quasar | 7915d96fd92766003b73b58c3e9b375487479b9b582ed3be8a88bf5fed8a8208

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lypha-Builder.exe
Size

1.3MB
MD5

51bacfc2db65bb01e860893dd01c57bc
SHA1

1499f3ba3f3cbdc3e4db3aff5d15cb38c5cfebd5
SHA256

7915d96fd92766003b73b58c3e9b375487479b9b582ed3be8a88bf5fed8a8208
SHA512

9e93171d3118f192f60e5b52fea67a66a3eca1ab23230da44c1a1ce80119c642ba65f61eee32afe6cec8fbe0a7fd5176cea9fdff9e3917a26114a3d11d33cb66
SSDEEP

24576:OeZa7DEThQ6Cyn2OV7s+y1SXHNC0ssga+R6bcj+RZuQHWi3F//vxy6omL2:d8ETq6CyVA+y1I40ROIbNB2YFpPomL

Score

10^/10

quasar remcos spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Remcos

team-circles.gl.at.ply.gg:25349

Mutex

109bae44-c7e4-46f2-82cd-2c3efb4dc47e

Attributes

encryption_key
78AF43F549EE55D0FC30D38EC96EAA6F3A3F5CDF
install_name
Runtime Broker.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Runtime Broker
subdirectory
WD Defender

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe	family_quasar
behavioral1/memory/4516-17-0x0000000000140000-0x0000000000464000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Lypha-Builder.exeLypha-Builder.exeLypha-Builder.exeRuntime Broker.exeRuntime Broker.exeLypha-Builder.exeRuntime Broker.exeLypha-Builder.exeLypha-Builder.exeRuntime Broker.exeLypha-Builder.exeRuntime Broker.exeLypha-Builder.exeRuntime Broker.exeLypha-Builder.exeLypha-Builder.exeLypha-Builder.exeRuntime Broker.exeLypha-Builder.exeLypha-Builder.exeLypha-Builder.exeRuntime Broker.exeLypha-Builder.exeRuntime Broker.exeLypha-Builder.exeLypha-Builder.exeRuntime Broker.exeLypha-Builder.exeRuntime Broker.exeLypha-Builder.exeLypha-Builder.exeLypha-Builder.exeLypha-Builder.exeLypha-Builder.exeRuntime Broker.exeLypha-Builder.exeLypha-Builder.exeLypha-Builder.exeLypha-Builder.exeLypha-Builder.exeLypha-Builder.exeLypha-Builder.exeRuntime Broker.exeLypha-Builder.exeLypha-Builder.exeLypha-Builder.exeRuntime Broker.exeLypha-Builder.exeLypha-Builder.exeLypha-Builder.exeRuntime Broker.exeLypha-Builder.exeRuntime Broker.exeLypha-Builder.exeLypha-Builder.exeLypha-Builder.exeLypha-Builder.exeRuntime Broker.exeLypha-Builder.exeLypha-Builder.exeRuntime Broker.exeLypha-Builder.exeLypha-Builder.exeRuntime Broker.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Lypha-Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Runtime Broker.exe

Executes dropped EXE 64 IoCs

Processes:

Runtime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exe

pid	process
4516	Runtime Broker.exe
3160	Runtime Broker.exe
3148	Runtime Broker.exe
2708	Runtime Broker.exe
3780	Runtime Broker.exe
4856	Runtime Broker.exe
4036	Runtime Broker.exe
2328	Runtime Broker.exe
2740	Runtime Broker.exe
2700	Runtime Broker.exe
3944	Runtime Broker.exe
3268	Runtime Broker.exe
3880	Runtime Broker.exe
4516	Runtime Broker.exe
2928	Runtime Broker.exe
3780	Runtime Broker.exe
1396	Runtime Broker.exe
828	Runtime Broker.exe
3776	Runtime Broker.exe
4964	Runtime Broker.exe
3540	Runtime Broker.exe
396	Runtime Broker.exe
1456	Runtime Broker.exe
972	Runtime Broker.exe
1040	Runtime Broker.exe
4804	Runtime Broker.exe
3268	Runtime Broker.exe
2912	Runtime Broker.exe
4708	Runtime Broker.exe
1484	Runtime Broker.exe
3696	Runtime Broker.exe
1984	Runtime Broker.exe
4544	Runtime Broker.exe
3276	Runtime Broker.exe
4428	Runtime Broker.exe
4192	Runtime Broker.exe
4880	Runtime Broker.exe
3440	Runtime Broker.exe
3536	Runtime Broker.exe
1064	Runtime Broker.exe
5040	Runtime Broker.exe
2040	Runtime Broker.exe
1572	Runtime Broker.exe
1484	Runtime Broker.exe
4548	Runtime Broker.exe
3932	Runtime Broker.exe
2728	Runtime Broker.exe
2448	Runtime Broker.exe
3624	Runtime Broker.exe
5076	Runtime Broker.exe
4116	Runtime Broker.exe
3244	Runtime Broker.exe
2496	Runtime Broker.exe
1328	Runtime Broker.exe
644	Runtime Broker.exe
3144	Runtime Broker.exe
2124	Runtime Broker.exe
1620	Runtime Broker.exe
4600	Runtime Broker.exe
1072	Runtime Broker.exe
4784	Runtime Broker.exe
3296	Runtime Broker.exe
2940	Runtime Broker.exe
4876	Runtime Broker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4692	schtasks.exe
4552	schtasks.exe
2608	schtasks.exe
4916	schtasks.exe
5076	schtasks.exe
1128	schtasks.exe
628	schtasks.exe
3592	schtasks.exe
4956	schtasks.exe
756	schtasks.exe
744	schtasks.exe
3996	schtasks.exe
836	schtasks.exe
368	schtasks.exe
1952	schtasks.exe
3232	schtasks.exe
4276	schtasks.exe
2940	schtasks.exe
516	schtasks.exe
116	schtasks.exe
3728	schtasks.exe
1988	schtasks.exe
4664	schtasks.exe
5048	schtasks.exe
4660	schtasks.exe
2324	schtasks.exe
2608	schtasks.exe
3136	schtasks.exe
1920	schtasks.exe
1476	schtasks.exe
1852	schtasks.exe
4980	schtasks.exe
1484	schtasks.exe
3848	schtasks.exe
5100	schtasks.exe
756	schtasks.exe
4696	schtasks.exe
4488	schtasks.exe
1820	schtasks.exe
4688	schtasks.exe
4888	schtasks.exe
4508	schtasks.exe
2716	schtasks.exe
4972	schtasks.exe
4808	schtasks.exe
4864	schtasks.exe
2400	schtasks.exe
5028	schtasks.exe
1524	schtasks.exe
3168	schtasks.exe
3592	schtasks.exe

Runs ping.exe 1 TTPs 25 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
2940	PING.EXE
4664	PING.EXE
1408	PING.EXE
3760	PING.EXE
760	PING.EXE
2728	PING.EXE
4724	PING.EXE
2000	PING.EXE
2436	PING.EXE
1328	PING.EXE
1300	PING.EXE
1256	PING.EXE
4188	PING.EXE
4360	PING.EXE
4376	PING.EXE
3236	PING.EXE
1624	PING.EXE
4808	PING.EXE
3100	PING.EXE
2480	PING.EXE
1648	PING.EXE
1776	PING.EXE
4008	PING.EXE
1036	PING.EXE
748	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Runtime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exe

pid process

1984 Runtime Broker.exe
3276 Runtime Broker.exe
4192 Runtime Broker.exe
2968 Runtime Broker.exe

pid	process
1984	Runtime Broker.exe
3276	Runtime Broker.exe
4192	Runtime Broker.exe
2968	Runtime Broker.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	4516	Runtime Broker.exe
Token: SeDebugPrivilege	3160	Runtime Broker.exe
Token: SeDebugPrivilege	2708	Runtime Broker.exe
Token: SeDebugPrivilege	3148	Runtime Broker.exe
Token: SeDebugPrivilege	3780	Runtime Broker.exe
Token: SeDebugPrivilege	4856	Runtime Broker.exe
Token: SeDebugPrivilege	4036	Runtime Broker.exe
Token: SeDebugPrivilege	2328	Runtime Broker.exe
Token: SeDebugPrivilege	2740	Runtime Broker.exe
Token: SeDebugPrivilege	2700	Runtime Broker.exe
Token: SeDebugPrivilege	3944	Runtime Broker.exe
Token: SeDebugPrivilege	3268	Runtime Broker.exe
Token: SeDebugPrivilege	3880	Runtime Broker.exe
Token: SeDebugPrivilege	4516	Runtime Broker.exe
Token: SeDebugPrivilege	2928	Runtime Broker.exe
Token: SeDebugPrivilege	3780	Runtime Broker.exe
Token: SeDebugPrivilege	1396	Runtime Broker.exe
Token: SeDebugPrivilege	828	Runtime Broker.exe
Token: SeDebugPrivilege	3776	Runtime Broker.exe
Token: SeDebugPrivilege	4964	Runtime Broker.exe
Token: SeDebugPrivilege	3540	Runtime Broker.exe
Token: SeDebugPrivilege	396	Runtime Broker.exe
Token: SeDebugPrivilege	1456	Runtime Broker.exe
Token: SeDebugPrivilege	972	Runtime Broker.exe
Token: SeDebugPrivilege	1040	Runtime Broker.exe
Token: SeDebugPrivilege	4804	Runtime Broker.exe
Token: SeDebugPrivilege	3268	Runtime Broker.exe
Token: SeDebugPrivilege	2912	Runtime Broker.exe
Token: SeDebugPrivilege	4708	Runtime Broker.exe
Token: SeDebugPrivilege	1484	Runtime Broker.exe
Token: SeDebugPrivilege	3880	Runtime Broker.exe
Token: SeDebugPrivilege	3696	Runtime Broker.exe
Token: SeDebugPrivilege	1984	Runtime Broker.exe
Token: SeDebugPrivilege	4544	Runtime Broker.exe
Token: SeDebugPrivilege	3276	Runtime Broker.exe
Token: SeDebugPrivilege	4428	Runtime Broker.exe
Token: SeDebugPrivilege	4192	Runtime Broker.exe
Token: SeDebugPrivilege	4880	Runtime Broker.exe
Token: SeDebugPrivilege	3440	Runtime Broker.exe
Token: SeDebugPrivilege	3536	Runtime Broker.exe
Token: SeDebugPrivilege	1064	Runtime Broker.exe
Token: SeDebugPrivilege	5040	Runtime Broker.exe
Token: SeDebugPrivilege	2040	Runtime Broker.exe
Token: SeDebugPrivilege	1572	Runtime Broker.exe
Token: SeDebugPrivilege	1484	Runtime Broker.exe
Token: SeDebugPrivilege	4548	Runtime Broker.exe
Token: SeDebugPrivilege	3932	Runtime Broker.exe
Token: SeDebugPrivilege	2728	Runtime Broker.exe
Token: SeDebugPrivilege	2448	Runtime Broker.exe
Token: SeDebugPrivilege	3624	Runtime Broker.exe
Token: SeDebugPrivilege	5076	Runtime Broker.exe
Token: SeDebugPrivilege	4116	Runtime Broker.exe
Token: SeDebugPrivilege	3244	Runtime Broker.exe
Token: SeDebugPrivilege	2496	Runtime Broker.exe
Token: SeDebugPrivilege	1328	Runtime Broker.exe
Token: SeDebugPrivilege	644	Runtime Broker.exe
Token: SeDebugPrivilege	3144	Runtime Broker.exe
Token: SeDebugPrivilege	2124	Runtime Broker.exe
Token: SeDebugPrivilege	1620	Runtime Broker.exe
Token: SeDebugPrivilege	4600	Runtime Broker.exe
Token: SeDebugPrivilege	1072	Runtime Broker.exe
Token: SeDebugPrivilege	4784	Runtime Broker.exe
Token: SeDebugPrivilege	3296	Runtime Broker.exe
Token: SeDebugPrivilege	2940	Runtime Broker.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

Runtime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exeRuntime Broker.exe

pid	process
2708	Runtime Broker.exe
3268	Runtime Broker.exe
2912	Runtime Broker.exe
3536	Runtime Broker.exe
3244	Runtime Broker.exe
4876	Runtime Broker.exe
516	Runtime Broker.exe
904	Runtime Broker.exe
4464	Runtime Broker.exe
4844	Runtime Broker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Lypha-Builder.exeLypha-Builder.exeRuntime Broker.exeRuntime Broker.exeLypha-Builder.exeRuntime Broker.exeLypha-Builder.exeLypha-Builder.exeLypha-Builder.exeLypha-Builder.exeLypha-Builder.execmd.exeLypha-Builder.exeRuntime Broker.exeRuntime Broker.exeLypha-Builder.exeLypha-Builder.exe

description	pid	process	target process
PID 3056 wrote to memory of 3224	3056	Lypha-Builder.exe	Lypha-Builder.exe
PID 3056 wrote to memory of 3224	3056	Lypha-Builder.exe	Lypha-Builder.exe
PID 3056 wrote to memory of 4516	3056	Lypha-Builder.exe	Runtime Broker.exe
PID 3056 wrote to memory of 4516	3056	Lypha-Builder.exe	Runtime Broker.exe
PID 3224 wrote to memory of 2968	3224	Lypha-Builder.exe	Lypha-Builder.exe
PID 3224 wrote to memory of 2968	3224	Lypha-Builder.exe	Lypha-Builder.exe
PID 3224 wrote to memory of 3160	3224	Lypha-Builder.exe	Runtime Broker.exe
PID 3224 wrote to memory of 3160	3224	Lypha-Builder.exe	Runtime Broker.exe
PID 4516 wrote to memory of 3996	4516	Runtime Broker.exe	schtasks.exe
PID 4516 wrote to memory of 3996	4516	Runtime Broker.exe	schtasks.exe
PID 3160 wrote to memory of 5048	3160	Runtime Broker.exe	schtasks.exe
PID 3160 wrote to memory of 5048	3160	Runtime Broker.exe	schtasks.exe
PID 4516 wrote to memory of 3148	4516	Runtime Broker.exe	Runtime Broker.exe
PID 4516 wrote to memory of 3148	4516	Runtime Broker.exe	Runtime Broker.exe
PID 3160 wrote to memory of 2708	3160	Runtime Broker.exe	Runtime Broker.exe
PID 3160 wrote to memory of 2708	3160	Runtime Broker.exe	Runtime Broker.exe
PID 2968 wrote to memory of 2248	2968	Lypha-Builder.exe	Lypha-Builder.exe
PID 2968 wrote to memory of 2248	2968	Lypha-Builder.exe	Lypha-Builder.exe
PID 2968 wrote to memory of 3780	2968	Lypha-Builder.exe	Runtime Broker.exe
PID 2968 wrote to memory of 3780	2968	Lypha-Builder.exe	Runtime Broker.exe
PID 2708 wrote to memory of 4980	2708	Runtime Broker.exe	schtasks.exe
PID 2708 wrote to memory of 4980	2708	Runtime Broker.exe	schtasks.exe
PID 2248 wrote to memory of 3356	2248	Lypha-Builder.exe	Lypha-Builder.exe
PID 2248 wrote to memory of 3356	2248	Lypha-Builder.exe	Lypha-Builder.exe
PID 2248 wrote to memory of 4856	2248	Lypha-Builder.exe	Runtime Broker.exe
PID 2248 wrote to memory of 4856	2248	Lypha-Builder.exe	Runtime Broker.exe
PID 3356 wrote to memory of 4188	3356	Lypha-Builder.exe	Lypha-Builder.exe
PID 3356 wrote to memory of 4188	3356	Lypha-Builder.exe	Lypha-Builder.exe
PID 3356 wrote to memory of 4036	3356	Lypha-Builder.exe	Runtime Broker.exe
PID 3356 wrote to memory of 4036	3356	Lypha-Builder.exe	Runtime Broker.exe
PID 4188 wrote to memory of 3756	4188	Lypha-Builder.exe	Lypha-Builder.exe
PID 4188 wrote to memory of 3756	4188	Lypha-Builder.exe	Lypha-Builder.exe
PID 4188 wrote to memory of 2328	4188	Lypha-Builder.exe	Runtime Broker.exe
PID 4188 wrote to memory of 2328	4188	Lypha-Builder.exe	Runtime Broker.exe
PID 3756 wrote to memory of 2196	3756	Lypha-Builder.exe	Lypha-Builder.exe
PID 3756 wrote to memory of 2196	3756	Lypha-Builder.exe	Lypha-Builder.exe
PID 3756 wrote to memory of 2740	3756	Lypha-Builder.exe	Runtime Broker.exe
PID 3756 wrote to memory of 2740	3756	Lypha-Builder.exe	Runtime Broker.exe
PID 2196 wrote to memory of 1896	2196	Lypha-Builder.exe	Lypha-Builder.exe
PID 2196 wrote to memory of 1896	2196	Lypha-Builder.exe	Lypha-Builder.exe
PID 2196 wrote to memory of 2700	2196	Lypha-Builder.exe	Runtime Broker.exe
PID 2196 wrote to memory of 2700	2196	Lypha-Builder.exe	Runtime Broker.exe
PID 2708 wrote to memory of 4696	2708	Runtime Broker.exe	cmd.exe
PID 2708 wrote to memory of 4696	2708	Runtime Broker.exe	cmd.exe
PID 4696 wrote to memory of 532	4696	cmd.exe	chcp.com
PID 4696 wrote to memory of 532	4696	cmd.exe	chcp.com
PID 4696 wrote to memory of 2940	4696	cmd.exe	PING.EXE
PID 4696 wrote to memory of 2940	4696	cmd.exe	PING.EXE
PID 1896 wrote to memory of 4904	1896	Lypha-Builder.exe	Lypha-Builder.exe
PID 1896 wrote to memory of 4904	1896	Lypha-Builder.exe	Lypha-Builder.exe
PID 1896 wrote to memory of 3944	1896	Lypha-Builder.exe	Runtime Broker.exe
PID 1896 wrote to memory of 3944	1896	Lypha-Builder.exe	Runtime Broker.exe
PID 3944 wrote to memory of 4956	3944	Runtime Broker.exe	schtasks.exe
PID 3944 wrote to memory of 4956	3944	Runtime Broker.exe	schtasks.exe
PID 3944 wrote to memory of 3268	3944	Runtime Broker.exe	Runtime Broker.exe
PID 3944 wrote to memory of 3268	3944	Runtime Broker.exe	Runtime Broker.exe
PID 3268 wrote to memory of 1820	3268	Runtime Broker.exe	schtasks.exe
PID 3268 wrote to memory of 1820	3268	Runtime Broker.exe	schtasks.exe
PID 4904 wrote to memory of 2068	4904	Lypha-Builder.exe	Lypha-Builder.exe
PID 4904 wrote to memory of 2068	4904	Lypha-Builder.exe	Lypha-Builder.exe
PID 4904 wrote to memory of 3880	4904	Lypha-Builder.exe	Runtime Broker.exe
PID 4904 wrote to memory of 3880	4904	Lypha-Builder.exe	Runtime Broker.exe
PID 2068 wrote to memory of 3748	2068	Lypha-Builder.exe	Lypha-Builder.exe
PID 2068 wrote to memory of 3748	2068	Lypha-Builder.exe	Lypha-Builder.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3056

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3224

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2968

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2248

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:3356

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
6⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4188

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
7⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3756

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
8⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2196

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
9⤵
- Suspicious use of WriteProcessMemory
PID:1896

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
10⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4904

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
11⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2068

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
12⤵
PID:3748

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
13⤵
- Checks computer location settings
PID:1996

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
14⤵
PID:2476

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
15⤵
- Checks computer location settings
PID:2036

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
16⤵
PID:2764

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
17⤵
- Checks computer location settings
PID:1460

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
18⤵
PID:3528

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
19⤵
- Checks computer location settings
PID:4880

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
20⤵
- Checks computer location settings
PID:2328

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
21⤵
PID:4088

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
22⤵
- Checks computer location settings
PID:2448

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
23⤵
- Checks computer location settings
PID:2476

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
24⤵
- Checks computer location settings
PID:4580

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
25⤵
- Checks computer location settings
PID:3772

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
26⤵
- Checks computer location settings
PID:4560

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
27⤵
- Checks computer location settings
PID:1328

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
28⤵
- Checks computer location settings
PID:2480

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
29⤵
- Checks computer location settings
PID:1460

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
30⤵
PID:3840

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
31⤵
- Checks computer location settings
PID:2556

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
32⤵
- Checks computer location settings
PID:332

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
33⤵
- Checks computer location settings
PID:2352

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
34⤵
- Checks computer location settings
PID:1928

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
35⤵
- Checks computer location settings
PID:4536

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
36⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
37⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
38⤵
PID:3240

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
39⤵
- Checks computer location settings
PID:4612

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
40⤵
- Checks computer location settings
PID:1472

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
41⤵
PID:3984

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
42⤵
PID:2124

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
43⤵
- Checks computer location settings
PID:1128

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
44⤵
- Checks computer location settings
PID:3916

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
45⤵
- Checks computer location settings
PID:996

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
46⤵
- Checks computer location settings
PID:440

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
47⤵
PID:2648

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
48⤵
PID:4972

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
49⤵
- Checks computer location settings
PID:4596

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
50⤵
- Checks computer location settings
PID:3520

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
51⤵
- Checks computer location settings
PID:908

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
52⤵
- Checks computer location settings
PID:776

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
53⤵
PID:644

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
54⤵
- Checks computer location settings
PID:1612

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
55⤵
- Checks computer location settings
PID:632

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
56⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
57⤵
- Checks computer location settings
PID:4508

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
58⤵
PID:3304

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
59⤵
- Checks computer location settings
PID:3288

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
60⤵
- Checks computer location settings
PID:908

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
61⤵
PID:3136

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
62⤵
- Checks computer location settings
PID:348

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
63⤵
- Checks computer location settings
PID:1640

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
64⤵
- Checks computer location settings
PID:4488

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
65⤵
- Checks computer location settings
PID:2452

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
66⤵
- Checks computer location settings
PID:3172

C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Lypha-Builder.exe"
67⤵
PID:4516

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
67⤵
PID:3288

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
66⤵
PID:3304

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
65⤵
PID:3240

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
64⤵
PID:4596

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
65⤵
- Creates scheduled task(s)
PID:3592

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
65⤵
- Suspicious use of SetWindowsHookEx
PID:4844

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
66⤵
- Creates scheduled task(s)
PID:1920

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
63⤵
PID:764

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
64⤵
- Creates scheduled task(s)
PID:2716

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
64⤵
- Checks computer location settings
PID:1452

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
65⤵
- Creates scheduled task(s)
PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wkXKc22LSlO3.bat" "
65⤵
PID:4876

C:\Windows\system32\chcp.com
chcp 65001
66⤵
PID:4560

C:\Windows\system32\PING.EXE
ping -n 10 localhost
66⤵
- Runs ping.exe
PID:1648

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
62⤵
PID:4448

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
63⤵
- Creates scheduled task(s)
PID:3232

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
63⤵
- Checks computer location settings
PID:4260

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
64⤵
- Creates scheduled task(s)
PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jWTgd1puwKT2.bat" "
64⤵
PID:4988

C:\Windows\system32\chcp.com
chcp 65001
65⤵
PID:3536

C:\Windows\system32\PING.EXE
ping -n 10 localhost
65⤵
- Runs ping.exe
PID:1328

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
65⤵
PID:1632

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
61⤵
PID:4800

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
60⤵
PID:1792

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
59⤵
PID:1456

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
58⤵
PID:4744

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
57⤵
PID:4396

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
58⤵
- Creates scheduled task(s)
PID:2400

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
58⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:4464

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
59⤵
- Creates scheduled task(s)
PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fBsHq93w9Kc2.bat" "
59⤵
PID:4792

C:\Windows\system32\chcp.com
chcp 65001
60⤵
PID:3500

C:\Windows\system32\PING.EXE
ping -n 10 localhost
60⤵
- Runs ping.exe
PID:1776

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
60⤵
PID:1052

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
56⤵
PID:2588

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
57⤵
- Creates scheduled task(s)
PID:4664

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
57⤵
- Checks computer location settings
PID:3348

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
58⤵
- Creates scheduled task(s)
PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\v4Knujc5q3kp.bat" "
58⤵
PID:3972

C:\Windows\system32\chcp.com
chcp 65001
59⤵
PID:724

C:\Windows\system32\PING.EXE
ping -n 10 localhost
59⤵
- Runs ping.exe
PID:3760

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
59⤵
PID:4856

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
55⤵
- Suspicious behavior: EnumeratesProcesses
PID:2968

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
54⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
53⤵
PID:3260

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
52⤵
PID:4620

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
51⤵
PID:1456

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
52⤵
- Creates scheduled task(s)
PID:116

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
52⤵
- Suspicious use of SetWindowsHookEx
PID:904

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
53⤵
- Creates scheduled task(s)
PID:2608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wtf415HuDUAJ.bat" "
53⤵
PID:1460

C:\Windows\system32\chcp.com
chcp 65001
54⤵
PID:1328

C:\Windows\system32\PING.EXE
ping -n 10 localhost
54⤵
- Runs ping.exe
PID:3236

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
54⤵
PID:4940

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
50⤵
PID:4628

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
51⤵
- Creates scheduled task(s)
PID:3592

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
51⤵
- Checks computer location settings
PID:1352

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
52⤵
- Creates scheduled task(s)
PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PMzO9mgXUyDG.bat" "
52⤵
PID:4696

C:\Windows\system32\chcp.com
chcp 65001
53⤵
PID:1268

C:\Windows\system32\PING.EXE
ping -n 10 localhost
53⤵
- Runs ping.exe
PID:748

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
53⤵
PID:2476

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
49⤵
PID:2904

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
48⤵
PID:764

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
47⤵
PID:1944

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
46⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
45⤵
PID:4580

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
46⤵
- Creates scheduled task(s)
PID:744

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
46⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:516

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
47⤵
- Creates scheduled task(s)
PID:1852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xRd6nQctwjU1.bat" "
47⤵
PID:4356

C:\Windows\system32\chcp.com
chcp 65001
48⤵
PID:2776

C:\Windows\system32\PING.EXE
ping -n 10 localhost
48⤵
- Runs ping.exe
PID:2480

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
48⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
44⤵
PID:2448

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
45⤵
- Creates scheduled task(s)
PID:1476

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
45⤵
- Checks computer location settings
PID:4708

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
46⤵
- Creates scheduled task(s)
PID:756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zHOzCozhReER.bat" "
46⤵
PID:2588

C:\Windows\system32\chcp.com
chcp 65001
47⤵
PID:3496

C:\Windows\system32\PING.EXE
ping -n 10 localhost
47⤵
- Runs ping.exe
PID:4360

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
47⤵
- Checks computer location settings
PID:532

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
48⤵
- Creates scheduled task(s)
PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bEQXw8RRm9yI.bat" "
48⤵
PID:3500

C:\Windows\system32\chcp.com
chcp 65001
49⤵
PID:4216

C:\Windows\system32\PING.EXE
ping -n 10 localhost
49⤵
- Runs ping.exe
PID:3100

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
49⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
43⤵
PID:4152

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
42⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
41⤵
PID:2932

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
40⤵
PID:912

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
39⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
40⤵
- Creates scheduled task(s)
PID:516

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
40⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4876

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
41⤵
- Creates scheduled task(s)
PID:1952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aV7drPZapwRi.bat" "
41⤵
PID:1288

C:\Windows\system32\chcp.com
chcp 65001
42⤵
PID:3920

C:\Windows\system32\PING.EXE
ping -n 10 localhost
42⤵
- Runs ping.exe
PID:1408

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
42⤵
PID:1004

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
38⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4784

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
39⤵
- Creates scheduled task(s)
PID:5100

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
39⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3296

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
40⤵
- Creates scheduled task(s)
PID:5076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fNyW9AUPA9QZ.bat" "
40⤵
PID:3624

C:\Windows\system32\chcp.com
chcp 65001
41⤵
PID:4744

C:\Windows\system32\PING.EXE
ping -n 10 localhost
41⤵
- Runs ping.exe
PID:4188

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
41⤵
- Checks computer location settings
PID:4396

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
42⤵
- Creates scheduled task(s)
PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fK3rpUUItVZt.bat" "
42⤵
PID:1616

C:\Windows\system32\chcp.com
chcp 65001
43⤵
PID:1444

C:\Windows\system32\PING.EXE
ping -n 10 localhost
43⤵
- Runs ping.exe
PID:4808

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
43⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
37⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
38⤵
- Creates scheduled task(s)
PID:4508

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
38⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
39⤵
- Creates scheduled task(s)
PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0rImd7GT25nw.bat" "
39⤵
PID:688

C:\Windows\system32\chcp.com
chcp 65001
40⤵
PID:628

C:\Windows\system32\PING.EXE
ping -n 10 localhost
40⤵
- Runs ping.exe
PID:1036

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
40⤵
PID:4904

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
36⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
35⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
34⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
33⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
34⤵
- Creates scheduled task(s)
PID:4488

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
34⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3244

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
35⤵
- Creates scheduled task(s)
PID:2940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bsGRTk5jVA7m.bat" "
35⤵
PID:1968

C:\Windows\system32\chcp.com
chcp 65001
36⤵
PID:3212

C:\Windows\system32\PING.EXE
ping -n 10 localhost
36⤵
- Runs ping.exe
PID:1624

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
36⤵
PID:1804

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
32⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
33⤵
- Creates scheduled task(s)
PID:3728

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
33⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5076

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
34⤵
- Creates scheduled task(s)
PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mtjQGD3xPATe.bat" "
34⤵
PID:1064

C:\Windows\system32\chcp.com
chcp 65001
35⤵
PID:368

C:\Windows\system32\PING.EXE
ping -n 10 localhost
35⤵
- Runs ping.exe
PID:2436

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
35⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
31⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
32⤵
- Creates scheduled task(s)
PID:4552

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
32⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2448

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
33⤵
- Creates scheduled task(s)
PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G9nUYsq8YZb4.bat" "
33⤵
PID:2476

C:\Windows\system32\chcp.com
chcp 65001
34⤵
PID:1672

C:\Windows\system32\PING.EXE
ping -n 10 localhost
34⤵
- Runs ping.exe
PID:1256

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
34⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3144

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
30⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
29⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
28⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
27⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
26⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
25⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3440

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
26⤵
- Creates scheduled task(s)
PID:4692

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
26⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3536

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
27⤵
- Creates scheduled task(s)
PID:3136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Fhdehw6vI6xr.bat" "
27⤵
PID:3572

C:\Windows\system32\chcp.com
chcp 65001
28⤵
PID:968

C:\Windows\system32\PING.EXE
ping -n 10 localhost
28⤵
- Runs ping.exe
PID:2000

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
28⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:644

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
24⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4192

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
23⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
22⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
21⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
22⤵
- Creates scheduled task(s)
PID:2608

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
22⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3268

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:4276

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
21⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2912

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
22⤵
- Creates scheduled task(s)
PID:756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FdiB9P3X49or.bat" "
22⤵
PID:3944

C:\Windows\system32\chcp.com
chcp 65001
23⤵
PID:1768

C:\Windows\system32\PING.EXE
ping -n 10 localhost
23⤵
- Runs ping.exe
PID:4008

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
23⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
19⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
20⤵
- Creates scheduled task(s)
PID:3168

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
21⤵
- Creates scheduled task(s)
PID:2324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aO6qbqOaxawj.bat" "
21⤵
PID:640

C:\Windows\system32\chcp.com
chcp 65001
22⤵
PID:2036

C:\Windows\system32\PING.EXE
ping -n 10 localhost
22⤵
- Runs ping.exe
PID:1300

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
22⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
18⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:836

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
19⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:972

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
20⤵
- Creates scheduled task(s)
PID:368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GcI1BpvbzmJU.bat" "
20⤵
PID:4696

C:\Windows\system32\chcp.com
chcp 65001
21⤵
PID:3212

C:\Windows\system32\PING.EXE
ping -n 10 localhost
21⤵
- Runs ping.exe
PID:4724

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
21⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
17⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3540

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
18⤵
- Creates scheduled task(s)
PID:1484

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
18⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
19⤵
- Creates scheduled task(s)
PID:3848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\51IZHGMBDLxx.bat" "
19⤵
PID:3592

C:\Windows\system32\chcp.com
chcp 65001
20⤵
PID:3144

C:\Windows\system32\PING.EXE
ping -n 10 localhost
20⤵
- Runs ping.exe
PID:2728

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
20⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
16⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3776

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
17⤵
- Creates scheduled task(s)
PID:4660

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
17⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
18⤵
- Creates scheduled task(s)
PID:1524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\n5GB6O33sknp.bat" "
18⤵
PID:4340

C:\Windows\system32\chcp.com
chcp 65001
19⤵
PID:756

C:\Windows\system32\PING.EXE
ping -n 10 localhost
19⤵
- Runs ping.exe
PID:760

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
19⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:3880

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
20⤵
- Creates scheduled task(s)
PID:1128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6S6NXqGuQXHy.bat" "
20⤵
PID:748

C:\Windows\system32\chcp.com
chcp 65001
21⤵
PID:3080

C:\Windows\system32\PING.EXE
ping -n 10 localhost
21⤵
- Runs ping.exe
PID:4376

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
21⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
15⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:828

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
14⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
13⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3880

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
11⤵
- Creates scheduled task(s)
PID:4956

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
11⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3268

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
12⤵
- Creates scheduled task(s)
PID:1820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IeW58JcGe6BY.bat" "
12⤵
PID:1920

C:\Windows\system32\chcp.com
chcp 65001
13⤵
PID:2792

C:\Windows\system32\PING.EXE
ping -n 10 localhost
13⤵
- Runs ping.exe
PID:4664

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
13⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4036

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3780

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3160

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:5048

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cIGNObGae6iv.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:4696

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:532

C:\Windows\system32\PING.EXE
ping -n 10 localhost
6⤵
- Runs ping.exe
PID:2940

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3780

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4516

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Runtime Broker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:3996

C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\WD Defender\Runtime Broker.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3148

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Lypha-Builder.exe.log
Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Runtime Broker.exe.log
Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Temp\51IZHGMBDLxx.bat
Filesize
220B

MD5
38dc8d51c3d2cff220730961823bb98d

SHA1
5b799cbf15b9f543ec69649434394ac0aa37208b

SHA256
5eecac9a3dab8e02dec461f8fa2111d6f88613225ffc15436a0f94ca8819b61b

SHA512
ab4a46c85c8d433935582a54649c342d83396da3d4c37c65376ae88604da33296002177bd7e3531df66ce2215979b240bb7d84c34f852c47565fc783dea83950

Download Submit
C:\Users\Admin\AppData\Local\Temp\GcI1BpvbzmJU.bat
Filesize
220B

MD5
dc24d1e05cc70a2d1db4e547c6e4a34f

SHA1
830a808221f0e20bf2e3214313eff2e10377e544

SHA256
d0b3443bb4d7af4f2997457a21a113be2f0752654a0c8d2b1fcca8b3feda229f

SHA512
4448eca52bd2549477019243a2cfffa2e413aaffcc54a9a9716d406b715576ef09162adbc4371067ed31e81fd364ee179256ed1c44de2b4e8a19aa28b55f0c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IeW58JcGe6BY.bat
Filesize
220B

MD5
6a91741a6a256fe14f774fb9228fa98d

SHA1
58b77f1537228388c5c91fef000159f4c67eb10d

SHA256
024c7a3a76470846c3c0180eb496c46286238bdbdff33c110b7be8fde6336232

SHA512
656f03710bc455698504c73fbd561794f83c1ea95265a89cf36e9a989cf0b04d64dbb4b7c2b56da17e88959d545a4735558e8e1a3edd5d632632f2f576b9d231

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
Filesize
3.1MB

MD5
0296021acfb4f37e63df4de7461ebfd9

SHA1
14117dba6ce87cbb6561ebdfffec60cb21860800

SHA256
4fc6d003d67f0a1b3a276018516c6a0fe6301b10efe9e41fccd2e5a645a3333a

SHA512
ffff32821dc347531f6e814df23b1f848df002c33ca83c635bc2fb1d3b810e9c21ffa6da6f0beb1a207f55a9d4048828545d678a8137991d1de2266bcbe1deee

Download Submit
C:\Users\Admin\AppData\Local\Temp\aO6qbqOaxawj.bat
Filesize
220B

MD5
9d4d060a7d0b42696931bbb73537051f

SHA1
f10f6a1ca4374f0b4fc12687fd56bb56be7bd55f

SHA256
adc2221ca71b4d40f7f49187d0dea6394202f32b7b2ef06e471e17881bb1d9f1

SHA512
ae435781f5660674a32270cbd42e18ee73ba84d8b9d05948fb39ec35ccaef74e3b4fa4afa12d0daff1cefdfb892932d21cffdd9c3a104d52786a4009a52613fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIGNObGae6iv.bat
Filesize
220B

MD5
b61e628c7a5f32240e0490782c1a6e02

SHA1
2b82c68f1eaf7cf8c5a1cfb6e2b87a618d965ce8

SHA256
ecc6b37e03ea86e5623487645feb3afe36789d2682ff77639f40671f3bd80c2f

SHA512
2bb64c9b0b735ca17aaecda0488fd42a724bb767e76ad234870e94275e6a5148d6e2b70e23012929ee64025b2bb94dbd860d754da99c38d6b8caa7b92ebc9121

Download Submit
C:\Users\Admin\AppData\Local\Temp\n5GB6O33sknp.bat
Filesize
220B

MD5
2c02fef1e9c3050debabda1b8547345a

SHA1
7e18a822aee92d36e412426ae1a257195d7bfee5

SHA256
096c53334c99a51c16e5b8a7762407f9c55c02b2a7ed6791bdbf679a3a344ebc

SHA512
7f563fdfff7eb55cdebace910d976c09409acc4c7670357681346edec8f8e8f99482402fab36a71be34f9002094db9b2bea923478269220b403a39a268af2c67

Download Submit
memory/2708-45-0x000000001C1D0000-0x000000001C282000-memory.dmp

Filesize
712KB

Download
memory/2708-44-0x000000001C0C0000-0x000000001C110000-memory.dmp

Filesize
320KB

Download
memory/3056-18-0x00007FFBF0A00000-0x00007FFBF14C1000-memory.dmp

Filesize
10.8MB

Download
memory/3056-0-0x0000000000060000-0x00000000001BE000-memory.dmp

Filesize
1.4MB

Download
memory/3056-2-0x00007FFBF0A00000-0x00007FFBF14C1000-memory.dmp

Filesize
10.8MB

Download
memory/3056-1-0x00007FFBF0A03000-0x00007FFBF0A05000-memory.dmp

Filesize
8KB

Download
memory/3224-22-0x00007FFBF0A00000-0x00007FFBF14C1000-memory.dmp

Filesize
10.8MB

Download
memory/3224-19-0x00007FFBF0A00000-0x00007FFBF14C1000-memory.dmp

Filesize
10.8MB

Download
memory/3224-12-0x00007FFBF0A00000-0x00007FFBF14C1000-memory.dmp

Filesize
10.8MB

Download
memory/4516-32-0x00007FFBF0A00000-0x00007FFBF14C1000-memory.dmp

Filesize
10.8MB

Download
memory/4516-16-0x00007FFBF0A00000-0x00007FFBF14C1000-memory.dmp

Filesize
10.8MB

Download
memory/4516-17-0x0000000000140000-0x0000000000464000-memory.dmp

Filesize
3.1MB

Download