dcrat | f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 10:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Size

1.8MB
MD5

7582ed7a9f3ac0c15a2b7c81155d8b59
SHA1

0c0429b3d9f1acaeeffb7fd92946cab77d1be2f6
SHA256

f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077
SHA512

6be6568d2109397e266ce71014f503ec10bd38626146bb38f7955b6f360fccd4c05bad19ac5f94f3695427c595e9eda61079c01e6d156634978039c3749245a0
SSDEEP

49152:OhjAJVllHZrhbBruPk+xjSMX4ODTDF8OcFSkMh:OgVTVXYNX9mOWSkM

Score

10^/10

dcrat evasion execution infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3256	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	216	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4100	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4064	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3896	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3904	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3252	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4828	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3916	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3248	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	1508	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	1508	schtasks.exe

UAC bypass 3 TTPs 18 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral2/memory/2936-1-0x0000000000070000-0x000000000023E000-memory.dmp	dcrat
C:\Recovery\WindowsRE\RuntimeBroker.exe	dcrat
C:\Recovery\WindowsRE\RuntimeBroker.exe	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2300	powershell.exe
1040	powershell.exe
2460	powershell.exe
2072	powershell.exe
2692	powershell.exe
4472	powershell.exe
4456	powershell.exe
1068	powershell.exe
3944	powershell.exe
2276	powershell.exe
2388	powershell.exe
1020	powershell.exe
4816	powershell.exe
2040	powershell.exe
4580	powershell.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exef72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exeRuntimeBroker.exeRuntimeBroker.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 5 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

pid process

5528 RuntimeBroker.exe
1592 RuntimeBroker.exe
4844 RuntimeBroker.exe
2160 RuntimeBroker.exe
6048 RuntimeBroker.exe

pid	process
5528	RuntimeBroker.exe
1592	RuntimeBroker.exe
4844	RuntimeBroker.exe
2160	RuntimeBroker.exe
6048	RuntimeBroker.exe

Checks whether UAC is enabled 1 TTPs 12 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe

Drops file in Program Files directory 24 IoCs

Processes:

f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\eddb19405b7ce1	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File created	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\explorer.exe	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File created	C:\Program Files (x86)\Reference Assemblies\RuntimeBroker.exe	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\RuntimeBroker.exe	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXBAB0.tmp	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\services.exe	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Registry.exe	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\ee2ad38f3d4382	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\RCXA9FE.tmp	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Registry.exe	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCXB4A2.tmp	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\RCXB6A7.tmp	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\c5b4cb5e9653cc	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\backgroundTaskHost.exe	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File created	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\7a0fd90576e088	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File created	C:\Program Files (x86)\Reference Assemblies\9e8d7a4ca61bd9	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\services.exe	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\backgroundTaskHost.exe	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\RCXB8AB.tmp	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\ea1d8f6d871115	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCXB089.tmp	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\explorer.exe	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe

Drops file in Windows directory 12 IoCs

Processes:

f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe

description	ioc	process
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\RuntimeBroker.exe	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File created	C:\Windows\Setup\State\RuntimeBroker.exe	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File opened for modification	C:\Windows\Setup\State\RuntimeBroker.exe	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File created	C:\Windows\Setup\State\9e8d7a4ca61bd9	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File created	C:\Windows\TAPI\9e8d7a4ca61bd9	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File opened for modification	C:\Windows\TAPI\RuntimeBroker.exe	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\RCXC13B.tmp	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File created	C:\Windows\TAPI\RuntimeBroker.exe	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\RuntimeBroker.exe	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\9e8d7a4ca61bd9	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File opened for modification	C:\Windows\Setup\State\RCXA5F5.tmp	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
File opened for modification	C:\Windows\TAPI\RCXB28E.tmp	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 6 IoCs

Processes:

f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
2468	schtasks.exe
4584	schtasks.exe
4824	schtasks.exe
2476	schtasks.exe
3256	schtasks.exe
4364	schtasks.exe
216	schtasks.exe
1256	schtasks.exe
3056	schtasks.exe
3968	schtasks.exe
1476	schtasks.exe
5100	schtasks.exe
4064	schtasks.exe
4412	schtasks.exe
1976	schtasks.exe
3252	schtasks.exe
4428	schtasks.exe
4884	schtasks.exe
3896	schtasks.exe
2180	schtasks.exe
4756	schtasks.exe
4828	schtasks.exe
1068	schtasks.exe
3904	schtasks.exe
2388	schtasks.exe
4416	schtasks.exe
4656	schtasks.exe
2188	schtasks.exe
920	schtasks.exe
2944	schtasks.exe
4844	schtasks.exe
1512	schtasks.exe
3052	schtasks.exe
404	schtasks.exe
704	schtasks.exe
892	schtasks.exe
3248	schtasks.exe
3008	schtasks.exe
4100	schtasks.exe
2024	schtasks.exe
3916	schtasks.exe
5028	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

pid	process
2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
2460	powershell.exe
2460	powershell.exe
1068	powershell.exe
1068	powershell.exe
2276	powershell.exe
2276	powershell.exe
4456	powershell.exe
2692	powershell.exe
4456	powershell.exe
2692	powershell.exe
1020	powershell.exe
1020	powershell.exe
1040	powershell.exe
1040	powershell.exe
2072	powershell.exe
2072	powershell.exe
4472	powershell.exe
4472	powershell.exe
4816	powershell.exe
4816	powershell.exe
2040	powershell.exe
2040	powershell.exe
2300	powershell.exe
2300	powershell.exe
3944	powershell.exe
3944	powershell.exe
4580	powershell.exe
4580	powershell.exe
2388	powershell.exe
2388	powershell.exe
4456	powershell.exe
4580	powershell.exe
2460	powershell.exe
2460	powershell.exe
2692	powershell.exe
2692	powershell.exe
1068	powershell.exe
1068	powershell.exe
1040	powershell.exe
1040	powershell.exe
2072	powershell.exe
1020	powershell.exe
1020	powershell.exe
2276	powershell.exe
2276	powershell.exe
3944	powershell.exe
2300	powershell.exe
4472	powershell.exe
4472	powershell.exe
2040	powershell.exe
4816	powershell.exe
2388	powershell.exe
5528	RuntimeBroker.exe
5528	RuntimeBroker.exe
1592	RuntimeBroker.exe
4844	RuntimeBroker.exe
2160	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	3944	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	4456	powershell.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	4472	powershell.exe
Token: SeDebugPrivilege	4816	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	5528	RuntimeBroker.exe
Token: SeDebugPrivilege	1592	RuntimeBroker.exe
Token: SeDebugPrivilege	4844	RuntimeBroker.exe
Token: SeDebugPrivilege	2160	RuntimeBroker.exe
Token: SeDebugPrivilege	6048	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exeRuntimeBroker.exeWScript.exeRuntimeBroker.exeWScript.exeRuntimeBroker.exeWScript.exeRuntimeBroker.exeWScript.exeRuntimeBroker.exe

description	pid	process	target process
PID 2936 wrote to memory of 2388	2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2936 wrote to memory of 2388	2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2936 wrote to memory of 4580	2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2936 wrote to memory of 4580	2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2936 wrote to memory of 1068	2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2936 wrote to memory of 1068	2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2936 wrote to memory of 4456	2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2936 wrote to memory of 4456	2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2936 wrote to memory of 2276	2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2936 wrote to memory of 2276	2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2936 wrote to memory of 2460	2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2936 wrote to memory of 2460	2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2936 wrote to memory of 2040	2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2936 wrote to memory of 2040	2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2936 wrote to memory of 4472	2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2936 wrote to memory of 4472	2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2936 wrote to memory of 3944	2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2936 wrote to memory of 3944	2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2936 wrote to memory of 2692	2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2936 wrote to memory of 2692	2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2936 wrote to memory of 2072	2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2936 wrote to memory of 2072	2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2936 wrote to memory of 4816	2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2936 wrote to memory of 4816	2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2936 wrote to memory of 1040	2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2936 wrote to memory of 1040	2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2936 wrote to memory of 1020	2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2936 wrote to memory of 1020	2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2936 wrote to memory of 2300	2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2936 wrote to memory of 2300	2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	powershell.exe
PID 2936 wrote to memory of 5528	2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	RuntimeBroker.exe
PID 2936 wrote to memory of 5528	2936	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe	RuntimeBroker.exe
PID 5528 wrote to memory of 5368	5528	RuntimeBroker.exe	WScript.exe
PID 5528 wrote to memory of 5368	5528	RuntimeBroker.exe	WScript.exe
PID 5528 wrote to memory of 5412	5528	RuntimeBroker.exe	WScript.exe
PID 5528 wrote to memory of 5412	5528	RuntimeBroker.exe	WScript.exe
PID 5368 wrote to memory of 1592	5368	WScript.exe	RuntimeBroker.exe
PID 5368 wrote to memory of 1592	5368	WScript.exe	RuntimeBroker.exe
PID 1592 wrote to memory of 5000	1592	RuntimeBroker.exe	WScript.exe
PID 1592 wrote to memory of 5000	1592	RuntimeBroker.exe	WScript.exe
PID 1592 wrote to memory of 6024	1592	RuntimeBroker.exe	WScript.exe
PID 1592 wrote to memory of 6024	1592	RuntimeBroker.exe	WScript.exe
PID 5000 wrote to memory of 4844	5000	WScript.exe	RuntimeBroker.exe
PID 5000 wrote to memory of 4844	5000	WScript.exe	RuntimeBroker.exe
PID 4844 wrote to memory of 2828	4844	RuntimeBroker.exe	WScript.exe
PID 4844 wrote to memory of 2828	4844	RuntimeBroker.exe	WScript.exe
PID 4844 wrote to memory of 656	4844	RuntimeBroker.exe	WScript.exe
PID 4844 wrote to memory of 656	4844	RuntimeBroker.exe	WScript.exe
PID 2828 wrote to memory of 2160	2828	WScript.exe	RuntimeBroker.exe
PID 2828 wrote to memory of 2160	2828	WScript.exe	RuntimeBroker.exe
PID 2160 wrote to memory of 3020	2160	RuntimeBroker.exe	WScript.exe
PID 2160 wrote to memory of 3020	2160	RuntimeBroker.exe	WScript.exe
PID 2160 wrote to memory of 3264	2160	RuntimeBroker.exe	WScript.exe
PID 2160 wrote to memory of 3264	2160	RuntimeBroker.exe	WScript.exe
PID 3020 wrote to memory of 6048	3020	WScript.exe	RuntimeBroker.exe
PID 3020 wrote to memory of 6048	3020	WScript.exe	RuntimeBroker.exe
PID 6048 wrote to memory of 4816	6048	RuntimeBroker.exe	WScript.exe
PID 6048 wrote to memory of 4816	6048	RuntimeBroker.exe	WScript.exe
PID 6048 wrote to memory of 5252	6048	RuntimeBroker.exe	WScript.exe
PID 6048 wrote to memory of 5252	6048	RuntimeBroker.exe	WScript.exe

System policy modification 1 TTPs 18 IoCs

evasion

Modify Registry

T1112

Processes:

RuntimeBroker.exeRuntimeBroker.exef72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe
"C:\Users\Admin\AppData\Local\Temp\f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\de-DE\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\backgroundTaskHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Adobe\HelpCfg\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2300
- C:\Windows\TAPI\RuntimeBroker.exe
  "C:\Windows\TAPI\RuntimeBroker.exe"
  2⤵
  - UAC bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:5528
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b103845f-ba55-4d0c-bc0a-292c3454f994.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5368
  - - C:\Windows\TAPI\RuntimeBroker.exe
      C:\Windows\TAPI\RuntimeBroker.exe
      4⤵
      UAC bypass
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1592
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\546f8f7f-310e-4452-974f-37b168687fe1.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5000
      - C:\Windows\TAPI\RuntimeBroker.exe
        
        C:\Windows\TAPI\RuntimeBroker.exe
        6⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a83f5efa-c9dd-4eb1-83f5-9534b37da5c7.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\TAPI\RuntimeBroker.exe
        
        C:\Windows\TAPI\RuntimeBroker.exe
        8⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b2a08e1-e034-441a-a272-c9ca5dd0a111.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\TAPI\RuntimeBroker.exe
        
        C:\Windows\TAPI\RuntimeBroker.exe
        10⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:6048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5f61a2e-9599-4949-8ba6-c7c2e511b6a9.vbs"
        11⤵
        
        PID:4816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1eba8885-800b-4b45-a50d-3601a2062df6.vbs"
        11⤵
        
        PID:5252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2462074-b900-4694-b961-9d10cb73e884.vbs"
        9⤵
        
        PID:3264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd8b5f71-5c5c-450a-8c7c-68e2e2a8fd0c.vbs"
        7⤵
        
        PID:656
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6cfcba29-d7ba-45ed-a8bd-1c8da07cb967.vbs"
        5⤵
        
        PID:6024
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aeca4f33-15f0-40d6-b236-b8fffd4941a3.vbs"
    3⤵
    PID:5412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\Setup\State\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Setup\State\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\Setup\State\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\TAPI\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\TAPI\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\TAPI\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Adobe\HelpCfg\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\HelpCfg\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Adobe\HelpCfg\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Admin\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.8MB

MD5
807ac822a1014a0037dca6a303474599

SHA1
cc9237042cb0c22109c7e34d934d1ddc13b2ffa1

SHA256
e2329d28ff879025168d396bf1d320efe1819f25dc97d9a51d33f72bf79b40cf

SHA512
c438b07fb6cb50425ddeafef02bd57df9e0bd84466648ca6203008c7a1f285b61c83528d314d3edc6dbc4b2201036f2e55da7ead956776da915f177e3dcd38cf

Download Submit
C:\Recovery\WindowsRE\RuntimeBroker.exe

Filesize
1.8MB

MD5
7582ed7a9f3ac0c15a2b7c81155d8b59

SHA1
0c0429b3d9f1acaeeffb7fd92946cab77d1be2f6

SHA256
f72e4dd60ebccfa1790bb49c335dd79ff4860da3c5623c30a778d4cbc6f61077

SHA512
6be6568d2109397e266ce71014f503ec10bd38626146bb38f7955b6f360fccd4c05bad19ac5f94f3695427c595e9eda61079c01e6d156634978039c3749245a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
293a5e452e148112857e22e746feff34

SHA1
7a5018bf98a3e38970809531288a7e3efb979532

SHA256
05e48657fb5340817f522c955b379cfb639977480af3ab1414682e9bf6616551

SHA512
7332f2b22f4ab64bb67c1a493f7cf2b378e311d5be6c6c99339210d4e9022c17f01a698333cd679a0776cca23460e28ec88c2ccfcf50c732ee218ef25ab19049

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Temp\546f8f7f-310e-4452-974f-37b168687fe1.vbs

Filesize
709B

MD5
954e29d01b7743d64954ec88d75112b1

SHA1
cc810a147fc2fe924b5479f861841136954a7b58

SHA256
d9c8f837574d916cd01ba769ed372a35150dbffe31ec2d1e2ea07a84bb1ec0c5

SHA512
ca79c4bf78205fb25aee71f2f22218069c4fdd6999b0f955b56fe84d1406b8e9ca3320e2fdd151c53fad63dbf9e5bccf179025d22d984a30017a0431a863e518

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b2a08e1-e034-441a-a272-c9ca5dd0a111.vbs

Filesize
709B

MD5
224e150edcb81531eea9129866a75783

SHA1
6caf004c4882419dd6926f9653f51ec70ab31afb

SHA256
999a6e911bdda6a4b34e42e52a2ac4803f3673de3a18707c02312794475472a5

SHA512
94a51a0283aa1ca23a9fad644a3afc96451cea06068a135f89f0c5202332df2ad2eac722df93d206a672d13b77d3342820be52431b70d289dadf3e4d78fb6d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vaw3ejaa.yuw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a83f5efa-c9dd-4eb1-83f5-9534b37da5c7.vbs

Filesize
709B

MD5
660ac9a55fea46ba1820ef526a91eae3

SHA1
8412d23d966a3690170913f1fca63d89912b66f1

SHA256
59960831ca034df83c40168cbe67f3bcae6395b857e4638f1c23ed9e25b4526a

SHA512
0b468e5435c980a4e00a57e2e1f70a6da5148ccb9f79171ef59e48969b7d6a582ce1b69077c3df3f1f5807e9a7b5d3e2768f467b7107385f25a0fdc818069f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aeca4f33-15f0-40d6-b236-b8fffd4941a3.vbs

Filesize
485B

MD5
24ef277164f7dcac589d1b6bfe1eaa1b

SHA1
e0f3ca0af897a6c6e876e197d472ef81fc08d352

SHA256
f7cb8a174abc79921f8c25e407f0a1f07ea73ec6b4d315892b34c08029169c56

SHA512
129f98e929ba408f36cd8665d5206a77ac77b625ae11602030f9abc4438e14534ed16e98ed01934b0dab14052971b50a6f7849f3ab00260bac7d376dd4d01a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\b103845f-ba55-4d0c-bc0a-292c3454f994.vbs

Filesize
709B

MD5
9bafa6f32e0ff3b3fcb55fad3ef85c66

SHA1
9bf6bf28ac74776eb50b5c894e601505e5afd417

SHA256
257ac617e4f072766e0e32c5d6af509afe5c165a9fda765f148fa38bbb3dca5e

SHA512
c0f0caf74be9f50e4bbea0287c9b1e81ee006129098b0dd1bc70f6065be43903f4003192087b47ad90f42bb2e6ff4927d9c84b3345fa0dc05b6a4c94104aa600

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5f61a2e-9599-4949-8ba6-c7c2e511b6a9.vbs

Filesize
709B

MD5
f534a59bf334d136b125ab40b9dade6a

SHA1
d15d74952593ce25935be15a7ff166a55cbe6d22

SHA256
1c9124b7dd7f164101db1cf1f153030bd22d0e11a671896b8a613e6f1f8e2879

SHA512
528b8023ef2334038fcec9b99eec307326cd1937f7b9fd6585d545bb77b4001406da534487f460a5023319d78f2f322481e92e022f1d22eda53ebfcb6b00e733

Download Submit
memory/1592-388-0x000000001BFF0000-0x000000001C002000-memory.dmp

Filesize
72KB

Download
memory/2160-412-0x000000001C3F0000-0x000000001C402000-memory.dmp

Filesize
72KB

Download
memory/2460-204-0x00000294298D0000-0x00000294298F2000-memory.dmp

Filesize
136KB

Download
memory/2936-11-0x000000001B4D0000-0x000000001B4E2000-memory.dmp

Filesize
72KB

Download
memory/2936-3-0x000000001B470000-0x000000001B48C000-memory.dmp

Filesize
112KB

Download
memory/2936-342-0x00007FF97C480000-0x00007FF97CF41000-memory.dmp

Filesize
10.8MB

Download
memory/2936-14-0x000000001B670000-0x000000001B67E000-memory.dmp

Filesize
56KB

Download
memory/2936-2-0x00007FF97C480000-0x00007FF97CF41000-memory.dmp

Filesize
10.8MB

Download
memory/2936-130-0x00007FF97C483000-0x00007FF97C485000-memory.dmp

Filesize
8KB

Download
memory/2936-17-0x000000001B6A0000-0x000000001B6AC000-memory.dmp

Filesize
48KB

Download
memory/2936-16-0x000000001B690000-0x000000001B69C000-memory.dmp

Filesize
48KB

Download
memory/2936-13-0x000000001B660000-0x000000001B66A000-memory.dmp

Filesize
40KB

Download
memory/2936-15-0x000000001B680000-0x000000001B68E000-memory.dmp

Filesize
56KB

Download
memory/2936-1-0x0000000000070000-0x000000000023E000-memory.dmp

Filesize
1.8MB

Download
memory/2936-145-0x00007FF97C480000-0x00007FF97CF41000-memory.dmp

Filesize
10.8MB

Download
memory/2936-9-0x000000001B630000-0x000000001B640000-memory.dmp

Filesize
64KB

Download
memory/2936-10-0x000000001B4C0000-0x000000001B4CA000-memory.dmp

Filesize
40KB

Download
memory/2936-0-0x00007FF97C483000-0x00007FF97C485000-memory.dmp

Filesize
8KB

Download
memory/2936-7-0x000000001B490000-0x000000001B4A6000-memory.dmp

Filesize
88KB

Download
memory/2936-8-0x000000001B4B0000-0x000000001B4C2000-memory.dmp

Filesize
72KB

Download
memory/2936-4-0x000000001B4E0000-0x000000001B530000-memory.dmp

Filesize
320KB

Download
memory/2936-5-0x00000000023C0000-0x00000000023C8000-memory.dmp

Filesize
32KB

Download
memory/2936-12-0x000000001BB90000-0x000000001C0B8000-memory.dmp

Filesize
5.2MB

Download
memory/2936-6-0x0000000002430000-0x0000000002440000-memory.dmp

Filesize
64KB

Download
memory/4844-400-0x000000001BFF0000-0x000000001C002000-memory.dmp

Filesize
72KB

Download
memory/5528-344-0x000000001C390000-0x000000001C3A2000-memory.dmp

Filesize
72KB

Download
memory/5528-343-0x000000001CF40000-0x000000001CF52000-memory.dmp

Filesize
72KB

Download