroker.exe
3848	RuntimeBroker.exe
5564	RuntimeBroker.exe
996	RuntimeBroker.exe
1544	RuntimeBroker.exe
2800	RuntimeBroker.exe
4652	RuntimeBroker.exe
532	RuntimeBroker.exe
4252	RuntimeBroker.exe

Drops file in Program Files directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\MSBuild\Microsoft\RCXC39D.tmp	49986bd925df8b3a09e58c4999927830.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe	49986bd925df8b3a09e58c4999927830.exe
File created	C:\Program Files\Internet Explorer\en-US\eddb19405b7ce1	49986bd925df8b3a09e58c4999927830.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\fontdrvhost.exe	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe	49986bd925df8b3a09e58c4999927830.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\69ddcba757bf72	49986bd925df8b3a09e58c4999927830.exe
File created	C:\Program Files\ModifiableWindowsApps\Idle.exe	49986bd925df8b3a09e58c4999927830.exe
File created	C:\Program Files\MSBuild\Microsoft\27d1bcfc3c54e0	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\backgroundTaskHost.exe	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\RCXC41B.tmp	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\RCXC61F.tmp	49986bd925df8b3a09e58c4999927830.exe
File created	C:\Program Files\Microsoft Office 15\e1ef82546f0b02	49986bd925df8b3a09e58c4999927830.exe
File created	C:\Program Files\MSBuild\Microsoft\System.exe	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\RCXC69D.tmp	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\RCXA54F.tmp	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Program Files\Microsoft Office 15\RCXBF16.tmp	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Program Files\Microsoft Office 15\SppExtComObj.exe	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\RCXA53F.tmp	49986bd925df8b3a09e58c4999927830.exe
File created	C:\Program Files\Microsoft Office 15\SppExtComObj.exe	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\smss.exe	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\fontdrvhost.exe	49986bd925df8b3a09e58c4999927830.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\9e8d7a4ca61bd9	49986bd925df8b3a09e58c4999927830.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\5b884080fd4f94	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXAC78.tmp	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\RCXB879.tmp	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\RCXB87A.tmp	49986bd925df8b3a09e58c4999927830.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\smss.exe	49986bd925df8b3a09e58c4999927830.exe
File created	C:\Program Files\Internet Explorer\en-US\backgroundTaskHost.exe	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\System.exe	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXAC79.tmp	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Program Files\Microsoft Office 15\RCXBF94.tmp	49986bd925df8b3a09e58c4999927830.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\886983d96e3d3e	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Windows\DigitalLocker\RCXA0A7.tmp	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Windows\ServiceProfiles\csrss.exe	49986bd925df8b3a09e58c4999927830.exe
File created	C:\Windows\DigitalLocker\eddb19405b7ce1	49986bd925df8b3a09e58c4999927830.exe
File created	C:\Windows\PolicyDefinitions\it-IT\OfficeClickToRun.exe	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Windows\ServiceProfiles\RCXB5F7.tmp	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Windows\PolicyDefinitions\it-IT\RCXBD02.tmp	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Windows\PolicyDefinitions\it-IT\OfficeClickToRun.exe	49986bd925df8b3a09e58c4999927830.exe
File created	C:\Windows\DigitalLocker\backgroundTaskHost.exe	49986bd925df8b3a09e58c4999927830.exe
File created	C:\Windows\PolicyDefinitions\it-IT\e6c9b481da804f	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Windows\DigitalLocker\RCXA0E6.tmp	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Windows\PolicyDefinitions\it-IT\RCXBD01.tmp	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Windows\ServiceProfiles\RCXB5F6.tmp	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Windows\DigitalLocker\backgroundTaskHost.exe	49986bd925df8b3a09e58c4999927830.exe
File created	C:\Windows\ServiceProfiles\csrss.exe	49986bd925df8b3a09e58c4999927830.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	49986bd925df8b3a09e58c4999927830.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3264	schtasks.exe
5076	schtasks.exe
5032	schtasks.exe
4284	schtasks.exe
1156	schtasks.exe
5704	schtasks.exe
1608	schtasks.exe
1088	schtasks.exe
2552	schtasks.exe
1788	schtasks.exe
100	schtasks.exe
5216	schtasks.exe
5432	schtasks.exe
1456	schtasks.exe
1444	schtasks.exe
552	schtasks.exe
1632	schtasks.exe
6016	schtasks.exe
756	schtasks.exe
4628	schtasks.exe
1376	schtasks.exe
3188	schtasks.exe
2164	schtasks.exe
5692	schtasks.exe
3928	schtasks.exe
1972	schtasks.exe
4016	schtasks.exe
5892	schtasks.exe
3460	schtasks.exe
664	schtasks.exe
2600	schtasks.exe
5092	schtasks.exe
1984	schtasks.exe
6076	schtasks.exe
3952	schtasks.exe
2792	schtasks.exe
5144	schtasks.exe
532	schtasks.exe
3700	schtasks.exe
5084	schtasks.exe
1096	schtasks.exe
3344	schtasks.exe
5664	schtasks.exe
1936	schtasks.exe
2244	schtasks.exe
2348	schtasks.exe
4364	schtasks.exe
1820	schtasks.exe
3044	schtasks.exe
3312	schtasks.exe
1824	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4200	49986bd925df8b3a09e58c4999927830.exe
4200	49986bd925df8b3a09e58c4999927830.exe
4200	49986bd925df8b3a09e58c4999927830.exe
4200	49986bd925df8b3a09e58c4999927830.exe
4200	49986bd925df8b3a09e58c4999927830.exe
4200	49986bd925df8b3a09e58c4999927830.exe
4200	49986bd925df8b3a09e58c4999927830.exe
1556	powershell.exe
1556	powershell.exe
4724	powershell.exe
4724	powershell.exe
5952	powershell.exe
5952	powershell.exe
5872	powershell.exe
5872	powershell.exe
2160	powershell.exe
2160	powershell.exe
4624	powershell.exe
4624	powershell.exe
808	powershell.exe
808	powershell.exe
4552	powershell.exe
4552	powershell.exe
6124	powershell.exe
4648	powershell.exe
6124	powershell.exe
4648	powershell.exe
4772	powershell.exe
4772	powershell.exe
4812	powershell.exe
4812	powershell.exe
5644	powershell.exe
5644	powershell.exe
4544	powershell.exe
4544	powershell.exe
4800	powershell.exe
4800	powershell.exe
4348	powershell.exe
4348	powershell.exe
5700	powershell.exe
5700	powershell.exe
3500	powershell.exe
3500	powershell.exe
3500	powershell.exe
5952	powershell.exe
5952	powershell.exe
1556	powershell.exe
1556	powershell.exe
4724	powershell.exe
4724	powershell.exe
2160	powershell.exe
5872	powershell.exe
5872	powershell.exe
5700	powershell.exe
4800	powershell.exe
808	powershell.exe
808	powershell.exe
4552	powershell.exe
4648	powershell.exe
4624	powershell.exe
4624	powershell.exe
5644	powershell.exe
4348	powershell.exe
6124	powershell.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	4200	49986bd925df8b3a09e58c4999927830.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	4724	powershell.exe
Token: SeDebugPrivilege	5952	powershell.exe
Token: SeDebugPrivilege	5872	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	4624	powershell.exe
Token: SeDebugPrivilege	808	powershell.exe
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeDebugPrivilege	4772	powershell.exe
Token: SeDebugPrivilege	6124	powershell.exe
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeDebugPrivilege	4812	powershell.exe
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeDebugPrivilege	3500	powershell.exe
Token: SeDebugPrivilege	5644	powershell.exe
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeDebugPrivilege	5700	powershell.exe
Token: SeDebugPrivilege	4800	powershell.exe
Token: SeDebugPrivilege	1496	RuntimeBroker.exe
Token: SeDebugPrivilege	2372	RuntimeBroker.exe
Token: SeDebugPrivilege	4964	RuntimeBroker.exe
Token: SeDebugPrivilege	1752	RuntimeBroker.exe
Token: SeDebugPrivilege	2320	RuntimeBroker.exe
Token: SeDebugPrivilege	3848	RuntimeBroker.exe
Token: SeDebugPrivilege	5564	RuntimeBroker.exe
Token: SeDebugPrivilege	996	RuntimeBroker.exe
Token: SeDebugPrivilege	1544	RuntimeBroker.exe
Token: SeDebugPrivilege	2800	RuntimeBroker.exe
Token: SeDebugPrivilege	4652	RuntimeBroker.exe
Token: SeDebugPrivilege	532	RuntimeBroker.exe
Token: SeDebugPrivilege	4252	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4200 wrote to memory of 1556	4200	49986bd925df8b3a09e58c4999927830.exe	145
PID 4200 wrote to memory of 1556	4200	49986bd925df8b3a09e58c4999927830.exe	145
PID 4200 wrote to memory of 4544	4200	49986bd925df8b3a09e58c4999927830.exe	146
PID 4200 wrote to memory of 4544	4200	49986bd925df8b3a09e58c4999927830.exe	146
PID 4200 wrote to memory of 4552	4200	49986bd925df8b3a09e58c4999927830.exe	147
PID 4200 wrote to memory of 4552	4200	49986bd925df8b3a09e58c4999927830.exe	147
PID 4200 wrote to memory of 4648	4200	49986bd925df8b3a09e58c4999927830.exe	148
PID 4200 wrote to memory of 4648	4200	49986bd925df8b3a09e58c4999927830.exe	148
PID 4200 wrote to memory of 5644	4200	49986bd925df8b3a09e58c4999927830.exe	149
PID 4200 wrote to memory of 5644	4200	49986bd925df8b3a09e58c4999927830.exe	149
PID 4200 wrote to memory of 2160	4200	49986bd925df8b3a09e58c4999927830.exe	150
PID 4200 wrote to memory of 2160	4200	49986bd925df8b3a09e58c4999927830.exe	150
PID 4200 wrote to memory of 6124	4200	49986bd925df8b3a09e58c4999927830.exe	151
PID 4200 wrote to memory of 6124	4200	49986bd925df8b3a09e58c4999927830.exe	151
PID 4200 wrote to memory of 5872	4200	49986bd925df8b3a09e58c4999927830.exe	152
PID 4200 wrote to memory of 5872	4200	49986bd925df8b3a09e58c4999927830.exe	152
PID 4200 wrote to memory of 4348	4200	49986bd925df8b3a09e58c4999927830.exe	153
PID 4200 wrote to memory of 4348	4200	49986bd925df8b3a09e58c4999927830.exe	153
PID 4200 wrote to memory of 4724	4200	49986bd925df8b3a09e58c4999927830.exe	154
PID 4200 wrote to memory of 4724	4200	49986bd925df8b3a09e58c4999927830.exe	154
PID 4200 wrote to memory of 4624	4200	49986bd925df8b3a09e58c4999927830.exe	155
PID 4200 wrote to memory of 4624	4200	49986bd925df8b3a09e58c4999927830.exe	155
PID 4200 wrote to memory of 5700	4200	49986bd925df8b3a09e58c4999927830.exe	156
PID 4200 wrote to memory of 5700	4200	49986bd925df8b3a09e58c4999927830.exe	156
PID 4200 wrote to memory of 5952	4200	49986bd925df8b3a09e58c4999927830.exe	157
PID 4200 wrote to memory of 5952	4200	49986bd925df8b3a09e58c4999927830.exe	157
PID 4200 wrote to memory of 3500	4200	49986bd925df8b3a09e58c4999927830.exe	158
PID 4200 wrote to memory of 3500	4200	49986bd925df8b3a09e58c4999927830.exe	158
PID 4200 wrote to memory of 4812	4200	49986bd925df8b3a09e58c4999927830.exe	159
PID 4200 wrote to memory of 4812	4200	49986bd925df8b3a09e58c4999927830.exe	159
PID 4200 wrote to memory of 808	4200	49986bd925df8b3a09e58c4999927830.exe	160
PID 4200 wrote to memory of 808	4200	49986bd925df8b3a09e58c4999927830.exe	160
PID 4200 wrote to memory of 4800	4200	49986bd925df8b3a09e58c4999927830.exe	161
PID 4200 wrote to memory of 4800	4200	49986bd925df8b3a09e58c4999927830.exe	161
PID 4200 wrote to memory of 4772	4200	49986bd925df8b3a09e58c4999927830.exe	162
PID 4200 wrote to memory of 4772	4200	49986bd925df8b3a09e58c4999927830.exe	162
PID 4200 wrote to memory of 4020	4200	49986bd925df8b3a09e58c4999927830.exe	181
PID 4200 wrote to memory of 4020	4200	49986bd925df8b3a09e58c4999927830.exe	181
PID 4020 wrote to memory of 1484	4020	cmd.exe	183
PID 4020 wrote to memory of 1484	4020	cmd.exe	183
PID 4020 wrote to memory of 1496	4020	cmd.exe	185
PID 4020 wrote to memory of 1496	4020	cmd.exe	185
PID 1496 wrote to memory of 2600	1496	RuntimeBroker.exe	186
PID 1496 wrote to memory of 2600	1496	RuntimeBroker.exe	186
PID 1496 wrote to memory of 112	1496	RuntimeBroker.exe	187
PID 1496 wrote to memory of 112	1496	RuntimeBroker.exe	187
PID 2600 wrote to memory of 2372	2600	WScript.exe	194
PID 2600 wrote to memory of 2372	2600	WScript.exe	194
PID 2372 wrote to memory of 5404	2372	RuntimeBroker.exe	197
PID 2372 wrote to memory of 5404	2372	RuntimeBroker.exe	197
PID 2372 wrote to memory of 1692	2372	RuntimeBroker.exe	198
PID 2372 wrote to memory of 1692	2372	RuntimeBroker.exe	198
PID 5404 wrote to memory of 4964	5404	WScript.exe	199
PID 5404 wrote to memory of 4964	5404	WScript.exe	199
PID 4964 wrote to memory of 4528	4964	RuntimeBroker.exe	200
PID 4964 wrote to memory of 4528	4964	RuntimeBroker.exe	200
PID 4964 wrote to memory of 4272	4964	RuntimeBroker.exe	201
PID 4964 wrote to memory of 4272	4964	RuntimeBroker.exe	201
PID 4528 wrote to memory of 1752	4528	WScript.exe	202
PID 4528 wrote to memory of 1752	4528	WScript.exe	202
PID 1752 wrote to memory of 5036	1752	RuntimeBroker.exe	203
PID 1752 wrote to memory of 5036	1752	RuntimeBroker.exe	203
PID 1752 wrote to memory of 5076	1752	RuntimeBroker.exe	204
PID 1752 wrote to memory of 5076	1752	RuntimeBroker.exe	204

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\49986bd925df8b3a09e58c4999927830.exe
"C:\Users\Admin\AppData\Local\Temp\49986bd925df8b3a09e58c4999927830.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\49986bd925df8b3a09e58c4999927830.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4d7dcf6448637544ea7e961be1ad\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\de-DE\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\My Pictures\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\en-US\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\it-IT\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\4d7dcf6448637544ea7e961be1ad\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4772
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Gfg6Yq8j47.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1484
- - C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe
    "C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96bdfe26-7510-4270-9c1b-ac619f0c94c6.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe
        
        C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2372
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bfb0898e-cd97-45ae-8106-9940601d240f.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5404
        
        C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe
        
        C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\10e0f645-f683-43c6-8b81-d1087c2342b7.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe
        
        C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7c1a959-2f96-4f8f-82a5-9e75b8c22725.vbs"
        10⤵
        
        PID:5036
        
        C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe
        
        C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\852f211a-6973-44ad-9aca-92dc36451c3b.vbs"
        12⤵
        
        PID:3668
        
        C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe
        
        C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca59b035-f07f-462e-93eb-e705500a8161.vbs"
        14⤵
        
        PID:3500
        
        C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe
        
        C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\84e6114c-ed00-40fa-abd2-5b74dd2bd30e.vbs"
        16⤵
        
        PID:4048
        
        C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe
        
        C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6fe76f51-2aa3-4d65-a8fd-a90d9302ba0c.vbs"
        18⤵
        
        PID:3904
        
        C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe
        
        C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97168a8e-5d7f-4872-9e2f-7569b0194163.vbs"
        20⤵
        
        PID:648
        
        C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe
        
        C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4d16495-e1cb-4d1d-a882-f06298c95b9e.vbs"
        22⤵
        
        PID:3996
        
        C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe
        
        C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9859b0f0-643b-4bbc-a8f1-c6cb87a22342.vbs"
        24⤵
        
        PID:4340
        
        C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe
        
        C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0cd4f26-e571-4308-9216-5ba9ddd532ed.vbs"
        26⤵
        
        PID:2508
        
        C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe
        
        C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4dc618d-89ba-44df-98a3-a456ff7516fc.vbs"
        28⤵
        
        PID:4832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\190145a5-a4e2-4757-8a4e-58ce436658a9.vbs"
        28⤵
        
        PID:516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ad97a025-2a8d-4af4-bec2-5ae5e5bc1722.vbs"
        26⤵
        
        PID:1556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ebd1759-e64b-4774-a8c3-6552ce3f659a.vbs"
        24⤵
        
        PID:4076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16d2f3f5-19cb-4800-ac21-5b39e85afc9e.vbs"
        22⤵
        
        PID:5280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98f4b6a1-67f0-4b8c-a690-66a547991053.vbs"
        20⤵
        
        PID:4664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b5963e8-b49d-4bc2-b7c6-5e594e92fdf3.vbs"
        18⤵
        
        PID:3792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2955acda-6489-42af-806f-aed48c59a9a1.vbs"
        16⤵
        
        PID:3584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f402eed-7d93-46cd-9961-507cc5f9a6df.vbs"
        14⤵
        
        PID:5056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5113d978-0f04-4a9d-85a4-7a9834b75b28.vbs"
        12⤵
        
        PID:5896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94b074e4-0a03-4569-8e04-7123f8d6f81a.vbs"
        10⤵
        
        PID:5076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e86aa2c-c9f9-4c8a-85ce-21dd591dc1f1.vbs"
        8⤵
        
        PID:4272
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc08b205-085b-45d1-ba9b-164ddc0f048a.vbs"
        6⤵
        
        PID:1692
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff380dcd-587e-4a54-8c66-d5da37116719.vbs"
      4⤵
      PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Windows\DigitalLocker\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Windows\DigitalLocker\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\4d7dcf6448637544ea7e961be1ad\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\4d7dcf6448637544ea7e961be1ad\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Documents\My Pictures\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Pictures\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Documents\My Pictures\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\ServiceProfiles\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\ServiceProfiles\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\en-US\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Windows\PolicyDefinitions\it-IT\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\it-IT\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Windows\PolicyDefinitions\it-IT\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\4d7dcf6448637544ea7e961be1ad\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\4d7dcf6448637544ea7e961be1ad\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe

Filesize
1.6MB

MD5
49986bd925df8b3a09e58c4999927830

SHA1
40750b7b784db39850b805c151dfe76c9a6fdf30

SHA256
8d08430b6955cd7396f0e929bc2e098bab79adf22ff486fac8e07c369ebd9837

SHA512
4fb7adb39f1cfba3151cf099b14582e79ad3100c8de878a169bc2028f2bad9082b79ed94f1a8d0d7a441a00799f48c9a22e04eea0b7258930cda4569955b269a

Download Submit
C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe

Filesize
1.6MB

MD5
d8726ed2ed0091f3a15e9ca17865fed5

SHA1
f41bb068cbcb6557b2d73c5d6af788086cba191b

SHA256
18913c67bc332f0cf52f29dbb95fcb72a6c775f7390abfc1a0fb473ca0ff7840

SHA512
102731bfc953d7d9e7c847bab4dc963c18db51b794c153de5bb266841dc4facf2f9f16556df18d295b5570ae88a3cc684b7c6a38a19fa2cda3d1303f01235234

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\fontdrvhost.exe

Filesize
1.6MB

MD5
3484278fa58f0b48fb50f96257f777f4

SHA1
19aa175ab51280a0caa30843f9d5257c412f6e44

SHA256
cc92cb99b9fb88f6de0b6d9d8b2f9a7f569322745a09b0de85ff7085b687a166

SHA512
417f397490b8a80c0406a2416d4e8b1881f89796be2d69b0b7acffbcb938b1c38c94c9e75f440c1ef3dce32e6a0940392278bf50bea857ba9e476ae27f1587ce

Download Submit
C:\Program Files\MSBuild\Microsoft\System.exe

Filesize
1.6MB

MD5
2c7dd6eb74afe8c88c1e85ac2456b0e0

SHA1
70a45bc1b2e22c6849a53805d9a2205e908c423f

SHA256
7d5a04e9a15f5ac508c5ef18df65da9921fa8cdbb555e944d9331a0d746516d1

SHA512
7205e4486a7b515e3c6945fe79a264a645c84add061633342b646d10da5146f00fbb1d19e313cfb6003056debe2980b1503824a04b738b54a4d933a685a244e1

Download Submit
C:\Program Files\Microsoft Office 15\SppExtComObj.exe

Filesize
1.6MB

MD5
3eeef9c7e901ccf2f8602aac544d4c2d

SHA1
26031b3b64f20c9add8d192fe9a67f0ddd71259a

SHA256
21c21467d62effc5823966bdf86e078f7a904147fde0c77061d65a5b24eeb388

SHA512
4178480e8c084ae3c1d9e23e21dabd06efe2b0a0b28e0416e6097407f97fdd0559cb2eabf4e4f217cfa0cf1522e6849f799daa7144617997909517d6fe144cee

Download Submit
C:\Recovery\WindowsRE\SppExtComObj.exe

Filesize
1.6MB

MD5
62d22b1685438abf3cdeda11d6e0ea8b

SHA1
c8170f65dfa0e103da00b5c082aacc03874827f7

SHA256
fbe3c70e3d932743d27fecea8afd6a4af6641dd41844676dde44dd91b08a65fc

SHA512
d9bbfd132b49ba156292cc5173aecff9e8ab948f9bc79008474b41444fe00eea2cbab3e89434b26e896a73c7d5668c416b90ac274efa0000d2e3d6753d112a8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c667bc406c30dedf08683212c4a204b5

SHA1
4d713119a8483f32461a45e8291a2b8dc1fc4e7d

SHA256
0789d8328acb13062de330425e072019c1d81bea70923d5ef5428f9604d969cf

SHA512
1f6b49f11baf3b4289677d8b27537e016896fc878d14af3d8c132d6800a591a632b31203edd570f3f8b90e7c0047a4f4ecd938c10520832d2df55ba35a53bd48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7cfa57226f15f18e8c29720a8a6efc8b

SHA1
fef3b41b9715cd37a0bb9ab323fc9aa62158d55b

SHA256
53d11cfbf4bbedac6a4963cbe63d8f500f1cfd159e1b9c24149c855d3be188eb

SHA512
d6ea186fa684b2ca04eb5d9292a5d60b4d22f03205eb0bbe51c8715e1312e2179bc6da60c7763cb7663cd967fc761b9bd8d9949b009e2e6cba51883a167d1820

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaf0080989fabad865a080216418fbf2

SHA1
935075309ff07f95b5c2ff643661fef989526e15

SHA256
86e6ca8dc0b47aadbc45bbb2a31b758ec729e69998ababdb1a4350924621de9c

SHA512
21721722c94447b4f0d20f03856ea1171c774eb59a8fd239809480ead6c5b7c5a3e43d1e79dfd1bd1dbdadb65269595e9376b3053c1bd6a54bac91e04536e676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4552709998d20ebebb7d79b1e2caba85

SHA1
a136173b2c02a5c678afbfb05d859dcf7fce5e73

SHA256
e96edbb0c4584421178d50c77bb16d7fe8b3839c357c170268dc13c00e8bb435

SHA512
53f623fa2780ceead709084e842a38f01ae921223e2bff2a97e45ad4a792c73e7370e97da4d323a5b857bf446e3295b6422ffa2dbaf68d34a65ebf6751d7d83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e13dda798b6a932ecefdffc584ae0857

SHA1
de7a4f2fabf430793223f4fd0db46fdb83ae0c31

SHA256
d58337a6307c85e093f39a0d2297b97839e10820963cbf00d2bdeb927e9da8de

SHA512
61c0faa1d89a6b3a9a3b9801ca4536278d11ebe86ced6fa432e209efc9600b10d7e826d952988d91850401a6e91179c772c936a0599daf7944d6ab79ca210967

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5224a8af64b17b8a36247f8bda22bc94

SHA1
841edc986867d9813534b217790e76b017c48617

SHA256
464cb1185c4ac036587a0583565205a60a9d67c6130ac6bf3e666d197a79aa55

SHA512
041d2827788aa8b7f3320b013380d74cc12a444adcf587ef8dfcbb52353548abf1746f34e33f0bfb6117ed488e85d9f8e0bfffbf79011546199ee371e192fdde

Download Submit
C:\Users\Admin\AppData\Local\Temp\10e0f645-f683-43c6-8b81-d1087c2342b7.vbs

Filesize
725B

MD5
53bcd7faaf497e53a0710c2bdd121794

SHA1
e00dd69f7c7740fae54324ee6b57cb90a4e781ca

SHA256
c3e8f55140777bdf29b4f46c582399a82a071206692e6929a4dfa212180cd2a1

SHA512
df6dbf91c3764c3a2e6e0b34f20daf922232cd5a2f6fcec1ef28cea1b19edc8c3704f04bbab05b351565a8a17f9fa920b4dcf037da9c681a230a9b5b1b6f523c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6fe76f51-2aa3-4d65-a8fd-a90d9302ba0c.vbs

Filesize
724B

MD5
1cc3e7d97815cc59b9229200defc2f68

SHA1
cc9bf7b57e825cd0abfbb460e3c5ac67e4fc18d5

SHA256
bc534ddd058958430dd057f4748d5fb3cc169d1aa2b3efd928ffa0bbe0f3b43d

SHA512
5664c075708c0ea17a177e1129c70de25a07be02d7705e79e4b50da1627f347ceef78de5c4b2033dcadfccd7e96d786a86a084b52d3e5004311b1c26880f6a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\84e6114c-ed00-40fa-abd2-5b74dd2bd30e.vbs

Filesize
725B

MD5
7166d15486cd0a77c60d7d6fa099ec77

SHA1
7b873e3d9d6d178085069d78db00fc95951291e3

SHA256
b5006de4c1bb6c0aec8b9098b1b587ea005c6fb261aec816954286e459558a33

SHA512
638e7bddf66adf99be6278ba55e58dcfb0e3a160692d0497041e07a178502a526d2b52929c407fc5476bd6cfd9c03e8472a8962d8af7b12520098da20b759107

Download Submit
C:\Users\Admin\AppData\Local\Temp\852f211a-6973-44ad-9aca-92dc36451c3b.vbs

Filesize
725B

MD5
ff1f9281ea9c6bba645380e5c5d3c2b1

SHA1
08c8d51d9658596195ec2ec548a6df7a0004b77d

SHA256
b34e5a479d5514a4ef83c65152d3996894fea302c7ce85b4e80758862e329f60

SHA512
a3054a43b9397d0f0e5a121d1c68cd1e53bf51e29a58c81449fdaf772cb1c2df17e7b45ddafe632f8ceaa947ef4230a2be881448d737f28db8f11ce56c9611b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\96bdfe26-7510-4270-9c1b-ac619f0c94c6.vbs

Filesize
725B

MD5
9247f1ec4fcc409e59e68285b273fb1e

SHA1
8c589d0cd3a363d4b4a8dac4751219b2a78d2597

SHA256
7270c41f08420b112bd3f02a34003bb14decc3cc6c1fe651570964dcad3da99c

SHA512
08eafdf559a7668858bab745a92dc2e1d3e1e3e532bdd20564f091308a6fdb739d428b3f2cd6b31deb1e3620785450faecd41502802314d3d0995e8c8ad86260

Download Submit
C:\Users\Admin\AppData\Local\Temp\97168a8e-5d7f-4872-9e2f-7569b0194163.vbs

Filesize
725B

MD5
b409a50f8bcc1e06efd06fcf97a8bb92

SHA1
a83a20fcaa4173880ed48a3ced7b435f100fd512

SHA256
89a0f1390de314366be37ce107f2cfd7668e8abeff56e521baa175e6142bf4d9

SHA512
daea613193f3f99445c991cadf5fd89bbf23c9da72884e054c33c56ef0b3efa8c95fc767a1a1f8a0cc55994bbbecf87ced2a53bee714ce1c8c58d7f87f8d2101

Download Submit
C:\Users\Admin\AppData\Local\Temp\9859b0f0-643b-4bbc-a8f1-c6cb87a22342.vbs

Filesize
725B

MD5
915213b6a0eaa24e5d3117440178b39b

SHA1
d9e49414905d72691d3ad319429b36e40603e2f7

SHA256
af10a737d1593ebbf199e948eeb3abc05aa0f1f59a18120725878e5b10530288

SHA512
9978d47ece86c10db83cbbeb596b778f9f028872a94c4ba38a4bc1793c72298dd6418f61a45a7f3ce80d636a912fe31658b421600a7c294d6728a2d4007be4c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gfg6Yq8j47.bat

Filesize
214B

MD5
f515a8a3c2fc70fbb9451e373e405b24

SHA1
7bd0909f6113dfea6303abd71d0ef408c76ccb0c

SHA256
57d5284c70c1aec4477bc8f5741d489d45c7db609bdedafbe9ab0015efd1b426

SHA512
e411e31ff55154c1cece32e1940a6a9aff61e01c7d40d6f676c539f83d2e5fe3505ecccc9aa25bb19adccec76136b8b9eb0263333d9672234d4eda4438db17d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qd1lblxs.f0y.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7c1a959-2f96-4f8f-82a5-9e75b8c22725.vbs

Filesize
725B

MD5
f3b9e18706b1b11274c83411eb16876a

SHA1
06f86b49736a5605ecc2c4ad41928f5ac590f2eb

SHA256
28b5e0ec283cb38e4dd155ba619a5536e7e03b6723683d473a2bed08868a1646

SHA512
56ed23b0d250093a940d5de7f67570fe6328f483a4e3f1e8096f6f13b978f1341d13c4372715697206a83a23002c22ee9af2b156c87a87a63e01a8277b78f6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfb0898e-cd97-45ae-8106-9940601d240f.vbs

Filesize
725B

MD5
c97c45cde4c6cc1e8db6fff8329dfd19

SHA1
db73486bb140f3de989076193d3634e47f0403f5

SHA256
817e4a0fa7ec68be34c8c5205b5aecc7d11d7b81aa1f021f3fa8837fb98ff394

SHA512
953264687c96319c2545df51177154f02d879ea70a849241c90d6d5d876aae417204890ff5311279d5deade7806898a4ed8d831f47a3e1ce1976c2b0f2869fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca59b035-f07f-462e-93eb-e705500a8161.vbs

Filesize
725B

MD5
ddc3662d2cae6336bc1ff72199fb7c8e

SHA1
b8488c7eee78d9b986cf31fe213276d02228425c

SHA256
3f9670d3c21342918090e05ae1029e5d89c3b4cef0c4f5126c642161dc4784e9

SHA512
fb2b137e7bd5eac26c66e1e9d42bbd32be40f78726552b7a2bce6c897b519b4106746e0b424f7eb59b376d562145018e0bc1aad45327a0723b76f4e33617c351

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc08b205-085b-45d1-ba9b-164ddc0f048a.vbs

Filesize
501B

MD5
2563bdf6ac31985bed10a6af91324b0b

SHA1
4c13e7edc70f0e45885d9d289762f9a6e89e3d4e

SHA256
3a941117952682a23373981219a7f8f3a491c30561732e2d29d2c3dd2b7f879a

SHA512
fb02fc13ee909f4ccf8489aee3ad055c2fe2b85f52b301930c07c8ec675c2c10c781e055a9d0ce6622ff697dce01746e713b78a15f70543b20a57570ef470f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4d16495-e1cb-4d1d-a882-f06298c95b9e.vbs

Filesize
725B

MD5
d94ce1421bef74f042070afc88f51b76

SHA1
faab3fa6cba4d579142a17dd3db96d384ac24304

SHA256
80da514c6744621f9686a70cc50099428d02dd6aae2d576446871f105d27a588

SHA512
e461ad57ff73c7f3db41ab5e8525f85b83816042f8182b063bc845ed1cb0fed789113cb90043e670c72e459e276baa1e692c3f647c628eaff1186a746ae22590

Download Submit
memory/1496-454-0x0000000000010000-0x00000000001B2000-memory.dmp

Filesize
1.6MB

Download
memory/4200-9-0x00000000024B0000-0x00000000024B8000-memory.dmp

Filesize
32KB

Download
memory/4200-7-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/4200-6-0x0000000002470000-0x0000000002486000-memory.dmp

Filesize
88KB

Download
memory/4200-5-0x0000000000B50000-0x0000000000B60000-memory.dmp

Filesize
64KB

Download
memory/4200-4-0x000000001AEF0000-0x000000001AF40000-memory.dmp

Filesize
320KB

Download
memory/4200-3-0x0000000002450000-0x000000000246C000-memory.dmp

Filesize
112KB

Download
memory/4200-2-0x00007FF969710000-0x00007FF96A1D1000-memory.dmp

Filesize
10.8MB

Download
memory/4200-0-0x00007FF969713000-0x00007FF969715000-memory.dmp

Filesize
8KB

Download
memory/4200-14-0x000000001AFB0000-0x000000001AFB8000-memory.dmp

Filesize
32KB

Download
memory/4200-267-0x00007FF969710000-0x00007FF96A1D1000-memory.dmp

Filesize
10.8MB

Download
memory/4200-1-0x00000000001A0000-0x0000000000342000-memory.dmp

Filesize
1.6MB

Download
memory/4200-8-0x00000000024A0000-0x00000000024B0000-memory.dmp

Filesize
64KB

Download
memory/4200-10-0x00000000024C0000-0x00000000024CC000-memory.dmp

Filesize
48KB

Download
memory/4200-16-0x000000001AFD0000-0x000000001AFDA000-memory.dmp

Filesize
40KB

Download
memory/4200-195-0x00007FF969710000-0x00007FF96A1D1000-memory.dmp

Filesize
10.8MB

Download
memory/4200-182-0x00007FF969713000-0x00007FF969715000-memory.dmp

Filesize
8KB

Download
memory/4200-11-0x00000000024D0000-0x00000000024DC000-memory.dmp

Filesize
48KB

Download
memory/4200-12-0x00000000024E0000-0x00000000024EA000-memory.dmp

Filesize
40KB

Download
memory/4200-15-0x000000001AFC0000-0x000000001AFC8000-memory.dmp

Filesize
32KB

Download
memory/4200-17-0x000000001B0F0000-0x000000001B0FC000-memory.dmp

Filesize
48KB

Download
memory/4200-13-0x0000000002500000-0x000000000250E000-memory.dmp

Filesize
56KB

Download
memory/5952-266-0x00000235CB450000-0x00000235CB472000-memory.dmp

Filesize
136KB

Download