Overview

overview

10

Static

static

10

88bc7b6a62...00.exe

windows7-x64

7

88bc7b6a62...00.exe

windows10-2004-x64

7

88cdf3a075...59.exe

windows7-x64

10

88cdf3a075...59.exe

windows10-2004-x64

10

89000a0d00...5b.exe

windows7-x64

10

89000a0d00...5b.exe

windows10-2004-x64

10

89270d6b49...b4.exe

windows7-x64

1

89270d6b49...b4.exe

windows10-2004-x64

1

892ac0ac36...51.exe

windows7-x64

8

892ac0ac36...51.exe

windows10-2004-x64

8

894b900bb7...92.exe

windows7-x64

8

894b900bb7...92.exe

windows10-2004-x64

8

896493118e...17.exe

windows7-x64

10

896493118e...17.exe

windows10-2004-x64

10

89652cefa9...84.exe

windows7-x64

3

89652cefa9...84.exe

windows10-2004-x64

10

897255af35...03.exe

windows7-x64

10

897255af35...03.exe

windows10-2004-x64

10

897b60be56...d4.exe

windows7-x64

6

897b60be56...d4.exe

windows10-2004-x64

6

89a1a21003...9d.exe

windows7-x64

3

89a1a21003...9d.exe

windows10-2004-x64

3

89ed231ad6...9a.exe

windows7-x64

10

89ed231ad6...9a.exe

windows10-2004-x64

10

8a4e1b5c29...83.exe

windows7-x64

10

8a4e1b5c29...83.exe

windows10-2004-x64

10

8a7ce080bb...ba.exe

windows7-x64

10

8a7ce080bb...ba.exe

windows10-2004-x64

10

8aa071d8cc...3d.exe

windows7-x64

7

8aa071d8cc...3d.exe

windows10-2004-x64

7

8acb86332d...4c.exe

windows7-x64

10

8acb86332d...4c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2025, 06:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe

  • Size

    1.9MB

  • MD5

    9f30385fab69f24df7f2e9403fb5465e

  • SHA1

    1f9027f32b0ad3b0783679096649f9941bc7e802

  • SHA256

    896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17

  • SHA512

    3be52680b247764f555ea23382d05b1e08f955aa2e89378fcb6e41dfdede63af8e0510e2adc848ba0cb7e9eae362996421fba880110f3167ade8400beedabadc

  • SSDEEP

    24576:0z4T3bMX0/0ZqSEaa3OVFu8VQTo8Ia29MSVyAXmFPf87ptY60/YYhdbh7JRj:0OMX0/08SVYTcxMXPxthD

Score
10/10
defense_evasionexecutiontrojan

Malware Config

Signatures

  • Process spawned unexpected child process 27 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 21 IoCs
    defense_evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 7 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Checks whether UAC is enabled 1 TTPs 14 IoCs
    defense_evasiontrojan
  • Drops file in Windows directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 7 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs
  • System policy modification 1 TTPs 21 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
    "C:\Users\Admin\AppData\Local\Temp\896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe"
    1⤵
    • UAC bypass
    • Drops file in Drivers directory
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:232
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3756
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\60739cf6f660743813\RuntimeBroker.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5896
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\900323d723f1dd1206\sppsvc.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1656
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\60739cf6f660743813\896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4760
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\dllhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5972
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\900323d723f1dd1206\System.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4420
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\dllhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4308
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\sihost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2472
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\System.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5160
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\RuntimeBroker.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1592
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pWeIzPTbmL.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5128
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:3364
        • C:\Windows\Tasks\dllhost.exe
          "C:\Windows\Tasks\dllhost.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:5584
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46563a00-cd34-4061-a4b0-1fa20f7d20ce.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:6108
            • C:\Windows\Tasks\dllhost.exe
              C:\Windows\Tasks\dllhost.exe
              5⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • System policy modification
              PID:6116
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bac3daec-57db-4991-9608-bd1bc236b4f9.vbs"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:1704
                • C:\Windows\Tasks\dllhost.exe
                  C:\Windows\Tasks\dllhost.exe
                  7⤵
                  • UAC bypass
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:5652
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7466eddc-71d3-4805-8e5d-289433d3a929.vbs"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4980
                    • C:\Windows\Tasks\dllhost.exe
                      C:\Windows\Tasks\dllhost.exe
                      9⤵
                      • UAC bypass
                      • Checks computer location settings
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Modifies registry class
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      • System policy modification
                      PID:3300
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ebfa81e-aec7-432d-ae35-9ee637f87a12.vbs"
                        10⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4448
                        • C:\Windows\Tasks\dllhost.exe
                          C:\Windows\Tasks\dllhost.exe
                          11⤵
                          • UAC bypass
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Modifies registry class
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          • System policy modification
                          PID:2524
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b304b7d-6209-42d0-83b0-96d6be79c261.vbs"
                            12⤵
                            • Suspicious use of WriteProcessMemory
                            PID:5184
                            • C:\Windows\Tasks\dllhost.exe
                              C:\Windows\Tasks\dllhost.exe
                              13⤵
                              • UAC bypass
                              • Checks computer location settings
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              • System policy modification
                              PID:1460
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d8767651-aeb1-4a17-aa61-b58dec782bb2.vbs"
                                14⤵
                                  PID:3152
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0a499d9-ad0b-431b-815e-cb30c4cbdbee.vbs"
                                  14⤵
                                    PID:4732
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\346dcbc8-85a8-4190-8ff2-a6e4f8ae7e71.vbs"
                                12⤵
                                  PID:4672
                            • C:\Windows\System32\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b9efc5e-f3a6-4cce-aa08-470d1678479d.vbs"
                              10⤵
                                PID:536
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d6aa4ac-1bb9-42f0-add5-1492afd5e967.vbs"
                            8⤵
                              PID:1112
                        • C:\Windows\System32\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59a7a50f-cbff-4ff2-a1f6-6af94f0c5bbf.vbs"
                          6⤵
                            PID:4764
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\899a4f92-867f-45a3-8820-591bfc72fbeb.vbs"
                        4⤵
                          PID:4552
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\60739cf6f660743813\RuntimeBroker.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4656
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\60739cf6f660743813\RuntimeBroker.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4640
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\60739cf6f660743813\RuntimeBroker.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4732
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\900323d723f1dd1206\sppsvc.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4800
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\900323d723f1dd1206\sppsvc.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4808
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\900323d723f1dd1206\sppsvc.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4900
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b178" /sc MINUTE /mo 6 /tr "'C:\60739cf6f660743813\896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4908
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17" /sc ONLOGON /tr "'C:\60739cf6f660743813\896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4888
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b178" /sc MINUTE /mo 8 /tr "'C:\60739cf6f660743813\896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4828
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\Tasks\dllhost.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4708
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Tasks\dllhost.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:3580
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\Tasks\dllhost.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:1452
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\900323d723f1dd1206\System.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2580
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\900323d723f1dd1206\System.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4048
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\900323d723f1dd1206\System.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:2084
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\dllhost.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4616
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Desktop\dllhost.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:5876
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Desktop\dllhost.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4132
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\sihost.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4848
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Public\Videos\sihost.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4840
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Videos\sihost.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4976
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\ModemLogs\System.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:5988
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\ModemLogs\System.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:5012
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\ModemLogs\System.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:5036
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\Fonts\RuntimeBroker.exe'" /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4996
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Fonts\RuntimeBroker.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4868
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\RuntimeBroker.exe'" /rl HIGHEST /f
                    1⤵
                    • Process spawned unexpected child process
                    • Scheduled Task/Job: Scheduled Task
                    PID:4876

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\60739cf6f660743813\896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17.exe
                    Filesize

                    1.9MB

                    MD5

                    6d3fc346713e89ca4b5245ca6464d320

                    SHA1

                    4ca2a82156e560a64bc1139d393c1ccee3382380

                    SHA256

                    6bf89b318cc2d02abe252e155e68ceb9377d84a72f110438b0c14afb0c7717d9

                    SHA512

                    65e0fed0cebf94cc03179e13221cfd1f0f3f46cf39ea763bc6b45260f0c429f4751f36df0eba72b1ca19889bae56bd7e8f335299b7152aceed9e50be25a19ce9

                    Download Submit

                  • C:\900323d723f1dd1206\System.exe
                    Filesize

                    1.9MB

                    MD5

                    9f30385fab69f24df7f2e9403fb5465e

                    SHA1

                    1f9027f32b0ad3b0783679096649f9941bc7e802

                    SHA256

                    896493118eef774a76d4ea1ef6ead5a805b0d99452a2c423da8c617c459f5b17

                    SHA512

                    3be52680b247764f555ea23382d05b1e08f955aa2e89378fcb6e41dfdede63af8e0510e2adc848ba0cb7e9eae362996421fba880110f3167ade8400beedabadc

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log
                    Filesize

                    1KB

                    MD5

                    364147c1feef3565925ea5b4ac701a01

                    SHA1

                    9a46393ac3ffad3bb3c8f0e074b65d68d75e21ef

                    SHA256

                    38cf1ab1146ad24e88763fc0508c2a99478d8428b453ba8c8b830d2883a4562b

                    SHA512

                    bfec1d3f22abd5668def189259deb4d919ceb4d51ac965d0baf9b6cf8bea0db680d49a2b8d0b75524cc04c7803cdfd91e484b31dc8ddc3ff47d1e5c59a9e35cf

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                    Filesize

                    2KB

                    MD5

                    d85ba6ff808d9e5444a4b369f5bc2730

                    SHA1

                    31aa9d96590fff6981b315e0b391b575e4c0804a

                    SHA256

                    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                    SHA512

                    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    944B

                    MD5

                    0c56ba5098c530bbd1cdb28d50090d39

                    SHA1

                    ff63178ea722ec2db118c81051bf85544fb6b316

                    SHA256

                    0299d374c4b984cb0475284b966dfbe8bb08e45b93dabdf327f96a60b05273d1

                    SHA512

                    cbbf27ac30e55f4df35ae5aae50d1a2f9475dc2ac0eecf9ce0ab19adef606fff08c26d0eef5686012d36566551179afe09b15c1da1840415b1696f76324a03f2

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    944B

                    MD5

                    77c3c3e6edde95327e5255c97f03f1aa

                    SHA1

                    bf90bbebcadd07d730c5793a512ed30c4db1d776

                    SHA256

                    a80450170e547a9d4d050e3237edfcc561a6c936d180f6d0867a22a6487afa99

                    SHA512

                    8c3fbc3312def0c2ba51036a30ac23d5c50bcdf2a273ee4802fe05c73c0d94cb8b115291e0ed91a23f150ff9f69b2046276cc062a9ba6c7be92bcd975e850077

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    944B

                    MD5

                    e452a0569a88103800ef1fdb9d028088

                    SHA1

                    b73c91d1a9b444033dd5824543c4b9e9538e379f

                    SHA256

                    c0f2157095cd92cebe6ea87b14b366ff5ff71ef681785ac8363b1ca59b0ca242

                    SHA512

                    5141bd6ceaaefae93e4663b8235ecb1ff87017c2ed1c5a1cfa249bb5d9b646d6d0493e1f85aebe4ae9bddfd2ff7210ada1217bb32d52a1ac582a2f6d636e08a7

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    944B

                    MD5

                    3c7942d5130e519e28d6051f8513f7c4

                    SHA1

                    e768daf9cbd6a718a8a60c08c893ce1797cd86fb

                    SHA256

                    83042c329ad8e497403069fdb4718252bd97c127d4e04fae1977349d767c90a1

                    SHA512

                    c7456ee68bea337227d9ac5f20acdcce72abad524cc771f8d9e49e8ca8811a093d1972d88da72c612a865de9417c6dec258148ff94e739a50097b62415566bc5

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                    Filesize

                    944B

                    MD5

                    ac71252a5ec972a71c8da205ce8b70ca

                    SHA1

                    7aecda992f788df0af9d62bf872a0bbe24ce28c6

                    SHA256

                    377b163bdf5d0c30ff2166c0d6ac4652acfbf9461339394b11ae9e5c855474a5

                    SHA512

                    77a842a39d0e25ed3000fa6dc99e56bb39ec8f19ee649d6368699384c61a01ce9e4d136e2b3a67a56f924986bcc42a18e60d2875117ed419ec4ca133414c1360

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\1b304b7d-6209-42d0-83b0-96d6be79c261.vbs
                    Filesize

                    704B

                    MD5

                    2ce1e543d712539bc3c867cf4c316997

                    SHA1

                    9b1562106bd8d23ebe5fbfe692ab61dbd5f803e2

                    SHA256

                    f91328f6198258552d88514aa97fb3c83af17203032e3312a7d8694c8a62b838

                    SHA512

                    47ecb6f4f4aeb9cf513d2ef971d7078bcb1a97d55dabe11bc6a7599a7d7a8f1e064f1fb217c386ff2156855330b4cbe21b0b9fee0e1a3a9fa7231c08ca8aab1e

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\46563a00-cd34-4061-a4b0-1fa20f7d20ce.vbs
                    Filesize

                    704B

                    MD5

                    df5ffad2773d3568f2b6018dbaaf6e5b

                    SHA1

                    cb10592a8c9622620bc36c1df2d9ab72c1dcee11

                    SHA256

                    1300b18dfeacd992b55a9f37f19a2502f52f72f0480b15a93689a0ebc1749684

                    SHA512

                    b9c077ae8f1304b4cdbe376299b2a2a82fd596c82b538dbce10b6e35b1a7f8401403bc1bac56cc6859af1cfaa7ba6f5deb4242cd9d5ec533764ffa86394bb209

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\6ebfa81e-aec7-432d-ae35-9ee637f87a12.vbs
                    Filesize

                    704B

                    MD5

                    5b99886eb55cebe1b79714b953633ec2

                    SHA1

                    9ccdf5e08e7d5c88401aa1bc811d065fc9f22262

                    SHA256

                    383a16a4c544fb04e11352fec9c7f9e6efd0c6411afc464027198c4fcf9a9caa

                    SHA512

                    05bf6b8c3bf53cab1d8110154e52630834590b34f0b9e881aba3cb960f09b2ba6ac5f42bd633efe96ef863831ca15e89c939392f85f5d1012d302de5b0897b67

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\7466eddc-71d3-4805-8e5d-289433d3a929.vbs
                    Filesize

                    704B

                    MD5

                    8d78d98bfed50c8822d64a4123727644

                    SHA1

                    fd4c86f7da45093e5b3371c65045240598ea0f8a

                    SHA256

                    4a98593d20c63e78b9aba09ed5b1249393d249389e8b21c2e5690199811b2cd8

                    SHA512

                    aa6c6e592ca97626497824431cd2230bf8c2df89150cd5be81b3d336b2fe0a07cce52411a9d52a92565daecd4a5991e74de56dae5719faceb86d58a9623189c4

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\899a4f92-867f-45a3-8820-591bfc72fbeb.vbs
                    Filesize

                    480B

                    MD5

                    876996b45669af5dcaf6651b1632f96f

                    SHA1

                    e5d78c39baf94ddf2b996fee9c14386f62ffcd55

                    SHA256

                    df3d1f8bbbe47cdac26e6a08e251404e936623c87485702b4f170858cbb25365

                    SHA512

                    d4ee0208929f129387b8c41090a0b26157b59022c25e8085022f85fd0b0e208f33de96d325f05c5a6d5dad788535363e9a405d33fc9c6a09fee4019362c25aba

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nzwl4iwp.klt.ps1
                    Filesize

                    60B

                    MD5

                    d17fe0a3f47be24a6453e9ef58c94641

                    SHA1

                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                    SHA256

                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                    SHA512

                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\d8767651-aeb1-4a17-aa61-b58dec782bb2.vbs
                    Filesize

                    704B

                    MD5

                    ce2fcbf6940139aa2f1ef6e2766f2c36

                    SHA1

                    956c4266e3556110cb24124be44f8d0bc3286b02

                    SHA256

                    ff0228a2ddbb038974d02f336de2a56d4122eb98559d9c615e2f8148ef524dc8

                    SHA512

                    f21c46fda1b56fd0e81fef08fa5bf8b3f9b09d2ec4fdc738437229eb057e45549830a01b1ca953bba5e9daad156a0ebd9e9dd982e1922da6aa4643ff813b3d6e

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\pWeIzPTbmL.bat
                    Filesize

                    193B

                    MD5

                    f33ec99929cd3d2b91e4f70829dae7e3

                    SHA1

                    db2b16a1b58511dd1954b0b1f6f01f849cedab2a

                    SHA256

                    4ded7e00e380bd21d5d4c4c7906a93d0d79883248c9c58a9849ba91d7cd4c424

                    SHA512

                    789f61baa6ad9d7df87c2eb8f64da38f81bbbfd7014b7916cbef629e331bf8cdbc2197a67fc76bb03b611d1017a4674456356ca54bb529240a65b820c96bd738

                    Download Submit

                  • C:\Users\Public\Desktop\dllhost.exe
                    Filesize

                    1.9MB

                    MD5

                    0d3dd83128c23a6c412751932b08494d

                    SHA1

                    4795c61babedebacbff327e1809eaaf2d2f3fd20

                    SHA256

                    ade08bc1cc1df48c957d5c2eecf99960e0ff5ad82ec11a0e24cb0d160b8f6d68

                    SHA512

                    9d2101d8b58e68684d239a623a7cc6f8e2c436e06f8d649761e180b12569bb8d3870a47603e44ebec9e8d00b4a4f9e2f5dccc4f2cd74961111e53f93725d479b

                    Download Submit

                  • C:\Users\Public\Videos\sihost.exe
                    Filesize

                    1.9MB

                    MD5

                    5ed7126187c0d78ee16364b956d90bfe

                    SHA1

                    da470f645853982a06835a03f9dd6c9d141155bb

                    SHA256

                    2481d009255d1aee7c857ecafe7f180325607af84b15276033057bfa842a6e6c

                    SHA512

                    333a1274700aaeb2b128a0468635631da2e79278b7c64fb4e47330756cf84fced5bdf7e5f8d844b993a10c33bed42a40c3ead56f660ce093ba2f74810d18e9d4

                    Download Submit

                  • memory/232-18-0x000000001B750000-0x000000001B758000-memory.dmp

                    Filesize

                    32KB

                    Download

                  • memory/232-9-0x000000001AFC0000-0x000000001B016000-memory.dmp

                    Filesize

                    344KB

                    Download

                  • memory/232-10-0x0000000002480000-0x000000000248C000-memory.dmp

                    Filesize

                    48KB

                    Download

                  • memory/232-0-0x00007FFA878C3000-0x00007FFA878C5000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/232-4-0x000000001AF70000-0x000000001AFC0000-memory.dmp

                    Filesize

                    320KB

                    Download

                  • memory/232-153-0x00007FFA878C0000-0x00007FFA88381000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/232-14-0x000000001C150000-0x000000001C678000-memory.dmp

                    Filesize

                    5.2MB

                    Download

                  • memory/232-1-0x0000000000120000-0x000000000030A000-memory.dmp

                    Filesize

                    1.9MB

                    Download

                  • memory/232-16-0x000000001B1E0000-0x000000001B1EA000-memory.dmp

                    Filesize

                    40KB

                    Download

                  • memory/232-17-0x000000001B1F0000-0x000000001B1FE000-memory.dmp

                    Filesize

                    56KB

                    Download

                  • memory/232-19-0x000000001B760000-0x000000001B76C000-memory.dmp

                    Filesize

                    48KB

                    Download

                  • memory/232-5-0x0000000002430000-0x0000000002438000-memory.dmp

                    Filesize

                    32KB

                    Download

                  • memory/232-3-0x0000000002410000-0x000000000242C000-memory.dmp

                    Filesize

                    112KB

                    Download

                  • memory/232-8-0x0000000002470000-0x000000000247A000-memory.dmp

                    Filesize

                    40KB

                    Download

                  • memory/232-20-0x000000001B770000-0x000000001B77C000-memory.dmp

                    Filesize

                    48KB

                    Download

                  • memory/232-2-0x00007FFA878C0000-0x00007FFA88381000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/232-11-0x000000001B120000-0x000000001B128000-memory.dmp

                    Filesize

                    32KB

                    Download

                  • memory/232-6-0x0000000002440000-0x0000000002450000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/232-7-0x0000000002450000-0x0000000002466000-memory.dmp

                    Filesize

                    88KB

                    Download

                  • memory/232-13-0x000000001B130000-0x000000001B142000-memory.dmp

                    Filesize

                    72KB

                    Download

                  • memory/232-15-0x000000001B160000-0x000000001B16C000-memory.dmp

                    Filesize

                    48KB

                    Download

                  • memory/1460-316-0x000000001BDC0000-0x000000001BE16000-memory.dmp

                    Filesize

                    344KB

                    Download

                  • memory/3300-293-0x000000001B800000-0x000000001B812000-memory.dmp

                    Filesize

                    72KB

                    Download

                  • memory/5584-268-0x0000000003200000-0x0000000003256000-memory.dmp

                    Filesize

                    344KB

                    Download

                  • memory/5972-163-0x00000165A7D00000-0x00000165A7D22000-memory.dmp

                    Filesize

                    136KB

                    Download