dcrat | 01ffe9d6f323a1dafd7dbe75338596cb03cdbe970cdc964543ae03006c1ece85

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
Size

1.6MB
MD5

517861702fe0a89aa5e3af35d9f96661
SHA1

50101d8bff153320694baf54bc7b68e585720d4d
SHA256

1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4
SHA512

da7ee6a8120f6a874c3f018580c05d37412a3cf7ec4346ffcee861bd9a415937c89734864b7d9fc84f09c6262a66f7a945377cf589831a765a2b3d90a48ea488
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3336	3384	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	3384	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	3384	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	3384	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	3384	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	3384	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	3384	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	3384	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	3384	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	3384	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	3384	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	3384	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	3384	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	3384	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	3384	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	384	3384	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	736	3384	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	3384	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	3384	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	3384	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	3384	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	3384	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	3384	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4144	3384	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3284	3384	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	3384	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	3384	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	3384	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	3384	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	3384	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	3384	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	3384	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	3384	schtasks.exe	88

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral12/memory/3908-1-0x0000000000260000-0x0000000000402000-memory.dmp	dcrat
behavioral12/files/0x0007000000024142-26.dat	dcrat
behavioral12/files/0x000b000000024155-65.dat	dcrat
behavioral12/files/0x000a000000024137-88.dat	dcrat
behavioral12/files/0x000900000002413e-99.dat	dcrat
behavioral12/files/0x0009000000024142-110.dat	dcrat
behavioral12/files/0x000900000002414b-144.dat	dcrat
behavioral12/memory/4780-307-0x00000000002A0000-0x0000000000442000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4968	powershell.exe
4896	powershell.exe
3904	powershell.exe
772	powershell.exe
2788	powershell.exe
912	powershell.exe
1824	powershell.exe
2412	powershell.exe
4704	powershell.exe
3832	powershell.exe
1728	powershell.exe
264	powershell.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe

Executes dropped EXE 12 IoCs

pid	Process
4780	dwm.exe
1340	dwm.exe
4036	dwm.exe
4268	dwm.exe
3876	dwm.exe
1432	dwm.exe
3128	dwm.exe
3108	dwm.exe
4880	dwm.exe
4212	dwm.exe
1136	dwm.exe
2968	dwm.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\RCXBC8D.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\spoolsv.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\f3b6ecef712a24	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files (x86)\Internet Explorer\dwm.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\SppExtComObj.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\RCXBD1B.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\RCXC493.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files (x86)\Internet Explorer\6cb0b6c459d5d3	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\sihost.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\66fc9ff0ee96c2	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files\ModifiableWindowsApps\services.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\spoolsv.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCXC183.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\dwm.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\RCXC415.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\e1ef82546f0b02	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCXC211.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\sihost.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\RCXCB3F.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\RCXCBAE.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\SppExtComObj.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	dwm.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4144	schtasks.exe
4524	schtasks.exe
4880	schtasks.exe
2592	schtasks.exe
1096	schtasks.exe
1396	schtasks.exe
3692	schtasks.exe
2816	schtasks.exe
1404	schtasks.exe
4784	schtasks.exe
3284	schtasks.exe
2044	schtasks.exe
4816	schtasks.exe
736	schtasks.exe
4576	schtasks.exe
1124	schtasks.exe
3336	schtasks.exe
1336	schtasks.exe
2944	schtasks.exe
2104	schtasks.exe
1592	schtasks.exe
2644	schtasks.exe
4792	schtasks.exe
2056	schtasks.exe
5032	schtasks.exe
2904	schtasks.exe
4780	schtasks.exe
1848	schtasks.exe
1240	schtasks.exe
384	schtasks.exe
1796	schtasks.exe
5084	schtasks.exe
4508	schtasks.exe

Suspicious behavior: EnumeratesProcesses 61 IoCs

pid	Process
3908	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
3908	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
3908	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
3908	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
3908	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
3832	powershell.exe
3832	powershell.exe
264	powershell.exe
264	powershell.exe
1824	powershell.exe
1824	powershell.exe
2412	powershell.exe
2412	powershell.exe
4896	powershell.exe
4896	powershell.exe
1728	powershell.exe
1728	powershell.exe
2788	powershell.exe
2788	powershell.exe
4704	powershell.exe
4704	powershell.exe
4968	powershell.exe
4968	powershell.exe
3904	powershell.exe
3904	powershell.exe
912	powershell.exe
912	powershell.exe
772	powershell.exe
772	powershell.exe
2412	powershell.exe
772	powershell.exe
1824	powershell.exe
3832	powershell.exe
264	powershell.exe
2788	powershell.exe
3904	powershell.exe
4896	powershell.exe
4968	powershell.exe
1728	powershell.exe
4704	powershell.exe
912	powershell.exe
4780	dwm.exe
1340	dwm.exe
4036	dwm.exe
4268	dwm.exe
4268	dwm.exe
3876	dwm.exe
3876	dwm.exe
1432	dwm.exe
1432	dwm.exe
3128	dwm.exe
3128	dwm.exe
3108	dwm.exe
3108	dwm.exe
4880	dwm.exe
4880	dwm.exe
4212	dwm.exe
4212	dwm.exe
1136	dwm.exe
1136	dwm.exe
2968	dwm.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	3908	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeDebugPrivilege	264	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	4896	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	4704	powershell.exe
Token: SeDebugPrivilege	3904	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	4968	powershell.exe
Token: SeDebugPrivilege	4780	dwm.exe
Token: SeDebugPrivilege	1340	dwm.exe
Token: SeDebugPrivilege	4036	dwm.exe
Token: SeDebugPrivilege	4268	dwm.exe
Token: SeDebugPrivilege	3876	dwm.exe
Token: SeDebugPrivilege	1432	dwm.exe
Token: SeDebugPrivilege	3128	dwm.exe
Token: SeDebugPrivilege	3108	dwm.exe
Token: SeDebugPrivilege	4880	dwm.exe
Token: SeDebugPrivilege	4212	dwm.exe
Token: SeDebugPrivilege	1136	dwm.exe
Token: SeDebugPrivilege	2968	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 2412	3908	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	122
PID 3908 wrote to memory of 2412	3908	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	122
PID 3908 wrote to memory of 4968	3908	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	123
PID 3908 wrote to memory of 4968	3908	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	123
PID 3908 wrote to memory of 4896	3908	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	124
PID 3908 wrote to memory of 4896	3908	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	124
PID 3908 wrote to memory of 4704	3908	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	125
PID 3908 wrote to memory of 4704	3908	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	125
PID 3908 wrote to memory of 3832	3908	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	126
PID 3908 wrote to memory of 3832	3908	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	126
PID 3908 wrote to memory of 3904	3908	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	127
PID 3908 wrote to memory of 3904	3908	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	127
PID 3908 wrote to memory of 772	3908	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	128
PID 3908 wrote to memory of 772	3908	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	128
PID 3908 wrote to memory of 1824	3908	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	129
PID 3908 wrote to memory of 1824	3908	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	129
PID 3908 wrote to memory of 264	3908	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	130
PID 3908 wrote to memory of 264	3908	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	130
PID 3908 wrote to memory of 912	3908	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	131
PID 3908 wrote to memory of 912	3908	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	131
PID 3908 wrote to memory of 1728	3908	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	132
PID 3908 wrote to memory of 1728	3908	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	132
PID 3908 wrote to memory of 2788	3908	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	133
PID 3908 wrote to memory of 2788	3908	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	133
PID 3908 wrote to memory of 868	3908	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	146
PID 3908 wrote to memory of 868	3908	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	146
PID 868 wrote to memory of 4984	868	cmd.exe	148
PID 868 wrote to memory of 4984	868	cmd.exe	148
PID 868 wrote to memory of 4780	868	cmd.exe	151
PID 868 wrote to memory of 4780	868	cmd.exe	151
PID 4780 wrote to memory of 4852	4780	dwm.exe	153
PID 4780 wrote to memory of 4852	4780	dwm.exe	153
PID 4780 wrote to memory of 4820	4780	dwm.exe	154
PID 4780 wrote to memory of 4820	4780	dwm.exe	154
PID 4852 wrote to memory of 1340	4852	WScript.exe	158
PID 4852 wrote to memory of 1340	4852	WScript.exe	158
PID 1340 wrote to memory of 4916	1340	dwm.exe	160
PID 1340 wrote to memory of 4916	1340	dwm.exe	160
PID 1340 wrote to memory of 2088	1340	dwm.exe	161
PID 1340 wrote to memory of 2088	1340	dwm.exe	161
PID 4916 wrote to memory of 4036	4916	WScript.exe	163
PID 4916 wrote to memory of 4036	4916	WScript.exe	163
PID 4036 wrote to memory of 2240	4036	dwm.exe	164
PID 4036 wrote to memory of 2240	4036	dwm.exe	164
PID 4036 wrote to memory of 5096	4036	dwm.exe	165
PID 4036 wrote to memory of 5096	4036	dwm.exe	165
PID 2240 wrote to memory of 4268	2240	WScript.exe	171
PID 2240 wrote to memory of 4268	2240	WScript.exe	171
PID 4268 wrote to memory of 5040	4268	dwm.exe	172
PID 4268 wrote to memory of 5040	4268	dwm.exe	172
PID 4268 wrote to memory of 2632	4268	dwm.exe	173
PID 4268 wrote to memory of 2632	4268	dwm.exe	173
PID 5040 wrote to memory of 3876	5040	WScript.exe	174
PID 5040 wrote to memory of 3876	5040	WScript.exe	174
PID 3876 wrote to memory of 3376	3876	dwm.exe	175
PID 3876 wrote to memory of 3376	3876	dwm.exe	175
PID 3876 wrote to memory of 984	3876	dwm.exe	176
PID 3876 wrote to memory of 984	3876	dwm.exe	176
PID 3376 wrote to memory of 1432	3376	WScript.exe	177
PID 3376 wrote to memory of 1432	3376	WScript.exe	177
PID 1432 wrote to memory of 4036	1432	dwm.exe	178
PID 1432 wrote to memory of 4036	1432	dwm.exe	178
PID 1432 wrote to memory of 4864	1432	dwm.exe	179
PID 1432 wrote to memory of 4864	1432	dwm.exe	179

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
"C:\Users\Admin\AppData\Local\Temp\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d9c22b4eaa3c0b9c12c7\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\fr-FR\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d9c22b4eaa3c0b9c12c7\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d9c22b4eaa3c0b9c12c7\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\fr-FR\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\dfe2e59cddd00040f555dab607351a1d\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\d9c22b4eaa3c0b9c12c7\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MxgLx7H1D3.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4984
- - C:\Program Files (x86)\Internet Explorer\dwm.exe
    "C:\Program Files (x86)\Internet Explorer\dwm.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4780
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb06d8fa-7d0a-46ee-bb0e-ad5a5083bfa3.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4852
    - - C:\Program Files (x86)\Internet Explorer\dwm.exe
        
        "C:\Program Files (x86)\Internet Explorer\dwm.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1340
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75b2763d-4336-46a7-b72e-83bad83fc0b2.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Program Files (x86)\Internet Explorer\dwm.exe
        
        "C:\Program Files (x86)\Internet Explorer\dwm.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b65995f3-f02d-41fe-9856-a2e1b72eed32.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Program Files (x86)\Internet Explorer\dwm.exe
        
        "C:\Program Files (x86)\Internet Explorer\dwm.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0744a9d-8dfc-4a6c-9db5-b6da2a3f9fb6.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Program Files (x86)\Internet Explorer\dwm.exe
        
        "C:\Program Files (x86)\Internet Explorer\dwm.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b34f27fa-7bb2-44b7-8f09-2d831954eeb1.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Program Files (x86)\Internet Explorer\dwm.exe
        
        "C:\Program Files (x86)\Internet Explorer\dwm.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b872625-a2d8-4d1f-a8ab-723791e7f1ac.vbs"
        14⤵
        
        PID:4036
        
        C:\Program Files (x86)\Internet Explorer\dwm.exe
        
        "C:\Program Files (x86)\Internet Explorer\dwm.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\423585c1-5fbb-4ea3-a07e-ba746159702f.vbs"
        16⤵
        
        PID:1956
        
        C:\Program Files (x86)\Internet Explorer\dwm.exe
        
        "C:\Program Files (x86)\Internet Explorer\dwm.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c4aa8e2-d238-441c-85c6-e164a84746db.vbs"
        18⤵
        
        PID:2084
        
        C:\Program Files (x86)\Internet Explorer\dwm.exe
        
        "C:\Program Files (x86)\Internet Explorer\dwm.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ca261e3-8040-48cd-82c0-52f7e790b465.vbs"
        20⤵
        
        PID:2424
        
        C:\Program Files (x86)\Internet Explorer\dwm.exe
        
        "C:\Program Files (x86)\Internet Explorer\dwm.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6ffb3ae-3bd6-4eba-8f6e-2baa0f4c20f7.vbs"
        22⤵
        
        PID:2572
        
        C:\Program Files (x86)\Internet Explorer\dwm.exe
        
        "C:\Program Files (x86)\Internet Explorer\dwm.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9bee442-ebea-4301-aa0a-fe342640a6f8.vbs"
        24⤵
        
        PID:4988
        
        C:\Program Files (x86)\Internet Explorer\dwm.exe
        
        "C:\Program Files (x86)\Internet Explorer\dwm.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61d1a13f-1ed0-4c92-bad7-47960721e8ca.vbs"
        26⤵
        
        PID:1284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d547d8b-fb71-4aaa-a07c-bb2b160b8921.vbs"
        26⤵
        
        PID:4700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9448801a-6754-44a1-95f5-8c00cf6360a2.vbs"
        24⤵
        
        PID:1416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12719d0c-645e-48c6-ada4-574b88e6ca6f.vbs"
        22⤵
        
        PID:4896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a4509781-1dd7-4989-928c-789d68b86b3a.vbs"
        20⤵
        
        PID:3188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f4e5f93-e5a8-4c95-b456-d376d7147191.vbs"
        18⤵
        
        PID:5104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7ef7a28-806d-4afd-af73-71321970103e.vbs"
        16⤵
        
        PID:3084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07f1449e-f49d-47f1-bf6e-0e227de676ca.vbs"
        14⤵
        
        PID:4864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78f771ad-763b-44a4-8a0e-bcae1a029c1d.vbs"
        12⤵
        
        PID:984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\473c4a48-fd55-4939-b018-13977c5c2d07.vbs"
        10⤵
        
        PID:2632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2f39e341-9007-45dd-9192-128b68ca4353.vbs"
        8⤵
        
        PID:5096
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\def2c17c-0ba7-418f-9bb3-d873c7e1ca73.vbs"
        6⤵
        
        PID:2088
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ba47797-a405-4010-84c0-9aa0529e6652.vbs"
      4⤵
      PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\d9c22b4eaa3c0b9c12c7\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\d9c22b4eaa3c0b9c12c7\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\d9c22b4eaa3c0b9c12c7\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\d9c22b4eaa3c0b9c12c7\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\d9c22b4eaa3c0b9c12c7\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 12 /tr "'C:\d9c22b4eaa3c0b9c12c7\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\dfe2e59cddd00040f555dab607351a1d\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\dfe2e59cddd00040f555dab607351a1d\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\d9c22b4eaa3c0b9c12c7\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\d9c22b4eaa3c0b9c12c7\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\d9c22b4eaa3c0b9c12c7\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\dwm.exe

Filesize
1.6MB

MD5
374403e0212eb2f68d10b5cc299824c7

SHA1
a19a6d099ddc818d270c7ebe042d2e70efbca7a3

SHA256
1968fe4650f2baf117719410fd7bcdd19f5be3eb4ed4fc40bd117450e2c4a8de

SHA512
8d04cd0231c44a476deb9c104bff9d02e8c5e3751c4b524abf5a8e32747b11dd9035f7e181063675659eaa63386aa11eb8b1d31b28426bedcfce425f2bd1fb20

Download Submit
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\spoolsv.exe

Filesize
1.6MB

MD5
9772c0785b280f4794815b81bcfe9285

SHA1
b3673670db2ac09eb75b0f695534472550e43fcc

SHA256
15ce192b643ba729b0741f24d55a961c7cf3b9c96ea7da7393444c14790c7e80

SHA512
f9d6927595c40c74675a27a8f2ac869160638e9989c624d45b98aae6e28766364603ec80d0332d4472a831b6bbec3ffe123e9ec35a5fe7e372920f4c1c7cbbeb

Download Submit
C:\Program Files (x86)\Windows Defender\fr-FR\sihost.exe

Filesize
1.6MB

MD5
517861702fe0a89aa5e3af35d9f96661

SHA1
50101d8bff153320694baf54bc7b68e585720d4d

SHA256
1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4

SHA512
da7ee6a8120f6a874c3f018580c05d37412a3cf7ec4346ffcee861bd9a415937c89734864b7d9fc84f09c6262a66f7a945377cf589831a765a2b3d90a48ea488

Download Submit
C:\Program Files (x86)\Windows Defender\fr-FR\sihost.exe

Filesize
1.6MB

MD5
f95755f81a53ecf26ecb4ea00523db63

SHA1
7ccc9813dfaad1f1ea537ab27eb7e344fa37e558

SHA256
780cea6fcfdb8fec67f93ff3f5f751505b2374d364007184c3bdc98807a0bed4

SHA512
ed240282cecc0ce6e4a9555b43f317603390b355b99f615057c81ec034c677f312412e7766ae41d9630e8d12f212f89eb94fdc04068314177b4cb1837f580a72

Download Submit
C:\Recovery\WindowsRE\spoolsv.exe

Filesize
1.6MB

MD5
d9eb8a91f2e234296cfc906d43839208

SHA1
09c5058e3369ae37fefc18a7975e16e3167d0476

SHA256
e217497c6e6fd6427447c107617b640d62e139bf8d1997200b3d771b5d100f72

SHA512
7da683f4417fc5bb2f99294dc45c8e986a958da4e9be44f33025fc9435c653c20b9fdc32029bfd2a764c0f1ac276adb3513958c7b3cab8d14e0e5d697c6d3fbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba8a00bf6995531451ca4ff43fecb0b9

SHA1
b590fcea37aded3a4b083ec2d39252fe10b97a61

SHA256
0211a4649daa040751a5aa8f42a3a677da906daf541fed80c2aa19c5f77e9a60

SHA512
e0cfd06cca6fca6d1b742ecc354c2dd9c0e72ab456525086c2af388cb533ff5baae6ff83fa4347dfbc28edc1a2c1b97ef986c2923af9634fd6d967e913fbfc4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a16aff60eb3c3e35753a259b050c8a27

SHA1
85196d5dfb23d0c8b32b186325e2d58315a11287

SHA256
a057f85fa5358fac25f1337c1fbabeffb1ca1908b352208038293ec575dfc206

SHA512
13e6514cddaafba8f4fe3b08f6d6e118823ad454aac4efcb71a82438de50f97cd9570f44d594db27e4c534912a12ed066ea098b95505a6994f854f8349f2f5b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2cb0c163f92e343cbfa657ce4d842fb6

SHA1
0299696d7430f09f9e3d32aa5b95f01363b405f5

SHA256
c604c709aa50f7f59c87b4420713c8563bc5b80d9bce8f812d26e0a7c25d13f7

SHA512
780353a0fa086a96d6b186a4f38160b0521e972ccfa18803db64ecd2ef6d3c1c69ea4dba0b557f1cf7c1ff6ab8720e447e827c92549b6aea5a0ecacd0494b8d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
47dc8ed1f00b2cf40d90efa529ee35cc

SHA1
851d6a181ebb44256367c73042ed4f774bce9bdd

SHA256
2a1fa5eb6fa8a3b821776f5db5d69d414ca120a4612e613ec6ad34d216b2223e

SHA512
3dc49732881a4c8d2edfd4619ea4d206cca74fabba7d00f2021a7e07dba47c436a10f2d591ca43930c674ffe6b5f528a9e10e543dd87edf97d3f2f078c23c928

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0f29d4b03e157fa020f2b793683543af

SHA1
1b0603266b02dd38444489e0d5e18ee93b6b766a

SHA256
eec5516679b34fb0efe983a81cc19b0b5cf33fd3191d5d8fd5c3fb082a55d410

SHA512
b0cca3aa1373f813a7a16a1ca94b7e048d83f8875b28949d7ece9668c5cb847250d1468080a85e478833a8876b668a8a6e0ef4df4a289ca66badac3af00dc5c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
94f35f261590c8add6967ae13ee05fab

SHA1
e0e5828e2c4b7d1937fde13dbfcc63f59c1899c7

SHA256
db908d6ae1a8ae3e77e93332eaa24f8316aa9e65285996439d35a133024e1a63

SHA512
3e3438bc5e8dfe738d8cf374d444f9f8600cadac6071708426b7852d3a84f0363f79ae6895f11206b5c7fbb8c850725318196c4171112634cfef3d2d70d1e8fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c4aa8e2-d238-441c-85c6-e164a84746db.vbs

Filesize
724B

MD5
6d2149f63df33778357b584cf4516235

SHA1
0ed9f47d972978be1d1c469c41c5bd9650af2698

SHA256
172dad8862c8647a1e1ef4d67f6ee501f4b56d1cabe8ff71d066742c7361a200

SHA512
7fa4b05fa5e9ee44621c1bbaf157a3eb7898f95d43e5a778e7341e07c15d9fc325f856d2260a5fc90bb433123afe515f45f7e6b66d1f5d63b5206451b26183a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ca261e3-8040-48cd-82c0-52f7e790b465.vbs

Filesize
724B

MD5
f7100d6b595fc504ab4f6053d6261e1e

SHA1
1998e9cadf5062881a6c31100bd8ddf445db6217

SHA256
8462d1be27659c7d64ac3ce4cc7eed2df1baa4b7cfee6ccea910975f56342ad7

SHA512
5f751e0dcd91f34c2cb7cbdc8f8cee7a651858e3b8b6131dbd2aecaa01b87be5a4bd1bf2960244a2126cdf547129f41c7034b151135a7f87f0ae24ccf8ad2bd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\423585c1-5fbb-4ea3-a07e-ba746159702f.vbs

Filesize
724B

MD5
659576bc7b255322b1f387129b34e57d

SHA1
182ca7fb5f5175fcfbd914836775940f53fe6db4

SHA256
c4c24b27406baec4a78f9f6ec0698923167d8586445eecbab85a8d6a8f6a26ce

SHA512
fd8b8c3c4f391a804827ce588b4bf3eaf916ee08d65657a43256aa4073f7317e6a4b119f29d4a0edbf9cfa35e5e1ee3b2694aef282f6e937610beaea878bd4fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\61d1a13f-1ed0-4c92-bad7-47960721e8ca.vbs

Filesize
724B

MD5
6266a474591a9c57c63b93ed86deea13

SHA1
61ebb4a6a3e3f767435f43bb1261f9932757e2d7

SHA256
804dbbaa206a6022bb9797cc4fa6eb7109db552e8bd8801324e3dabedfdcdecb

SHA512
c4806c5050d62717165687a561bab7219023bccd6742e37ecb7dc6c0900d14a40c874f84b2a0618ba7976623c3758e263770fd36ca59cd111f90d3efced2089e

Download Submit
C:\Users\Admin\AppData\Local\Temp\75b2763d-4336-46a7-b72e-83bad83fc0b2.vbs

Filesize
724B

MD5
2fe837d262e33f2721ac534481cc12b6

SHA1
5974607dc02f27f4bb01f10938b744a7a0528881

SHA256
0c031d72d3b59c774c26edc912dc93c66d2b7afb0ad68cd5e83e51b3081b66e6

SHA512
0b40439e007854b6635a88cd6a406b1856c5a43f7563869fdbf208f672fb29cb2796ec38d7812d191cc3fbb1fff02dfdf2f5c4d52dfb1b6127fbc934c79ddb1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b872625-a2d8-4d1f-a8ab-723791e7f1ac.vbs

Filesize
724B

MD5
b5cacbe3f0fdbc8939e121232443b28d

SHA1
73987e923e60e15ba67d1ad3cf8c03ae18c32911

SHA256
11fb9482052417c8c74f34d7a4739e2c884a958826a6289f9697d9daf43d7790

SHA512
82b31ff1b1deb0a7c0adc35fadfd8e210c2116033f5a4a4e9a873de323eb45616775b0b4738d82d864d6e1b9ffb41383d8a9a5d721813423b3956faffb5b5722

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ba47797-a405-4010-84c0-9aa0529e6652.vbs

Filesize
500B

MD5
08ad540b49b1743053eb1a204014b20b

SHA1
81ca579f941d8a6e16584dce1392ebe08ce51cfa

SHA256
6737e84f6ddaadc84a7b6c96972586ea9576636cd0ddc5bab976599efaf00f33

SHA512
ba0d8a22d60120c2eefa488fe01fc3eb463a2600883d4163cfa1076caaaf284ce1fd734c5b5a235abcf63c7bd432ccf3e68c2f6a84021b6012e6eaecaaa0c8a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MxgLx7H1D3.bat

Filesize
213B

MD5
34eb15d07cbeaca7f3acda5d3b490cf5

SHA1
1353fa5b7b17e222438260aeb951e6d5b50eb9b3

SHA256
8e1337d615501abd96ef179a55ac9682bca7927f60f43b369ddaaef71807fd8f

SHA512
ad5634a1f8c1102ec59ef46ddfe0a4ef40346a036dcd29afb09501364ad637184cdb8367297b45651d8ae5c90fdbd740b3e9806d1955bed3ac8a6b989ad76183

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mrmpd3lr.nz0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9bee442-ebea-4301-aa0a-fe342640a6f8.vbs

Filesize
724B

MD5
ad48a42f20f6d52320f7803b52bae070

SHA1
98d15bcfcc18d6b4f70d83b7cdc58490496affab

SHA256
2dc803ea06302701531165d7360a9e060655c767dc2347e3b3a80ed1cfce95cb

SHA512
130bdd1a150b46584b85fd38306fc76ec3b36a7b9ffd9b741f4864ff0f66c5a5d2fe2367b252f9295bb48b1e97961dcd1cbe5b1254e17087c34ebb3bf213b88c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b34f27fa-7bb2-44b7-8f09-2d831954eeb1.vbs

Filesize
724B

MD5
ec54a9c8de6482f44c4257ffe3d7364b

SHA1
a3de32e9887458ca2a784eaa1fef71a69e0d8c05

SHA256
ea13bcc342137721367af543e87eb5332de1d86d2580a2bede2fe4f1cd1a025e

SHA512
327897e1397e53658c331cdd27a90616cbc0eb67c70b7f30d5233fab738a8df34b658d2660e56814f8828f163254be443cb8123c89f279c8ddddf3c1e8d26003

Download Submit
C:\Users\Admin\AppData\Local\Temp\b65995f3-f02d-41fe-9856-a2e1b72eed32.vbs

Filesize
724B

MD5
8b03394bc8e330a6050d17df99bdceda

SHA1
d3a45b8bd6ff6813dcd2b3508a5af54aaedde9c9

SHA256
9578d1e20b6754ab23a4e90150bc9007ccab3a6a2d2db5d8a2d02948bfe783d7

SHA512
fbedf163685b2331b4fcd4612167df7aca06b591ecc092f06f5cf93e413596e513172623a5bad7de17064e24dd8c231d234f5ad833ceaa1a445c63954383c9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb06d8fa-7d0a-46ee-bb0e-ad5a5083bfa3.vbs

Filesize
724B

MD5
c6512ffe486fa256752ce2c6cfa2b94f

SHA1
03e47462e47c199c5f237457c67750fdc8482b20

SHA256
723e250819ba4e36a7579406fe7208c9a80fdd39b194b866abef82178fbae383

SHA512
c6a9274ca4871a9f6e114ff2a8f09e4b07eb4ee9f53d620fd4e70e9b4a78e5801e3d533f4301710cd6070829565b87919205863a998e0edd1c72bd42cfed7795

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0744a9d-8dfc-4a6c-9db5-b6da2a3f9fb6.vbs

Filesize
724B

MD5
6474a8038f4f076538d64a8084dcb6c5

SHA1
3e047734732a4e3b24e4c660763a2d7d50a723d0

SHA256
b132538996e52139c25c09d5f9dd177da6eb8b0297ea7c47d4e35179414fe701

SHA512
c558dc7d6e6aca4a175c65d6b395bd7d9a11189e15752a27d273a3dd9c5720b5ea8300d758dce1ab01351bd3d4e27b3f0b8061666762df296ba9ffcfc0c3df32

Download Submit
C:\Users\Admin\AppData\Local\Temp\d6ffb3ae-3bd6-4eba-8f6e-2baa0f4c20f7.vbs

Filesize
724B

MD5
58097281ae3996f5eb7039b956fe2a27

SHA1
1de1470fba564d61635526d30dffc66679ea8ef9

SHA256
ac41656d11d8e00ecdaf54332d1690af018a365342209e977e465ccb433eafe0

SHA512
75647b3d9c21111fd7e7fb32a819b09aaccf26841a16304682312ecf085e8ef8664c1b801e72e557355cbeacb5905539945de986ec67afc39b41d9777ad2b9f9

Download Submit
C:\d9c22b4eaa3c0b9c12c7\RuntimeBroker.exe

Filesize
1.6MB

MD5
ffe01c3ab70b5088fd1d0a6e9bdd24ba

SHA1
a9b0ef708abd34229367fd489edd0745c135fab4

SHA256
c5ebf3aeb91ca5c14b4c30543d40c34099d52c76cdfa57d71e47ccc97b6de449

SHA512
6b22ef4853b8c99014e8bbc02438292d356b7db4b6df6e407985dd9ff2671e114012d1d40d7f1ba65a74dc40aac9150124c4457cb2cea9dc3d9ce515a02923a5

Download Submit
memory/984-382-0x000002DADCFA0000-0x000002DADCFDB000-memory.dmp

Filesize
236KB

Download
memory/1824-185-0x0000028A31510000-0x0000028A31532000-memory.dmp

Filesize
136KB

Download
memory/2088-333-0x000001D41D8E0000-0x000001D41D91B000-memory.dmp

Filesize
236KB

Download
memory/2240-347-0x0000026607DC0000-0x0000026607DFB000-memory.dmp

Filesize
236KB

Download
memory/2572-470-0x000002048D6B0000-0x000002048D6EB000-memory.dmp

Filesize
236KB

Download
memory/2632-364-0x0000022EFFCC0000-0x0000022EFFCFB000-memory.dmp

Filesize
236KB

Download
memory/3084-427-0x0000021E440B0000-0x0000021E440EB000-memory.dmp

Filesize
236KB

Download
memory/3188-461-0x000002710FB30000-0x000002710FB6B000-memory.dmp

Filesize
236KB

Download
memory/3376-381-0x000001E31BB50000-0x000001E31BB8B000-memory.dmp

Filesize
236KB

Download
memory/3908-8-0x000000001AF50000-0x000000001AF60000-memory.dmp

Filesize
64KB

Download
memory/3908-161-0x00007FFBEDE73000-0x00007FFBEDE75000-memory.dmp

Filesize
8KB

Download
memory/3908-1-0x0000000000260000-0x0000000000402000-memory.dmp

Filesize
1.6MB

Download
memory/3908-16-0x000000001B8F0000-0x000000001B8FA000-memory.dmp

Filesize
40KB

Download
memory/3908-2-0x00007FFBEDE70000-0x00007FFBEE931000-memory.dmp

Filesize
10.8MB

Download
memory/3908-15-0x000000001B090000-0x000000001B098000-memory.dmp

Filesize
32KB

Download
memory/3908-13-0x000000001B070000-0x000000001B07E000-memory.dmp

Filesize
56KB

Download
memory/3908-3-0x0000000002610000-0x000000000262C000-memory.dmp

Filesize
112KB

Download
memory/3908-12-0x000000001B060000-0x000000001B06A000-memory.dmp

Filesize
40KB

Download
memory/3908-5-0x000000001AF10000-0x000000001AF20000-memory.dmp

Filesize
64KB

Download
memory/3908-4-0x000000001AF60000-0x000000001AFB0000-memory.dmp

Filesize
320KB

Download
memory/3908-0-0x00007FFBEDE73000-0x00007FFBEDE75000-memory.dmp

Filesize
8KB

Download
memory/3908-11-0x000000001B050000-0x000000001B05C000-memory.dmp

Filesize
48KB

Download
memory/3908-17-0x000000001B900000-0x000000001B90C000-memory.dmp

Filesize
48KB

Download
memory/3908-9-0x000000001AFB0000-0x000000001AFB8000-memory.dmp

Filesize
32KB

Download
memory/3908-10-0x000000001AFD0000-0x000000001AFDC000-memory.dmp

Filesize
48KB

Download
memory/3908-6-0x000000001AF20000-0x000000001AF36000-memory.dmp

Filesize
88KB

Download
memory/3908-7-0x000000001AF40000-0x000000001AF48000-memory.dmp

Filesize
32KB

Download
memory/3908-219-0x00007FFBEDE70000-0x00007FFBEE931000-memory.dmp

Filesize
10.8MB

Download
memory/3908-14-0x000000001B080000-0x000000001B088000-memory.dmp

Filesize
32KB

Download
memory/4780-307-0x00000000002A0000-0x0000000000442000-memory.dmp

Filesize
1.6MB

Download
memory/4820-320-0x000001DFE29C0000-0x000001DFE29FB000-memory.dmp

Filesize
236KB

Download
memory/4864-411-0x00000107B4690000-0x00000107B46CB000-memory.dmp

Filesize
236KB

Download
memory/4896-471-0x000002315A7D0000-0x000002315A80B000-memory.dmp

Filesize
236KB

Download
memory/4916-332-0x0000024B65240000-0x0000024B6527B000-memory.dmp

Filesize
236KB

Download
memory/5040-363-0x000001CBD6A00000-0x000001CBD6A3B000-memory.dmp

Filesize
236KB

Download
memory/5096-348-0x0000022229AE0000-0x0000022229B1B000-memory.dmp

Filesize
236KB

Download
memory/5104-443-0x00000221DE080000-0x00000221DE0BB000-memory.dmp

Filesize
236KB

Download