dcrat | ce63ae9069832ff3b0f2eb76b384c40cd8b70987280d4cc07559493a2b5c04ff

Analysis

max time kernel
98s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e248cce2fb9b5f155ca62d21c6e9da7.exe
Size

1.6MB
MD5

4e248cce2fb9b5f155ca62d21c6e9da7
SHA1

c5eab96ba2a3310bcb3cef05918a38efe5cfad86
SHA256

74c882cb1bc2e8f293c67a7c9a2bcc0c37e0aafa6fd173b1990b5ba667befe86
SHA512

958763f40b1371177b4cffa09701a600948f3126e6ac4d041a08e11f903f51f3beccd7a9ad9cd9b20cbc443310af573ac2fbb396c21f8d61fb05324553c0bb23
SSDEEP

24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	4564	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	4564	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5808	4564	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	4564	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	4564	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	4564	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3740	4564	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	4564	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	4564	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3984	4564	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3704	4564	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	4564	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3636	4564	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	4564	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3668	4564	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4100	4564	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3612	4564	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	4564	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6140	4564	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3224	4564	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	4564	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5200	4564	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	4564	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	4564	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	4564	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5548	4564	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	4564	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3920	4564	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5304	4564	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	4564	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3908	4564	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	4564	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5160	4564	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4696	4564	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	4564	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	4564	schtasks.exe	86

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral32/memory/432-1-0x0000000000BE0000-0x0000000000D82000-memory.dmp	dcrat
behavioral32/files/0x000700000002422d-55.dat	dcrat
behavioral32/files/0x000700000002420e-26.dat	dcrat
behavioral32/files/0x000c00000001e69f-114.dat	dcrat
behavioral32/files/0x000b00000001e6be-149.dat	dcrat
behavioral32/files/0x001f0000000234ea-160.dat	dcrat
behavioral32/memory/4280-368-0x0000000000660000-0x0000000000802000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1972	powershell.exe
3280	powershell.exe
5856	powershell.exe
5216	powershell.exe
5920	powershell.exe
1608	powershell.exe
224	powershell.exe
2632	powershell.exe
4040	powershell.exe
1820	powershell.exe
2264	powershell.exe
2104	powershell.exe
4092	powershell.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	4e248cce2fb9b5f155ca62d21c6e9da7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 10 IoCs

pid	Process
4280	RuntimeBroker.exe
2416	RuntimeBroker.exe
2440	RuntimeBroker.exe
1904	RuntimeBroker.exe
1872	RuntimeBroker.exe
4580	RuntimeBroker.exe
5868	RuntimeBroker.exe
4116	RuntimeBroker.exe
1292	RuntimeBroker.exe
2496	RuntimeBroker.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\sihost.exe	4e248cce2fb9b5f155ca62d21c6e9da7.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\9e8d7a4ca61bd9	4e248cce2fb9b5f155ca62d21c6e9da7.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX4CA1.tmp	4e248cce2fb9b5f155ca62d21c6e9da7.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\RCX5C4F.tmp	4e248cce2fb9b5f155ca62d21c6e9da7.exe
File created	C:\Program Files\Windows Photo Viewer\uk-UA\upfc.exe	4e248cce2fb9b5f155ca62d21c6e9da7.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\RuntimeBroker.exe	4e248cce2fb9b5f155ca62d21c6e9da7.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\uk-UA\RCX533F.tmp	4e248cce2fb9b5f155ca62d21c6e9da7.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\RCX5C50.tmp	4e248cce2fb9b5f155ca62d21c6e9da7.exe
File created	C:\Program Files\Windows Photo Viewer\uk-UA\ea1d8f6d871115	4e248cce2fb9b5f155ca62d21c6e9da7.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX4CA2.tmp	4e248cce2fb9b5f155ca62d21c6e9da7.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\sihost.exe	4e248cce2fb9b5f155ca62d21c6e9da7.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\uk-UA\RCX5340.tmp	4e248cce2fb9b5f155ca62d21c6e9da7.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\RuntimeBroker.exe	4e248cce2fb9b5f155ca62d21c6e9da7.exe
File created	C:\Program Files (x86)\Windows Portable Devices\66fc9ff0ee96c2	4e248cce2fb9b5f155ca62d21c6e9da7.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\uk-UA\upfc.exe	4e248cce2fb9b5f155ca62d21c6e9da7.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File created	C:\Windows\IdentityCRL\production\unsecapp.exe	4e248cce2fb9b5f155ca62d21c6e9da7.exe
File created	C:\Windows\IdentityCRL\production\29c1c3cc0f7685	4e248cce2fb9b5f155ca62d21c6e9da7.exe
File created	C:\Windows\Migration\WTR\RuntimeBroker.exe	4e248cce2fb9b5f155ca62d21c6e9da7.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\RCX4604.tmp	4e248cce2fb9b5f155ca62d21c6e9da7.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\RCX4672.tmp	4e248cce2fb9b5f155ca62d21c6e9da7.exe
File opened for modification	C:\Windows\Migration\WTR\RCX50BC.tmp	4e248cce2fb9b5f155ca62d21c6e9da7.exe
File opened for modification	C:\Windows\Migration\WTR\RuntimeBroker.exe	4e248cce2fb9b5f155ca62d21c6e9da7.exe
File opened for modification	C:\Windows\L2Schemas\RCX5ED3.tmp	4e248cce2fb9b5f155ca62d21c6e9da7.exe
File created	C:\Windows\L2Schemas\Idle.exe	4e248cce2fb9b5f155ca62d21c6e9da7.exe
File created	C:\Windows\L2Schemas\6ccacd8608530f	4e248cce2fb9b5f155ca62d21c6e9da7.exe
File opened for modification	C:\Windows\IdentityCRL\production\unsecapp.exe	4e248cce2fb9b5f155ca62d21c6e9da7.exe
File opened for modification	C:\Windows\Migration\WTR\RCX513A.tmp	4e248cce2fb9b5f155ca62d21c6e9da7.exe
File opened for modification	C:\Windows\L2Schemas\Idle.exe	4e248cce2fb9b5f155ca62d21c6e9da7.exe
File created	C:\Windows\Performance\WinSAT\DataStore\wininit.exe	4e248cce2fb9b5f155ca62d21c6e9da7.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\wininit.exe	4e248cce2fb9b5f155ca62d21c6e9da7.exe
File created	C:\Windows\Performance\WinSAT\DataStore\56085415360792	4e248cce2fb9b5f155ca62d21c6e9da7.exe
File opened for modification	C:\Windows\L2Schemas\RCX5ED2.tmp	4e248cce2fb9b5f155ca62d21c6e9da7.exe
File created	C:\Windows\Migration\WTR\9e8d7a4ca61bd9	4e248cce2fb9b5f155ca62d21c6e9da7.exe
File opened for modification	C:\Windows\IdentityCRL\production\RCX4EA7.tmp	4e248cce2fb9b5f155ca62d21c6e9da7.exe
File opened for modification	C:\Windows\IdentityCRL\production\RCX4EA8.tmp	4e248cce2fb9b5f155ca62d21c6e9da7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	4e248cce2fb9b5f155ca62d21c6e9da7.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4748	schtasks.exe
5548	schtasks.exe
5200	schtasks.exe
848	schtasks.exe
2476	schtasks.exe
944	schtasks.exe
6140	schtasks.exe
3720	schtasks.exe
5304	schtasks.exe
852	schtasks.exe
3048	schtasks.exe
4100	schtasks.exe
2448	schtasks.exe
3224	schtasks.exe
4296	schtasks.exe
2248	schtasks.exe
3636	schtasks.exe
3612	schtasks.exe
1068	schtasks.exe
5032	schtasks.exe
3920	schtasks.exe
3908	schtasks.exe
4764	schtasks.exe
3984	schtasks.exe
3704	schtasks.exe
4860	schtasks.exe
4744	schtasks.exe
5808	schtasks.exe
4712	schtasks.exe
3740	schtasks.exe
4992	schtasks.exe
5160	schtasks.exe
2564	schtasks.exe
3668	schtasks.exe
4696	schtasks.exe
4684	schtasks.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

pid	Process
432	4e248cce2fb9b5f155ca62d21c6e9da7.exe
432	4e248cce2fb9b5f155ca62d21c6e9da7.exe
432	4e248cce2fb9b5f155ca62d21c6e9da7.exe
432	4e248cce2fb9b5f155ca62d21c6e9da7.exe
432	4e248cce2fb9b5f155ca62d21c6e9da7.exe
5920	powershell.exe
5920	powershell.exe
4040	powershell.exe
4040	powershell.exe
2264	powershell.exe
2264	powershell.exe
2632	powershell.exe
2632	powershell.exe
5216	powershell.exe
5216	powershell.exe
1608	powershell.exe
1608	powershell.exe
5856	powershell.exe
5856	powershell.exe
4092	powershell.exe
4092	powershell.exe
1820	powershell.exe
1820	powershell.exe
1972	powershell.exe
1972	powershell.exe
2104	powershell.exe
2104	powershell.exe
3280	powershell.exe
3280	powershell.exe
224	powershell.exe
224	powershell.exe
4092	powershell.exe
224	powershell.exe
5216	powershell.exe
5920	powershell.exe
5920	powershell.exe
1608	powershell.exe
5856	powershell.exe
2264	powershell.exe
4040	powershell.exe
2632	powershell.exe
1972	powershell.exe
1820	powershell.exe
2104	powershell.exe
3280	powershell.exe
4280	RuntimeBroker.exe
4280	RuntimeBroker.exe
2416	RuntimeBroker.exe
2440	RuntimeBroker.exe
1904	RuntimeBroker.exe
1904	RuntimeBroker.exe
1872	RuntimeBroker.exe
4580	RuntimeBroker.exe
5868	RuntimeBroker.exe
4116	RuntimeBroker.exe
1292	RuntimeBroker.exe
2496	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	432	4e248cce2fb9b5f155ca62d21c6e9da7.exe
Token: SeDebugPrivilege	5920	powershell.exe
Token: SeDebugPrivilege	4040	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	5216	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	5856	powershell.exe
Token: SeDebugPrivilege	4092	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	224	powershell.exe
Token: SeDebugPrivilege	3280	powershell.exe
Token: SeDebugPrivilege	4280	RuntimeBroker.exe
Token: SeDebugPrivilege	2416	RuntimeBroker.exe
Token: SeDebugPrivilege	2440	RuntimeBroker.exe
Token: SeDebugPrivilege	1904	RuntimeBroker.exe
Token: SeDebugPrivilege	1872	RuntimeBroker.exe
Token: SeDebugPrivilege	4580	RuntimeBroker.exe
Token: SeDebugPrivilege	5868	RuntimeBroker.exe
Token: SeDebugPrivilege	4116	RuntimeBroker.exe
Token: SeDebugPrivilege	1292	RuntimeBroker.exe
Token: SeDebugPrivilege	2496	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 5920	432	4e248cce2fb9b5f155ca62d21c6e9da7.exe	131
PID 432 wrote to memory of 5920	432	4e248cce2fb9b5f155ca62d21c6e9da7.exe	131
PID 432 wrote to memory of 5216	432	4e248cce2fb9b5f155ca62d21c6e9da7.exe	132
PID 432 wrote to memory of 5216	432	4e248cce2fb9b5f155ca62d21c6e9da7.exe	132
PID 432 wrote to memory of 4092	432	4e248cce2fb9b5f155ca62d21c6e9da7.exe	133
PID 432 wrote to memory of 4092	432	4e248cce2fb9b5f155ca62d21c6e9da7.exe	133
PID 432 wrote to memory of 2104	432	4e248cce2fb9b5f155ca62d21c6e9da7.exe	134
PID 432 wrote to memory of 2104	432	4e248cce2fb9b5f155ca62d21c6e9da7.exe	134
PID 432 wrote to memory of 2264	432	4e248cce2fb9b5f155ca62d21c6e9da7.exe	136
PID 432 wrote to memory of 2264	432	4e248cce2fb9b5f155ca62d21c6e9da7.exe	136
PID 432 wrote to memory of 1820	432	4e248cce2fb9b5f155ca62d21c6e9da7.exe	137
PID 432 wrote to memory of 1820	432	4e248cce2fb9b5f155ca62d21c6e9da7.exe	137
PID 432 wrote to memory of 5856	432	4e248cce2fb9b5f155ca62d21c6e9da7.exe	138
PID 432 wrote to memory of 5856	432	4e248cce2fb9b5f155ca62d21c6e9da7.exe	138
PID 432 wrote to memory of 4040	432	4e248cce2fb9b5f155ca62d21c6e9da7.exe	139
PID 432 wrote to memory of 4040	432	4e248cce2fb9b5f155ca62d21c6e9da7.exe	139
PID 432 wrote to memory of 3280	432	4e248cce2fb9b5f155ca62d21c6e9da7.exe	140
PID 432 wrote to memory of 3280	432	4e248cce2fb9b5f155ca62d21c6e9da7.exe	140
PID 432 wrote to memory of 2632	432	4e248cce2fb9b5f155ca62d21c6e9da7.exe	141
PID 432 wrote to memory of 2632	432	4e248cce2fb9b5f155ca62d21c6e9da7.exe	141
PID 432 wrote to memory of 224	432	4e248cce2fb9b5f155ca62d21c6e9da7.exe	142
PID 432 wrote to memory of 224	432	4e248cce2fb9b5f155ca62d21c6e9da7.exe	142
PID 432 wrote to memory of 1608	432	4e248cce2fb9b5f155ca62d21c6e9da7.exe	144
PID 432 wrote to memory of 1608	432	4e248cce2fb9b5f155ca62d21c6e9da7.exe	144
PID 432 wrote to memory of 1972	432	4e248cce2fb9b5f155ca62d21c6e9da7.exe	146
PID 432 wrote to memory of 1972	432	4e248cce2fb9b5f155ca62d21c6e9da7.exe	146
PID 432 wrote to memory of 4280	432	4e248cce2fb9b5f155ca62d21c6e9da7.exe	157
PID 432 wrote to memory of 4280	432	4e248cce2fb9b5f155ca62d21c6e9da7.exe	157
PID 4280 wrote to memory of 4668	4280	RuntimeBroker.exe	161
PID 4280 wrote to memory of 4668	4280	RuntimeBroker.exe	161
PID 4280 wrote to memory of 2012	4280	RuntimeBroker.exe	162
PID 4280 wrote to memory of 2012	4280	RuntimeBroker.exe	162
PID 4668 wrote to memory of 2416	4668	WScript.exe	165
PID 4668 wrote to memory of 2416	4668	WScript.exe	165
PID 2416 wrote to memory of 5584	2416	RuntimeBroker.exe	167
PID 2416 wrote to memory of 5584	2416	RuntimeBroker.exe	167
PID 2416 wrote to memory of 4772	2416	RuntimeBroker.exe	168
PID 2416 wrote to memory of 4772	2416	RuntimeBroker.exe	168
PID 5584 wrote to memory of 2440	5584	WScript.exe	169
PID 5584 wrote to memory of 2440	5584	WScript.exe	169
PID 2440 wrote to memory of 1676	2440	RuntimeBroker.exe	173
PID 2440 wrote to memory of 1676	2440	RuntimeBroker.exe	173
PID 2440 wrote to memory of 2072	2440	RuntimeBroker.exe	174
PID 2440 wrote to memory of 2072	2440	RuntimeBroker.exe	174
PID 1676 wrote to memory of 1904	1676	WScript.exe	176
PID 1676 wrote to memory of 1904	1676	WScript.exe	176
PID 1904 wrote to memory of 540	1904	RuntimeBroker.exe	180
PID 1904 wrote to memory of 540	1904	RuntimeBroker.exe	180
PID 1904 wrote to memory of 2460	1904	RuntimeBroker.exe	181
PID 1904 wrote to memory of 2460	1904	RuntimeBroker.exe	181
PID 540 wrote to memory of 1872	540	WScript.exe	186
PID 540 wrote to memory of 1872	540	WScript.exe	186
PID 1872 wrote to memory of 2244	1872	RuntimeBroker.exe	188
PID 1872 wrote to memory of 2244	1872	RuntimeBroker.exe	188
PID 1872 wrote to memory of 5432	1872	RuntimeBroker.exe	189
PID 1872 wrote to memory of 5432	1872	RuntimeBroker.exe	189
PID 2244 wrote to memory of 4580	2244	WScript.exe	191
PID 2244 wrote to memory of 4580	2244	WScript.exe	191
PID 4580 wrote to memory of 5848	4580	RuntimeBroker.exe	193
PID 4580 wrote to memory of 5848	4580	RuntimeBroker.exe	193
PID 4580 wrote to memory of 3532	4580	RuntimeBroker.exe	194
PID 4580 wrote to memory of 3532	4580	RuntimeBroker.exe	194
PID 5848 wrote to memory of 5868	5848	WScript.exe	195
PID 5848 wrote to memory of 5868	5848	WScript.exe	195

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4e248cce2fb9b5f155ca62d21c6e9da7.exe
"C:\Users\Admin\AppData\Local\Temp\4e248cce2fb9b5f155ca62d21c6e9da7.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\4e248cce2fb9b5f155ca62d21c6e9da7.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Local Settings\sysmon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IdentityCRL\production\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\uk-UA\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\fr-FR\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Recovery\WindowsRE\RuntimeBroker.exe
  "C:\Recovery\WindowsRE\RuntimeBroker.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4280
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03c9790a-674b-4d47-918e-82228bb60177.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4668
  - - C:\Recovery\WindowsRE\RuntimeBroker.exe
      C:\Recovery\WindowsRE\RuntimeBroker.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2416
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02670677-69f1-4bc2-8be4-8f42f75779d4.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5584
      - C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7041c290-6136-4210-85f3-35adfaa0bafb.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed015ce9-e0a8-4758-96fc-d1a188e36832.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ef39bf2-f9aa-40d4-8cf9-b1deadd75452.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99042490-4a28-4142-a131-3e479f9a7bd2.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:5848
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36c15829-cfdd-42ea-9e31-3d572766cdd1.vbs"
        15⤵
        
        PID:3736
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8607b6b-5932-41dd-9b6e-2ee60be60b74.vbs"
        17⤵
        
        PID:3604
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd204a3e-4256-43d7-a7e3-3a4b27398a48.vbs"
        19⤵
        
        PID:3120
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f070491d-b27f-45a7-bc21-fcd4a0d356f5.vbs"
        21⤵
        
        PID:5784
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        22⤵
        
        PID:4784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a497086e-8ce3-41d6-963b-e4e8dc5cfca2.vbs"
        23⤵
        
        PID:3500
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        24⤵
        
        PID:5404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2d7a8d2-edbd-4de3-a458-ca7d538a7726.vbs"
        25⤵
        
        PID:4708
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        26⤵
        
        PID:4280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7faa571-c9c5-4db7-9ee6-45844736dd75.vbs"
        27⤵
        
        PID:332
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        28⤵
        
        PID:2416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a23de27-6bbe-4d2d-ac4b-a9eddf81dd2c.vbs"
        29⤵
        
        PID:3512
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        30⤵
        
        PID:4124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e253e1eb-f71f-4a80-b786-bf24286fd0f7.vbs"
        31⤵
        
        PID:852
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        32⤵
        
        PID:1808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67fbd166-87ee-4151-a2dd-5be01d09214d.vbs"
        33⤵
        
        PID:5416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af03af74-52dd-4508-9549-0641c5e591c6.vbs"
        33⤵
        
        PID:368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc5759e2-254e-4c84-9dcd-f7a643c86fe2.vbs"
        31⤵
        
        PID:1668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0664340d-9616-44d1-a400-35baafbe3177.vbs"
        29⤵
        
        PID:2188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14be1fb3-151d-472a-9c3b-030c4a74c584.vbs"
        27⤵
        
        PID:1484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74f3cc1e-08ba-4bcb-985f-7d4ef8d7860a.vbs"
        25⤵
        
        PID:5144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1058c60d-15e7-4a3e-b0fd-1eed59fa7bf9.vbs"
        23⤵
        
        PID:4944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59db9b37-6d98-4be3-914b-9a95ac754afe.vbs"
        21⤵
        
        PID:6028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\386623df-d761-449d-9b6d-6bba625ae71d.vbs"
        19⤵
        
        PID:2692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46a76f95-b64b-4308-8456-3b90f8bb134b.vbs"
        17⤵
        
        PID:5324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2ba67e8-262b-4f8c-98a3-88e6b3a57931.vbs"
        15⤵
        
        PID:1588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9cab7f62-0ffb-4d83-8a2b-8baf2830e3ed.vbs"
        13⤵
        
        PID:3532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea04f052-eb14-4b4b-8374-0a7b3cdc3d9a.vbs"
        11⤵
        
        PID:5432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b360b836-bf3e-4e12-97fa-49e00064f7fc.vbs"
        9⤵
        
        PID:2460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57c60ce7-388f-42ab-b76a-b9f271681d14.vbs"
        7⤵
        
        PID:2072
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f2cef360-917f-4648-85bf-89dd9b685468.vbs"
        5⤵
        
        PID:4772
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\310b2bb6-4714-423d-956e-e6e9b21d09d3.vbs"
    3⤵
    PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\WinSAT\DataStore\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\Performance\WinSAT\DataStore\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Users\Public\AccountPictures\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Local Settings\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Local Settings\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Windows\IdentityCRL\production\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\production\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Windows\IdentityCRL\production\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\Migration\WTR\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\Migration\WTR\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\uk-UA\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Application Data\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default\Application Data\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Application Data\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\L2Schemas\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\L2Schemas\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\L2Schemas\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.6MB

MD5
25af5903ddab570bf98710f0057a194f

SHA1
bb4624f4b4abb4d147b719675e7d632de00c449b

SHA256
c0716b62fa8190d54f6e1ee2c73775f03df683ad31a611392162fb121303144a

SHA512
a91c35f202e165ca685e2990a968079b4f136dbb700995815ba63bfd0637e9037cd055a41139360300c65e19b454931490407a20c1470c9a3588214af9107522

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
52154da84516c927c4571b3afe748773

SHA1
9060e24b271895bb2fbdeb9bada32d387cbf1a46

SHA256
9b12f0d1478f34794f3427ca46c163a4000976db9be93cab681881d355047653

SHA512
22329f756bca4290e06021e2aca9d74e5237282ae27fdef82ee26ceaaa7d07320703754a619c39bc542b3e97dde709b664e96b53726da3fe28065836f3b315e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a5d93882341ce023d4569907c3bb0def

SHA1
db0998ab671abb543a7ac78596c0b95743a9a2c8

SHA256
c3ea7d8d4ac21adbe8c93e10729367b0b7c3477e7758596609c8e25e45baaa78

SHA512
7bf5716c96d93da7d37bbedb9623c9ae2860ac7b1a0e9310cbee0962556705f8876aebdabb9820f1f1ed37e504e002f24507a23db302d0e180bb45092520cc7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5e4343881dc5fcb6305d29ef34a5ce28

SHA1
823b588ad6905d682cc3b7ac7bf7184d71da3d45

SHA256
27e82cc6e13b0db3a8b74798dffe21837cd4ef1f519519227bbd41ef05f428ac

SHA512
7a8c265e8dc6b4ad85132c4182270322023b4d59c97b466b5cce24402426c32fe14500343938c069cb17f985c73ef00f06187669d5b0c2050839a4cf6eb91762

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f3d606f9a5f1201bfc1f01c54e842c4

SHA1
f1917e50b557b135953ecbe63e1fc1e675b541f1

SHA256
dcc09d3b5b17ef60cb35e4148230306cdcd68d18d18a39fd5fe220c34997a32a

SHA512
d85e1e1b4a552a8cdd21c4195a2ea082d3fcb40907d2a6a0ceb297f32defd1fba17d3b54dc954c26b3b731bc179bee5cfc011de3c667af47cdbe289b30fdfb38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1641de9a10da75d35edf03caa25212c1

SHA1
af73f64f8ce476c8e4eb56bb40426552d34c1ca8

SHA256
5fbacccb41dad88018fad178d824e1dc4cdc48e08032d374ac88d37c88ee60c2

SHA512
7123f9d69a0930a5143e442893cb2711bd9fd911f50e00f7b651ff8d448b78541ea0fa5f36452ad30e4c90ebfd1b1cc51e97422d6649089ec6b9f783ee6101e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
47dc8ed1f00b2cf40d90efa529ee35cc

SHA1
851d6a181ebb44256367c73042ed4f774bce9bdd

SHA256
2a1fa5eb6fa8a3b821776f5db5d69d414ca120a4612e613ec6ad34d216b2223e

SHA512
3dc49732881a4c8d2edfd4619ea4d206cca74fabba7d00f2021a7e07dba47c436a10f2d591ca43930c674ffe6b5f528a9e10e543dd87edf97d3f2f078c23c928

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c44e48d99762769d16de7352e92db16f

SHA1
29898e4ddba0504899fe0f0a55abacf592689e1b

SHA256
f92b4e399718fecfdc08924f70f0bdb7c5e0014eaeec343d815a503e06205bc8

SHA512
18cfd8b4bf3871c26c01d20ecd90f76493a6e55d7df33e78fb1491f6151ab3c04589758d6419f7b73a1288d5e65b85f40142bb7e3df5bc46e7fe4cf2da014879

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
414d3c7be38a289ed476cbb4ac51ae02

SHA1
da5113d85edeefb5a20093e40bb548356316f3d4

SHA256
d8ce1dc945725e1a003fcad77de1db795d498003228c088506d286c613cd2e31

SHA512
a6db753e6e9515ad845b8073e725b2d0182697c6dd77475291aefd19e7331d78039c00b9d41ee8cccfabe9a2e0e2ab25753ebf9a865c4a3c18d77ee27cbbae93

Download Submit
C:\Users\Admin\AppData\Local\Temp\02670677-69f1-4bc2-8be4-8f42f75779d4.vbs

Filesize
715B

MD5
246d29efcb8ca09c7361ff2c6ab7f526

SHA1
fa0f5300ddf485c877f6cb761adac3bd0677787d

SHA256
00a4575f07e7df6d51be19f648adae3a9f6acb7d44a00c6c2013887a3b74a1f8

SHA512
96708e42e0487f1832b9deff88cc2968ed9f03fac4e71e098122f89fb24850bf76a7975938eb6d0b50554c58d8ffb2656534d73159de7297c6d08ba1925654b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\03c9790a-674b-4d47-918e-82228bb60177.vbs

Filesize
715B

MD5
874816edbe86d126e75b289ba1ef657e

SHA1
4b686a4c574624d460f0d407d6ddd4b40e4941ed

SHA256
6ea30fe0dcc845631b070a07d1b89e7c7933ca9f87a80c86bb973613d0b429c7

SHA512
b6a33ae57405e32b0cc6b83b929a932fc30fe17828c00853c34f3f76cdccd9a3faae2eafe8309a044907f4c3c781141476cf1bdbe30ad16f5adca134ee8c409d

Download Submit
C:\Users\Admin\AppData\Local\Temp\310b2bb6-4714-423d-956e-e6e9b21d09d3.vbs

Filesize
491B

MD5
5e32942abc45fb82bab4f3192e639bb3

SHA1
5bd7561c722e458fa4b14dac0ade835ac3563e5d

SHA256
654277e72cf1262e1c725bf3e73356d7fd0c88482955b18631f8892f5afd619d

SHA512
b380091bb9a934e9bdd6964f6e8f1cb9e3604eec43b3d070f40510dec68e9d38972e8ae61efcc7cfb3a1c5b782184813ac73b1886e2e9aa6db567959e01c30b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\36c15829-cfdd-42ea-9e31-3d572766cdd1.vbs

Filesize
715B

MD5
ed322ce23109017b77c5729c47d99a73

SHA1
d36c415242f4befa79d2c757dc1589d0b8726599

SHA256
2f7f34161d1c3f882b4238115451b3617c6c4eeb8b1c9dfcb324f7befd26c2ca

SHA512
87db840e3360ce060071787d06a614ea25a43270054ab01cdc79e236eacb33eb6d1c42679932a488603e8ff2d7faf62bbab1cddd54ab8c7628c180f8d0f6fec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ef39bf2-f9aa-40d4-8cf9-b1deadd75452.vbs

Filesize
715B

MD5
766773c7c6a7946dc48f235b79ee9715

SHA1
964261cf01840d14a80fa9460eaebe8fa1fc5d05

SHA256
647cd21994e50119fc8737ec80f3389d02fd167b1038b55c7c26abc25006e495

SHA512
e19bd5a2f5f316988664d166b12039330a7d66facb62382f807d5642313010bf349aecc61496a10a504bb0681de1926c6a4c3841a7613c95bcd50d2967355199

Download Submit
C:\Users\Admin\AppData\Local\Temp\7041c290-6136-4210-85f3-35adfaa0bafb.vbs

Filesize
715B

MD5
53707eff76488a5f4ae318d6dfffc519

SHA1
1a67a1146d4920229ce8ac2fef9bc64f4386974e

SHA256
fbcf4a9d506f6c54a76ca2c592354a34d0378bd579fca180878fbdee9e59a163

SHA512
30ce04f250f907b63dd9bd4ae29178e35497762d2eabfd6c0f726f881e5d8bb84a4e2f8ea974f4e848f2cb49bade9e366e87d311424b03c6a0e475d7b9917ccd

Download Submit
C:\Users\Admin\AppData\Local\Temp\99042490-4a28-4142-a131-3e479f9a7bd2.vbs

Filesize
715B

MD5
d356f28913540f367fe8cd15f8302c3a

SHA1
03ae9cdcaf1826e9d55c5db0167f2af86af3ec3e

SHA256
676e26138abdf8a49b114b1b1948fa6648fa754f67c3fc831e20bddf5455822c

SHA512
ad4c9065ddb36693e40a4254059654d732fe81c6f6ccd2c2ad22ee640199dc2735dfa5c604a7a560d574741a4abcd8c6e3d3e0152688bca184db209ccbc315cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rq1e11or.txk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a497086e-8ce3-41d6-963b-e4e8dc5cfca2.vbs

Filesize
715B

MD5
9691599baef12eedec9e261a8b7bc7fb

SHA1
da8d75b6b35f956bffb6dc28c3cfe55ec3279922

SHA256
33c08e576bb4b1e6c666396e5e24994be2b6d1d73c37ae3b638f438a18e96896

SHA512
516d3e1b1d492509e09b6e0a775982b994554688bd44a571e902feab0581433d27b3c5d0d0ef6bf4a38122fd608341cf9e76fe15ba187d9180534ca99adeefae

Download Submit
C:\Users\Admin\AppData\Local\Temp\a8607b6b-5932-41dd-9b6e-2ee60be60b74.vbs

Filesize
715B

MD5
dcc342a7c5927e590a75cee7dd523a71

SHA1
25eb470d76020a65e652d2d09835ddb7530d6783

SHA256
cf5f079e7a544799c1b5215c817f150496cb4553449eb55f6b68c721d5120439

SHA512
b57b721929a5cbdf2c8fc273e6ef038d560c7d73b0d9eb42eacb4b9bb0139de36cc397398bbcbbca06aa22851f85f52f43a10185df28c3ca28de52072932cb30

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd204a3e-4256-43d7-a7e3-3a4b27398a48.vbs

Filesize
715B

MD5
efff269602a6b52cf7d5418ad818bac8

SHA1
1dffebd57ec3424e978e75211620bd0b72bfa702

SHA256
51fb75699f5c2455a739f1d5460ef4a844d0b9a48fad31711261752cc660b7f3

SHA512
01ad23d06ca46bc1342085926808f3cbc5c454f78bec4c5d456071cbb70cd61f43a2fd160b3d0fe7d82b4bbe490b799bb17a689c17f3321e2773da56b753fb61

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2d7a8d2-edbd-4de3-a458-ca7d538a7726.vbs

Filesize
715B

MD5
613cf7bee38163531705173e8f4e388d

SHA1
0e0964efa14974426a669988917d1b66c1701734

SHA256
92c3800ae9ef73a192e95c5c1b7cf59a91180b0289eed25f6b32e9b246ff98f5

SHA512
9e10bbcd3279d7382a54080f0b03f8906f8198c94ecc969cd1f83cc3aaaead8df41a911a936adcf75e8b8c52cc3691e27d167ccc5552206f5278bfad6837345f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed015ce9-e0a8-4758-96fc-d1a188e36832.vbs

Filesize
715B

MD5
d47d343a763472cb1bf25f56914a8523

SHA1
42d277db2b419fd8d02f9d6bc52ec15d36709a80

SHA256
d86b579fa24762585802c70d2250adc50cd42eb44c198e47d93bc2e494296b77

SHA512
cf02d751ffc5fb956d1d57ad5244cbe8d66269fa4ec612ec62f02b1f4bd60f97a8a1b81a63a2e4679957dfc3a09626ce1ab5e1f551a106581379cad6e5af6fb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\f070491d-b27f-45a7-bc21-fcd4a0d356f5.vbs

Filesize
715B

MD5
01b24bd53dc2319c5ccc484efba10c65

SHA1
10b41292c2e32a063a08d779e90b9c66402f0a25

SHA256
7f888b507c5b0e67f00da7dc679ebbacc83b76f3648935d6f1bb88b67e247232

SHA512
5f22727b167e7c18ba502fe6f6f0c2f54d2fea8bded329651af47c07df1e8f17be217dd3b7a2795a879aaf26dfb2d79f045e27fae8dd85fc48edfdf99709e8ad

Download Submit
C:\Users\Default\AppData\Roaming\Registry.exe

Filesize
1.6MB

MD5
73662601f7516be2c488bcb93cae5f8d

SHA1
89566fabb0e701022927aa294c63a6396c8269c6

SHA256
9e124ec29c04015ad14640e6a54765e04410da8824f4651b782b56fab101fdb2

SHA512
7f228dd194a22252e59c6b08d83a9d47c0893c72ee6747a1ec80e462cc50c0dbe96d341b3715ea0aa717fe88717cce7a6e1eff7e1d954a3fdaf450e4624b88c1

Download Submit
C:\Windows\IdentityCRL\production\unsecapp.exe

Filesize
1.6MB

MD5
4e248cce2fb9b5f155ca62d21c6e9da7

SHA1
c5eab96ba2a3310bcb3cef05918a38efe5cfad86

SHA256
74c882cb1bc2e8f293c67a7c9a2bcc0c37e0aafa6fd173b1990b5ba667befe86

SHA512
958763f40b1371177b4cffa09701a600948f3126e6ac4d041a08e11f903f51f3beccd7a9ad9cd9b20cbc443310af573ac2fbb396c21f8d61fb05324553c0bb23

Download Submit
C:\Windows\Migration\WTR\RuntimeBroker.exe

Filesize
1.6MB

MD5
705bdab486ed50902c67beb08a815ad6

SHA1
737228d50dba4b3db6a01d7fc6cde22b82abd02a

SHA256
2d5c38b33d861e3a85a1abcc31fe00a77a7fe26ef4646674c3e3059eb076a5c7

SHA512
114c8d983fb5cdfd679c936c8cb81268ad476706745baf194b13ff4b5ce179cc1b29afb5b233f2945136f7835014d56aaafd835a3b8132936654dc7cf0fe57de

Download Submit
C:\Windows\Performance\WinSAT\DataStore\wininit.exe

Filesize
1.6MB

MD5
5d468492c73aaed678f9094ada4c8fb1

SHA1
4a78f69d28f382cc7b75a6fc25b31b770108ce79

SHA256
1d861da23f0fe516bb9bf64a52011c1924e339d5ce106f1c755b3a9f57b16214

SHA512
52a8c8ab24fd30f2ae8d65dde67d19705862855a0a12edcd09b7d19acd62229fd38b4dee09d36cf083f9c5ddec86302c79b29ededb6f5900880d3f8710a4bb2c

Download Submit
memory/432-11-0x0000000002F40000-0x0000000002F4C000-memory.dmp

Filesize
48KB

Download
memory/432-10-0x0000000002F20000-0x0000000002F2C000-memory.dmp

Filesize
48KB

Download
memory/432-1-0x0000000000BE0000-0x0000000000D82000-memory.dmp

Filesize
1.6MB

Download
memory/432-235-0x00007FF9B2733000-0x00007FF9B2735000-memory.dmp

Filesize
8KB

Download
memory/432-3-0x0000000002EC0000-0x0000000002EDC000-memory.dmp

Filesize
112KB

Download
memory/432-4-0x0000000002F60000-0x0000000002FB0000-memory.dmp

Filesize
320KB

Download
memory/432-7-0x0000000002F00000-0x0000000002F08000-memory.dmp

Filesize
32KB

Download
memory/432-13-0x0000000002FC0000-0x0000000002FCE000-memory.dmp

Filesize
56KB

Download
memory/432-12-0x0000000002FB0000-0x0000000002FBA000-memory.dmp

Filesize
40KB

Download
memory/432-0-0x00007FF9B2733000-0x00007FF9B2735000-memory.dmp

Filesize
8KB

Download
memory/432-2-0x00007FF9B2730000-0x00007FF9B31F1000-memory.dmp

Filesize
10.8MB

Download
memory/432-367-0x00007FF9B2730000-0x00007FF9B31F1000-memory.dmp

Filesize
10.8MB

Download
memory/432-9-0x0000000002F10000-0x0000000002F18000-memory.dmp

Filesize
32KB

Download
memory/432-14-0x0000000002FD0000-0x0000000002FD8000-memory.dmp

Filesize
32KB

Download
memory/432-15-0x0000000002FE0000-0x0000000002FE8000-memory.dmp

Filesize
32KB

Download
memory/432-17-0x000000001C290000-0x000000001C29C000-memory.dmp

Filesize
48KB

Download
memory/432-16-0x0000000002FF0000-0x0000000002FFA000-memory.dmp

Filesize
40KB

Download
memory/432-8-0x0000000002F30000-0x0000000002F40000-memory.dmp

Filesize
64KB

Download
memory/432-6-0x0000000002EE0000-0x0000000002EF6000-memory.dmp

Filesize
88KB

Download
memory/432-5-0x00000000016B0000-0x00000000016C0000-memory.dmp

Filesize
64KB

Download
memory/4280-368-0x0000000000660000-0x0000000000802000-memory.dmp

Filesize
1.6MB

Download
memory/4280-535-0x000000001D880000-0x000000001D982000-memory.dmp

Filesize
1.0MB

Download
memory/5920-245-0x0000027F74AA0000-0x0000027F74AC2000-memory.dmp

Filesize
136KB

Download