Overview

overview

10

Static

static

3

26ea7d480a...ae.exe

windows7-x64

10

26ea7d480a...ae.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-09-2024 19:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    26ea7d480a77e3f9aaa9b52aaaa2e028fea4e286c53905b3e304ec96a34027ae.exe

  • Size

    4.9MB

  • MD5

    60562837aa924e28dab54be5c6decd4a

  • SHA1

    29e02ab31f9d2b86b2fe3b3bea05adbbaaa87990

  • SHA256

    26ea7d480a77e3f9aaa9b52aaaa2e028fea4e286c53905b3e304ec96a34027ae

  • SHA512

    a45d9d38a47b590e051ab9057d89d2f8abd00f4b148fa2c0bc77e0284bdb9ce0833ff3c0f7c7ae5cbbc80b181184e294e2c23d9bcaa41e3970af959c079c2b52

  • SSDEEP

    49152:bl5MTGChZpxtlBBgxchXb/zqP6DUtRgs5q289dAnSz44hnW1XgnYu6fYmPkMSx8E:

Score
10/10
colibridcratbuild1discoveryevasionexecutioninfostealerloaderrattrojan

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php
rc4.plain

Signatures

  • Colibri Loader

    A loader sold as MaaS first seen in August 2021.

    loadercolibri
  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 30 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 51 IoCs
    evasiontrojan
  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 17 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 49 IoCs
  • Checks whether UAC is enabled 1 TTPs 34 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 16 IoCs
  • Drops file in Program Files directory 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 17 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 51 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\26ea7d480a77e3f9aaa9b52aaaa2e028fea4e286c53905b3e304ec96a34027ae.exe
    "C:\Users\Admin\AppData\Local\Temp\26ea7d480a77e3f9aaa9b52aaaa2e028fea4e286c53905b3e304ec96a34027ae.exe"
    1⤵
    • UAC bypass
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2996
    • C:\Users\Admin\AppData\Local\Temp\tmp92DD.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp92DD.tmp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4816
      • C:\Users\Admin\AppData\Local\Temp\tmp92DD.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp92DD.tmp.exe"
        3⤵
        • Executes dropped EXE
        PID:2948
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2888
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3168
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3356
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2680
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4264
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1368
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1384
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1396
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4912
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:916
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4784
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rZs7GmYgEk.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1052
      • C:\Windows\system32\w32tm.exe
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        3⤵
          PID:3820
        • C:\Users\Default\Pictures\RuntimeBroker.exe
          "C:\Users\Default\Pictures\RuntimeBroker.exe"
          3⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2616
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fda6fded-fcb7-4110-873e-6321f4076da6.vbs"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:544
            • C:\Users\Default\Pictures\RuntimeBroker.exe
              C:\Users\Default\Pictures\RuntimeBroker.exe
              5⤵
              • UAC bypass
              • Checks computer location settings
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:4320
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae0d08b9-f408-41d1-a05c-33a12d1ed607.vbs"
                6⤵
                  PID:3504
                  • C:\Users\Default\Pictures\RuntimeBroker.exe
                    C:\Users\Default\Pictures\RuntimeBroker.exe
                    7⤵
                    • UAC bypass
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Modifies registry class
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • System policy modification
                    PID:3240
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\324b703b-23eb-4b0d-a4d7-547760559135.vbs"
                      8⤵
                        PID:992
                        • C:\Users\Default\Pictures\RuntimeBroker.exe
                          C:\Users\Default\Pictures\RuntimeBroker.exe
                          9⤵
                          • UAC bypass
                          • Checks computer location settings
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Modifies registry class
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • System policy modification
                          PID:1864
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93e8c23d-fdb8-4d2e-8e6d-c458a46b5538.vbs"
                            10⤵
                              PID:3936
                              • C:\Users\Default\Pictures\RuntimeBroker.exe
                                C:\Users\Default\Pictures\RuntimeBroker.exe
                                11⤵
                                • UAC bypass
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Checks whether UAC is enabled
                                • Modifies registry class
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                • System policy modification
                                PID:2008
                                • C:\Windows\System32\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9d61a3b-3fca-44e1-a302-d044ebc10936.vbs"
                                  12⤵
                                    PID:4944
                                    • C:\Users\Default\Pictures\RuntimeBroker.exe
                                      C:\Users\Default\Pictures\RuntimeBroker.exe
                                      13⤵
                                      • UAC bypass
                                      • Checks computer location settings
                                      • Executes dropped EXE
                                      • Checks whether UAC is enabled
                                      • Modifies registry class
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      • System policy modification
                                      PID:216
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89b5d60f-131f-426b-ad60-197c9183c022.vbs"
                                        14⤵
                                          PID:4344
                                          • C:\Users\Default\Pictures\RuntimeBroker.exe
                                            C:\Users\Default\Pictures\RuntimeBroker.exe
                                            15⤵
                                            • UAC bypass
                                            • Checks computer location settings
                                            • Executes dropped EXE
                                            • Checks whether UAC is enabled
                                            • Modifies registry class
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            • System policy modification
                                            PID:4512
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac6f063c-91ba-4a7e-9455-b9e87c9c8bff.vbs"
                                              16⤵
                                                PID:3168
                                                • C:\Users\Default\Pictures\RuntimeBroker.exe
                                                  C:\Users\Default\Pictures\RuntimeBroker.exe
                                                  17⤵
                                                  • UAC bypass
                                                  • Checks computer location settings
                                                  • Executes dropped EXE
                                                  • Checks whether UAC is enabled
                                                  • Modifies registry class
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • System policy modification
                                                  PID:396
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba2decca-68ae-4344-9e9b-2519154218a6.vbs"
                                                    18⤵
                                                      PID:3272
                                                      • C:\Users\Default\Pictures\RuntimeBroker.exe
                                                        C:\Users\Default\Pictures\RuntimeBroker.exe
                                                        19⤵
                                                        • UAC bypass
                                                        • Checks computer location settings
                                                        • Executes dropped EXE
                                                        • Checks whether UAC is enabled
                                                        • Modifies registry class
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        • System policy modification
                                                        PID:4328
                                                        • C:\Windows\System32\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1599520-e379-407f-97f6-c584328d8255.vbs"
                                                          20⤵
                                                            PID:1324
                                                            • C:\Users\Default\Pictures\RuntimeBroker.exe
                                                              C:\Users\Default\Pictures\RuntimeBroker.exe
                                                              21⤵
                                                              • UAC bypass
                                                              • Checks computer location settings
                                                              • Executes dropped EXE
                                                              • Checks whether UAC is enabled
                                                              • Modifies registry class
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              • System policy modification
                                                              PID:4412
                                                              • C:\Windows\System32\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99b6baed-ae2c-4c08-a425-08b4cf4ac3cf.vbs"
                                                                22⤵
                                                                  PID:4496
                                                                  • C:\Users\Default\Pictures\RuntimeBroker.exe
                                                                    C:\Users\Default\Pictures\RuntimeBroker.exe
                                                                    23⤵
                                                                    • UAC bypass
                                                                    • Checks computer location settings
                                                                    • Executes dropped EXE
                                                                    • Checks whether UAC is enabled
                                                                    • Modifies registry class
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    • System policy modification
                                                                    PID:4616
                                                                    • C:\Windows\System32\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c16ae515-6a1f-4c6e-876b-9d9d5e53cab7.vbs"
                                                                      24⤵
                                                                        PID:4580
                                                                        • C:\Users\Default\Pictures\RuntimeBroker.exe
                                                                          C:\Users\Default\Pictures\RuntimeBroker.exe
                                                                          25⤵
                                                                          • UAC bypass
                                                                          • Checks computer location settings
                                                                          • Executes dropped EXE
                                                                          • Checks whether UAC is enabled
                                                                          • Modifies registry class
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          • System policy modification
                                                                          PID:2648
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3c065ec-6043-4c73-9f98-f58362ef6d8e.vbs"
                                                                            26⤵
                                                                              PID:4604
                                                                              • C:\Users\Default\Pictures\RuntimeBroker.exe
                                                                                C:\Users\Default\Pictures\RuntimeBroker.exe
                                                                                27⤵
                                                                                • UAC bypass
                                                                                • Checks computer location settings
                                                                                • Executes dropped EXE
                                                                                • Checks whether UAC is enabled
                                                                                • Modifies registry class
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                • System policy modification
                                                                                PID:4764
                                                                                • C:\Windows\System32\WScript.exe
                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b20cbcce-515b-484b-add6-080d2e479eba.vbs"
                                                                                  28⤵
                                                                                    PID:2544
                                                                                    • C:\Users\Default\Pictures\RuntimeBroker.exe
                                                                                      C:\Users\Default\Pictures\RuntimeBroker.exe
                                                                                      29⤵
                                                                                      • UAC bypass
                                                                                      • Checks computer location settings
                                                                                      • Executes dropped EXE
                                                                                      • Checks whether UAC is enabled
                                                                                      • Modifies registry class
                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      • System policy modification
                                                                                      PID:2176
                                                                                      • C:\Windows\System32\WScript.exe
                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0530053-40d4-4806-a5be-8d623802f2c8.vbs"
                                                                                        30⤵
                                                                                          PID:1088
                                                                                          • C:\Users\Default\Pictures\RuntimeBroker.exe
                                                                                            C:\Users\Default\Pictures\RuntimeBroker.exe
                                                                                            31⤵
                                                                                            • UAC bypass
                                                                                            • Checks computer location settings
                                                                                            • Executes dropped EXE
                                                                                            • Checks whether UAC is enabled
                                                                                            • Modifies registry class
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            • System policy modification
                                                                                            PID:2312
                                                                                            • C:\Windows\System32\WScript.exe
                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d82f373-4c6b-46be-8765-a43b1919e4e4.vbs"
                                                                                              32⤵
                                                                                                PID:3764
                                                                                                • C:\Users\Default\Pictures\RuntimeBroker.exe
                                                                                                  C:\Users\Default\Pictures\RuntimeBroker.exe
                                                                                                  33⤵
                                                                                                  • UAC bypass
                                                                                                  • Checks computer location settings
                                                                                                  • Executes dropped EXE
                                                                                                  • Checks whether UAC is enabled
                                                                                                  • Modifies registry class
                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  • System policy modification
                                                                                                  PID:536
                                                                                                  • C:\Windows\System32\WScript.exe
                                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca0db0e2-73aa-4ef7-b2d9-2d8da6c36f82.vbs"
                                                                                                    34⤵
                                                                                                      PID:1080
                                                                                                    • C:\Windows\System32\WScript.exe
                                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae010d0a-fa3b-49bf-87e5-2e25106a63f2.vbs"
                                                                                                      34⤵
                                                                                                        PID:748
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\tmpC366.tmp.exe
                                                                                                        "C:\Users\Admin\AppData\Local\Temp\tmpC366.tmp.exe"
                                                                                                        34⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Suspicious use of SetThreadContext
                                                                                                        • System Location Discovery: System Language Discovery
                                                                                                        PID:2104
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\tmpC366.tmp.exe
                                                                                                          "C:\Users\Admin\AppData\Local\Temp\tmpC366.tmp.exe"
                                                                                                          35⤵
                                                                                                          • Executes dropped EXE
                                                                                                          PID:4132
                                                                                                  • C:\Windows\System32\WScript.exe
                                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf3ccb7d-53ab-418c-bb91-bf56a2c11d98.vbs"
                                                                                                    32⤵
                                                                                                      PID:3168
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\tmp92FF.tmp.exe
                                                                                                      "C:\Users\Admin\AppData\Local\Temp\tmp92FF.tmp.exe"
                                                                                                      32⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • Suspicious use of SetThreadContext
                                                                                                      • System Location Discovery: System Language Discovery
                                                                                                      PID:1908
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\tmp92FF.tmp.exe
                                                                                                        "C:\Users\Admin\AppData\Local\Temp\tmp92FF.tmp.exe"
                                                                                                        33⤵
                                                                                                        • Executes dropped EXE
                                                                                                        PID:2648
                                                                                                • C:\Windows\System32\WScript.exe
                                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4abbc5e9-2fa4-4bb9-ab90-bb7ea4298c0c.vbs"
                                                                                                  30⤵
                                                                                                    PID:2564
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\tmp768E.tmp.exe
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\tmp768E.tmp.exe"
                                                                                                    30⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Suspicious use of SetThreadContext
                                                                                                    • System Location Discovery: System Language Discovery
                                                                                                    PID:2740
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\tmp768E.tmp.exe
                                                                                                      "C:\Users\Admin\AppData\Local\Temp\tmp768E.tmp.exe"
                                                                                                      31⤵
                                                                                                      • Executes dropped EXE
                                                                                                      PID:4016
                                                                                              • C:\Windows\System32\WScript.exe
                                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\963221ce-f782-4c70-8ca0-41d5250d021c.vbs"
                                                                                                28⤵
                                                                                                  PID:3272
                                                                                                • C:\Users\Admin\AppData\Local\Temp\tmp5B16.tmp.exe
                                                                                                  "C:\Users\Admin\AppData\Local\Temp\tmp5B16.tmp.exe"
                                                                                                  28⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • Suspicious use of SetThreadContext
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  PID:4416
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\tmp5B16.tmp.exe
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\tmp5B16.tmp.exe"
                                                                                                    29⤵
                                                                                                    • Executes dropped EXE
                                                                                                    PID:4312
                                                                                            • C:\Windows\System32\WScript.exe
                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\198ca149-b496-4faa-bcc3-5d8995214238.vbs"
                                                                                              26⤵
                                                                                                PID:1072
                                                                                          • C:\Windows\System32\WScript.exe
                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4fe45aaa-2578-4f17-a0b6-fb07798d0365.vbs"
                                                                                            24⤵
                                                                                              PID:4760
                                                                                            • C:\Users\Admin\AppData\Local\Temp\tmp230F.tmp.exe
                                                                                              "C:\Users\Admin\AppData\Local\Temp\tmp230F.tmp.exe"
                                                                                              24⤵
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious use of SetThreadContext
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:3116
                                                                                              • C:\Users\Admin\AppData\Local\Temp\tmp230F.tmp.exe
                                                                                                "C:\Users\Admin\AppData\Local\Temp\tmp230F.tmp.exe"
                                                                                                25⤵
                                                                                                • Executes dropped EXE
                                                                                                PID:864
                                                                                        • C:\Windows\System32\WScript.exe
                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f56b73cd-cc2e-40a6-a689-f3abcddf632d.vbs"
                                                                                          22⤵
                                                                                            PID:4904
                                                                                          • C:\Users\Admin\AppData\Local\Temp\tmp6AD.tmp.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\tmp6AD.tmp.exe"
                                                                                            22⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious use of SetThreadContext
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            PID:1716
                                                                                            • C:\Users\Admin\AppData\Local\Temp\tmp6AD.tmp.exe
                                                                                              "C:\Users\Admin\AppData\Local\Temp\tmp6AD.tmp.exe"
                                                                                              23⤵
                                                                                              • Executes dropped EXE
                                                                                              PID:3912
                                                                                      • C:\Windows\System32\WScript.exe
                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41518755-c766-4457-9a35-841270b06d30.vbs"
                                                                                        20⤵
                                                                                          PID:3760
                                                                                        • C:\Users\Admin\AppData\Local\Temp\tmpEAA9.tmp.exe
                                                                                          "C:\Users\Admin\AppData\Local\Temp\tmpEAA9.tmp.exe"
                                                                                          20⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of SetThreadContext
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:4416
                                                                                          • C:\Users\Admin\AppData\Local\Temp\tmpEAA9.tmp.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\tmpEAA9.tmp.exe"
                                                                                            21⤵
                                                                                            • Executes dropped EXE
                                                                                            PID:628
                                                                                    • C:\Windows\System32\WScript.exe
                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a6b12fa-db87-474f-bfe2-77327234ebba.vbs"
                                                                                      18⤵
                                                                                        PID:448
                                                                                      • C:\Users\Admin\AppData\Local\Temp\tmpCF70.tmp.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\tmpCF70.tmp.exe"
                                                                                        18⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious use of SetThreadContext
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        PID:4604
                                                                                        • C:\Users\Admin\AppData\Local\Temp\tmpCF70.tmp.exe
                                                                                          "C:\Users\Admin\AppData\Local\Temp\tmpCF70.tmp.exe"
                                                                                          19⤵
                                                                                          • Executes dropped EXE
                                                                                          PID:5032
                                                                                  • C:\Windows\System32\WScript.exe
                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d5d1170-17ae-4f44-b9c7-b71a650ca037.vbs"
                                                                                    16⤵
                                                                                      PID:3524
                                                                                    • C:\Users\Admin\AppData\Local\Temp\tmpB244.tmp.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\tmpB244.tmp.exe"
                                                                                      16⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of SetThreadContext
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:4208
                                                                                      • C:\Users\Admin\AppData\Local\Temp\tmpB244.tmp.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\tmpB244.tmp.exe"
                                                                                        17⤵
                                                                                        • Executes dropped EXE
                                                                                        PID:1048
                                                                                • C:\Windows\System32\WScript.exe
                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1020261-07e5-4cba-b8fa-23388aed1bb1.vbs"
                                                                                  14⤵
                                                                                    PID:3140
                                                                                  • C:\Users\Admin\AppData\Local\Temp\tmp81DD.tmp.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\tmp81DD.tmp.exe"
                                                                                    14⤵
                                                                                    • Executes dropped EXE
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    PID:2680
                                                                                    • C:\Users\Admin\AppData\Local\Temp\tmp81DD.tmp.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\tmp81DD.tmp.exe"
                                                                                      15⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of SetThreadContext
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:4396
                                                                                      • C:\Users\Admin\AppData\Local\Temp\tmp81DD.tmp.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\tmp81DD.tmp.exe"
                                                                                        16⤵
                                                                                        • Executes dropped EXE
                                                                                        PID:4100
                                                                              • C:\Windows\System32\WScript.exe
                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41e23d23-b62d-435d-8419-70356e2205d6.vbs"
                                                                                12⤵
                                                                                  PID:4192
                                                                                • C:\Users\Admin\AppData\Local\Temp\tmp652D.tmp.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\tmp652D.tmp.exe"
                                                                                  12⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious use of SetThreadContext
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:4484
                                                                                  • C:\Users\Admin\AppData\Local\Temp\tmp652D.tmp.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\tmp652D.tmp.exe"
                                                                                    13⤵
                                                                                    • Executes dropped EXE
                                                                                    PID:4328
                                                                            • C:\Windows\System32\WScript.exe
                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8cd3bfd6-0b4a-4283-9642-e6e8b8f32280.vbs"
                                                                              10⤵
                                                                                PID:3748
                                                                              • C:\Users\Admin\AppData\Local\Temp\tmp3544.tmp.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\tmp3544.tmp.exe"
                                                                                10⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious use of SetThreadContext
                                                                                • System Location Discovery: System Language Discovery
                                                                                PID:3928
                                                                                • C:\Users\Admin\AppData\Local\Temp\tmp3544.tmp.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\tmp3544.tmp.exe"
                                                                                  11⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:1696
                                                                          • C:\Windows\System32\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b410278-d080-4850-a4d8-d94591ceef31.vbs"
                                                                            8⤵
                                                                              PID:1828
                                                                            • C:\Users\Admin\AppData\Local\Temp\tmp51C.tmp.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\tmp51C.tmp.exe"
                                                                              8⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetThreadContext
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:4872
                                                                              • C:\Users\Admin\AppData\Local\Temp\tmp51C.tmp.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\tmp51C.tmp.exe"
                                                                                9⤵
                                                                                • Executes dropped EXE
                                                                                PID:916
                                                                        • C:\Windows\System32\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\40ef4e89-a125-4807-b5ee-4312ac47b1fb.vbs"
                                                                          6⤵
                                                                            PID:3520
                                                                          • C:\Users\Admin\AppData\Local\Temp\tmpE7DF.tmp.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\tmpE7DF.tmp.exe"
                                                                            6⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of SetThreadContext
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Suspicious use of WriteProcessMemory
                                                                            PID:3028
                                                                            • C:\Users\Admin\AppData\Local\Temp\tmpE7DF.tmp.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\tmpE7DF.tmp.exe"
                                                                              7⤵
                                                                              • Executes dropped EXE
                                                                              PID:4484
                                                                      • C:\Windows\System32\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20be505e-197c-4937-836b-32c60d2b8412.vbs"
                                                                        4⤵
                                                                          PID:1648
                                                                        • C:\Users\Admin\AppData\Local\Temp\tmpCB5E.tmp.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\tmpCB5E.tmp.exe"
                                                                          4⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of SetThreadContext
                                                                          • System Location Discovery: System Language Discovery
                                                                          • Suspicious use of WriteProcessMemory
                                                                          PID:3852
                                                                          • C:\Users\Admin\AppData\Local\Temp\tmpCB5E.tmp.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\tmpCB5E.tmp.exe"
                                                                            5⤵
                                                                            • Executes dropped EXE
                                                                            PID:4964
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:2376
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:2724
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:3740
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\dllhost.exe'" /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:3736
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Desktop\dllhost.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:3636
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Desktop\dllhost.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:1664
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\sysmon.exe'" /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:4028
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\sysmon.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:4060
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\sysmon.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:3048
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:3492
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:1096
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:64
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\unsecapp.exe'" /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:4968
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Public\Libraries\unsecapp.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:1004
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Libraries\unsecapp.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:4524
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Users\Default\AppData\Roaming\upfc.exe'" /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:2280
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\upfc.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:2732
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Users\Default\AppData\Roaming\upfc.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:1560
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\explorer.exe'" /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:1928
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\explorer.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:2616
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\explorer.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:2708
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office16\smss.exe'" /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:4520
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\smss.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:2200
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office16\smss.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:3596
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\services.exe'" /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:2540
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\services.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:2964
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\services.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:3504
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:4428
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:3252
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Pictures\RuntimeBroker.exe'" /rl HIGHEST /f
                                                                    1⤵
                                                                    • Process spawned unexpected child process
                                                                    • Scheduled Task/Job: Scheduled Task
                                                                    PID:1204

                                                                  Network

                                                                  MITRE ATT&CK Enterprise v15

                                                                  Replay Monitor

                                                                  Loading Replay Monitor...

                                                                  Downloads

                                                                  • C:\Program Files\Microsoft Office\Office16\smss.exe
                                                                    Filesize

                                                                    4.9MB

                                                                    MD5

                                                                    693358487611380e25c4aedbc722164a

                                                                    SHA1

                                                                    0948d8209fb08c8df2747fa1a71e87198a7c7a19

                                                                    SHA256

                                                                    e5cb16c62c1e9c6b7dff9e4768230410aa50d371e0a68913913ac14824837d62

                                                                    SHA512

                                                                    0abfe6faef49da0aa05c3ce7c08f12dbefe1e0a170239a815eb513ac2cdcdf4515c25959464e9d1f58392d34f28100c6eb2750df83b5771933f793c2baab7eed

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log
                                                                    Filesize

                                                                    1KB

                                                                    MD5

                                                                    4a667f150a4d1d02f53a9f24d89d53d1

                                                                    SHA1

                                                                    306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

                                                                    SHA256

                                                                    414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

                                                                    SHA512

                                                                    4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                                    Filesize

                                                                    2KB

                                                                    MD5

                                                                    440cb38dbee06645cc8b74d51f6e5f71

                                                                    SHA1

                                                                    d7e61da91dc4502e9ae83281b88c1e48584edb7c

                                                                    SHA256

                                                                    8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

                                                                    SHA512

                                                                    3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                    Filesize

                                                                    944B

                                                                    MD5

                                                                    4d8567f2d1c8a09bbfe613145bf78577

                                                                    SHA1

                                                                    f2af10d629e6d7d2ecec76c34bd755ecf61be931

                                                                    SHA256

                                                                    7437b098af4618fbcefe7522942c862aeaf39a0b82ce05b0797185c552f22a3c

                                                                    SHA512

                                                                    89130e5c514e33f5108e308f300614dc63989f3e6a4e762a12982af341ab1c5748dd93fd185698dcf6d3a1ea7234228d04ad962e4ee0a15a683e988f115a84ea

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                    Filesize

                                                                    944B

                                                                    MD5

                                                                    6d3e9c29fe44e90aae6ed30ccf799ca8

                                                                    SHA1

                                                                    c7974ef72264bbdf13a2793ccf1aed11bc565dce

                                                                    SHA256

                                                                    2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

                                                                    SHA512

                                                                    60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                    Filesize

                                                                    944B

                                                                    MD5

                                                                    2e907f77659a6601fcc408274894da2e

                                                                    SHA1

                                                                    9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

                                                                    SHA256

                                                                    385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

                                                                    SHA512

                                                                    34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                    Filesize

                                                                    944B

                                                                    MD5

                                                                    3a6bad9528f8e23fb5c77fbd81fa28e8

                                                                    SHA1

                                                                    f127317c3bc6407f536c0f0600dcbcf1aabfba36

                                                                    SHA256

                                                                    986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

                                                                    SHA512

                                                                    846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                    Filesize

                                                                    944B

                                                                    MD5

                                                                    d28a889fd956d5cb3accfbaf1143eb6f

                                                                    SHA1

                                                                    157ba54b365341f8ff06707d996b3635da8446f7

                                                                    SHA256

                                                                    21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

                                                                    SHA512

                                                                    0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\20be505e-197c-4937-836b-32c60d2b8412.vbs
                                                                    Filesize

                                                                    495B

                                                                    MD5

                                                                    fe14947b024d89e48c89ee0818874f86

                                                                    SHA1

                                                                    5f87585c44a578df55411650c566ec4db0e4f424

                                                                    SHA256

                                                                    93868d0a5f1df8bf4d3a21fdd9898920830b746afc06981ede8298217b53a362

                                                                    SHA512

                                                                    1570feb6c27698b909cd957a4676b29961ec72073035bdf5374d93ceddb35b8478ce18bd8937329dde44251774a4ca5f0288340380801926cb0471facb2e5513

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\324b703b-23eb-4b0d-a4d7-547760559135.vbs
                                                                    Filesize

                                                                    719B

                                                                    MD5

                                                                    888324b0b2a798ac0d72ffa665ef6519

                                                                    SHA1

                                                                    a40500f7a3955d930e0b5614823edccab0de624f

                                                                    SHA256

                                                                    f3905a21b6dfb7e0ebfb4627c5a22dce73d99f2168c2b729f87103a8a5d651f7

                                                                    SHA512

                                                                    27cba7f5ba7bc6988e3a3dc73370811a41340ec265b5246ca9da3f52e6949e080ce49481a66c620d761d01afd5d992661b97d462445e9d1ffcd17bb0427ce5ea

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\89b5d60f-131f-426b-ad60-197c9183c022.vbs
                                                                    Filesize

                                                                    718B

                                                                    MD5

                                                                    2b49a80a684058cee8ae8cf551447aa4

                                                                    SHA1

                                                                    dc0ce29bf5b7207861f01ae1db4c293272e01501

                                                                    SHA256

                                                                    73555e5ba35746e5b55661a9c586a866eb4d2a3f96d1e7b4b7dda08dc9648351

                                                                    SHA512

                                                                    bbd3fb3bc9614f3490c62370a308942b5fb94209fbf377d1b4d3047010417cda9643a01025622730fcb38a7bd7728ce051fe6666ef499095056f91f8a03c3e55

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\93e8c23d-fdb8-4d2e-8e6d-c458a46b5538.vbs
                                                                    Filesize

                                                                    719B

                                                                    MD5

                                                                    d7ffcb3379e006459f6383499365becd

                                                                    SHA1

                                                                    b18353f67227e812f3949b7fe5e435c5c3a7b31f

                                                                    SHA256

                                                                    f3df53c738ef9086e4ee045bfb00051b420bf7d251f03689374ff7ba96f2a208

                                                                    SHA512

                                                                    8eac605bfa25178c8da7f07ef8ef4d7594df9091447e82c344055423b120b9d80cdc3b396a0dd54016e1608e8c289974a1da4bd20ca309984deea3235b3c606f

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_55kjoui5.xcq.ps1
                                                                    Filesize

                                                                    60B

                                                                    MD5

                                                                    d17fe0a3f47be24a6453e9ef58c94641

                                                                    SHA1

                                                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                    SHA256

                                                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                    SHA512

                                                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\ac6f063c-91ba-4a7e-9455-b9e87c9c8bff.vbs
                                                                    Filesize

                                                                    719B

                                                                    MD5

                                                                    54ada828f80d4345e0366115c75bd850

                                                                    SHA1

                                                                    399c01ad2517bb407deb23959fd6576316da322a

                                                                    SHA256

                                                                    b00478bc9739a5f190a02e241d5019b5bbc0282597d7abd71dbcfda8333c9cd6

                                                                    SHA512

                                                                    0d48da6b7fb554a84c7e0a911417c1b95e4a0aa3e9548e62a8ea0209afdc9ed91b444eb9e4935010eae621364a101b3fc61b3ec83908d870d96f2ab3002dc3d6

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\ae0d08b9-f408-41d1-a05c-33a12d1ed607.vbs
                                                                    Filesize

                                                                    719B

                                                                    MD5

                                                                    04b7daf7587f702b72d1cac4b6fe5b32

                                                                    SHA1

                                                                    8e615d803c1da6805ec7aaaadb0c64f949414669

                                                                    SHA256

                                                                    f56ae91e9b9662c9b0893db28907444b94e4c0c3eee9f3b46bc302a4948298d8

                                                                    SHA512

                                                                    1d9fd30729799408dda2124d3d08b4ec799d7145ddd40b2d1e885aa7e632f8046f58cf96050321f8908157629fbca4c9f6af633d7bf93d4d3bbec9b0747d2b6c

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\d9d61a3b-3fca-44e1-a302-d044ebc10936.vbs
                                                                    Filesize

                                                                    719B

                                                                    MD5

                                                                    adbb8ed48505abac38b9671ef1ab53a3

                                                                    SHA1

                                                                    bfeb0476a1c2e7a4cb3a04ecf1ccbddbf307eb58

                                                                    SHA256

                                                                    643567a9fbacc063386500def46647845de3db726391bd808b90280eeff15f7d

                                                                    SHA512

                                                                    216c81327aa450e844aa569720ad9ac3668f976363d6c61f5041148ab4c386407dc35debfd5e8b7614a1c83bcbb6565510e4f06e741812fb38a020b86808faae

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\fda6fded-fcb7-4110-873e-6321f4076da6.vbs
                                                                    Filesize

                                                                    719B

                                                                    MD5

                                                                    1bbcb47d9b1730057c65e10c4d8d46fb

                                                                    SHA1

                                                                    b3f2bf2518475ca7f2f146a4fd991130db4b76ca

                                                                    SHA256

                                                                    80ae4a2b48b36931de660039b0a9c3de914640eaf6611d7e39960bf63bc1f4a4

                                                                    SHA512

                                                                    81f35a1b6376186264fee687b43c67e9d00b70922ef10eba9fd63ac4962cf97d37220d8e8e917876ad3764f572a7f47984d961756b1ee064d1b0190cf9e628ce

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\rZs7GmYgEk.bat
                                                                    Filesize

                                                                    208B

                                                                    MD5

                                                                    067a290938b6a1e0a028b6f0e29ad219

                                                                    SHA1

                                                                    3e910ca5def3e0550b63528f760454eb230f96f6

                                                                    SHA256

                                                                    b15d93db8535fab63a8590f99098102c97e02adf4bb7b330996f9c481a8f9baf

                                                                    SHA512

                                                                    0d962219e4bc8140259441af66a677ec429088aa1edb8f7e021698536389262508aff37d859eae2c3cd8bdf7c1afdc8eb138bf6ddd6f39bcb019b5ff7f7b6a44

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\tmp92DD.tmp.exe
                                                                    Filesize

                                                                    75KB

                                                                    MD5

                                                                    e0a68b98992c1699876f818a22b5b907

                                                                    SHA1

                                                                    d41e8ad8ba51217eb0340f8f69629ccb474484d0

                                                                    SHA256

                                                                    2b00d8c2bcc6b48e90524cdd41a07735dc94548ed41925baff86e43a61a4c37f

                                                                    SHA512

                                                                    856854f5fd89ae1669e4b2db10b73b4a78496bf80117003244c83e781f75e533e2e2bea9aa6c1b3aba3db1ed92ea0ed9755fbfd78cd6c86ba95867d07fc0ece2

                                                                    Download Submit

                                                                  • C:\Users\Default\AppData\Roaming\upfc.exe
                                                                    Filesize

                                                                    4.9MB

                                                                    MD5

                                                                    0adb1175ec5e41457dfa35fa7f71c5e6

                                                                    SHA1

                                                                    ddfb9a3f0b88bef44aaed590d93f7ee85bd8b871

                                                                    SHA256

                                                                    7645cdfa9b9421335e748f4dd5cd773de57bd266d12a6656056e8c48c010ceca

                                                                    SHA512

                                                                    b9801b718175c7c81f48d4cbfb752384316ff08b74a1432ed6247e2f093160550e1ea7ac036e662e121fa3fb4a4e9814d5b249f7f29a9f64d59e6f639b7a2db9

                                                                    Download Submit

                                                                  • C:\Users\Public\Libraries\unsecapp.exe
                                                                    Filesize

                                                                    4.9MB

                                                                    MD5

                                                                    60562837aa924e28dab54be5c6decd4a

                                                                    SHA1

                                                                    29e02ab31f9d2b86b2fe3b3bea05adbbaaa87990

                                                                    SHA256

                                                                    26ea7d480a77e3f9aaa9b52aaaa2e028fea4e286c53905b3e304ec96a34027ae

                                                                    SHA512

                                                                    a45d9d38a47b590e051ab9057d89d2f8abd00f4b148fa2c0bc77e0284bdb9ce0833ff3c0f7c7ae5cbbc80b181184e294e2c23d9bcaa41e3970af959c079c2b52

                                                                    Download Submit

                                                                  • memory/1396-131-0x000002C8AB330000-0x000002C8AB352000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/2948-71-0x0000000000400000-0x0000000000407000-memory.dmp

                                                                    Filesize

                                                                    28KB

                                                                    Download

                                                                  • memory/2996-11-0x000000001C530000-0x000000001C542000-memory.dmp

                                                                    Filesize

                                                                    72KB

                                                                    Download

                                                                  • memory/2996-9-0x00000000031C0000-0x00000000031D0000-memory.dmp

                                                                    Filesize

                                                                    64KB

                                                                    Download

                                                                  • memory/2996-17-0x000000001C5D0000-0x000000001C5D8000-memory.dmp

                                                                    Filesize

                                                                    32KB

                                                                    Download

                                                                  • memory/2996-16-0x000000001C5C0000-0x000000001C5C8000-memory.dmp

                                                                    Filesize

                                                                    32KB

                                                                    Download

                                                                  • memory/2996-18-0x000000001C6E0000-0x000000001C6EC000-memory.dmp

                                                                    Filesize

                                                                    48KB

                                                                    Download

                                                                  • memory/2996-13-0x000000001C540000-0x000000001C54A000-memory.dmp

                                                                    Filesize

                                                                    40KB

                                                                    Download

                                                                  • memory/2996-14-0x000000001C550000-0x000000001C55E000-memory.dmp

                                                                    Filesize

                                                                    56KB

                                                                    Download

                                                                  • memory/2996-15-0x000000001C560000-0x000000001C56E000-memory.dmp

                                                                    Filesize

                                                                    56KB

                                                                    Download

                                                                  • memory/2996-12-0x000000001CAF0000-0x000000001D018000-memory.dmp

                                                                    Filesize

                                                                    5.2MB

                                                                    Download

                                                                  • memory/2996-1-0x0000000000B40000-0x0000000001034000-memory.dmp

                                                                    Filesize

                                                                    5.0MB

                                                                    Download

                                                                  • memory/2996-10-0x000000001C520000-0x000000001C52A000-memory.dmp

                                                                    Filesize

                                                                    40KB

                                                                    Download

                                                                  • memory/2996-123-0x00007FF844510000-0x00007FF844FD1000-memory.dmp

                                                                    Filesize

                                                                    10.8MB

                                                                    Download

                                                                  • memory/2996-8-0x00000000031F0000-0x0000000003206000-memory.dmp

                                                                    Filesize

                                                                    88KB

                                                                    Download

                                                                  • memory/2996-6-0x0000000001820000-0x0000000001828000-memory.dmp

                                                                    Filesize

                                                                    32KB

                                                                    Download

                                                                  • memory/2996-7-0x00000000031B0000-0x00000000031C0000-memory.dmp

                                                                    Filesize

                                                                    64KB

                                                                    Download

                                                                  • memory/2996-5-0x000000001C570000-0x000000001C5C0000-memory.dmp

                                                                    Filesize

                                                                    320KB

                                                                    Download

                                                                  • memory/2996-4-0x0000000001840000-0x000000000185C000-memory.dmp

                                                                    Filesize

                                                                    112KB

                                                                    Download

                                                                  • memory/2996-3-0x000000001BDF0000-0x000000001BF1E000-memory.dmp

                                                                    Filesize

                                                                    1.2MB

                                                                    Download

                                                                  • memory/2996-2-0x00007FF844510000-0x00007FF844FD1000-memory.dmp

                                                                    Filesize

                                                                    10.8MB

                                                                    Download

                                                                  • memory/2996-0-0x00007FF844513000-0x00007FF844515000-memory.dmp

                                                                    Filesize

                                                                    8KB

                                                                    Download

                                                                  • memory/4764-484-0x000000001BFF0000-0x000000001C002000-memory.dmp

                                                                    Filesize

                                                                    72KB

                                                                    Download