dcrat | 667cb510540d8e7a6cd30007d30a8ca11110dde57bd03d2cbf87ca6b7868bdb9

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef9c94ed2f87a7be79dfaaa427604df4.exe
Size

1.1MB
MD5

ef9c94ed2f87a7be79dfaaa427604df4
SHA1

ca7fc1e83b76575b172d1e8da2b95a32929004a4
SHA256

897d2f5a9ba328ff88d123d0900e9727fed9da63b44e870f0369233510a8ec04
SHA512

4065d78cd8fa37cd0155fb13f173397601b1b1a669bfd8b8bf7bb0be31c0521aaa03d1dfd18bb437cb154a12e64c9083322d348334829ee79d4b6837d4e4d9dd
SSDEEP

12288:Kmc4TfAkdN7TPPl2Eh8Nv6L1FMCubuoGTeh46qTnnCPQeB89hNuD1hOp1i3l10gR:Kh4TbLUEhZL/GspeYhkc9Soh2SfwJ

Score

10^/10

dcrat defense_evasion execution infostealer persistence rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\wbem\\PolicMan\\unsecapp.exe\", \"C:\\Windows\\System32\\Windows.Media.Devices\\RuntimeBroker.exe\", \"C:\\Windows\\Migration\\WTR\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\ja-JP\\ef9c94ed2f87a7be79dfaaa427604df4.exe\", \"C:\\Windows\\TAPI\\RuntimeBroker.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\wbem\\PolicMan\\unsecapp.exe\", \"C:\\Windows\\System32\\Windows.Media.Devices\\RuntimeBroker.exe\", \"C:\\Windows\\Migration\\WTR\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\ja-JP\\ef9c94ed2f87a7be79dfaaa427604df4.exe\", \"C:\\Windows\\TAPI\\RuntimeBroker.exe\", \"C:\\Windows\\System32\\DiagCpl\\RuntimeBroker.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\wbem\\PolicMan\\unsecapp.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\wbem\\PolicMan\\unsecapp.exe\", \"C:\\Windows\\System32\\Windows.Media.Devices\\RuntimeBroker.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\wbem\\PolicMan\\unsecapp.exe\", \"C:\\Windows\\System32\\Windows.Media.Devices\\RuntimeBroker.exe\", \"C:\\Windows\\Migration\\WTR\\RuntimeBroker.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\System32\\wbem\\PolicMan\\unsecapp.exe\", \"C:\\Windows\\System32\\Windows.Media.Devices\\RuntimeBroker.exe\", \"C:\\Windows\\Migration\\WTR\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\ja-JP\\ef9c94ed2f87a7be79dfaaa427604df4.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5308	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	4572	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	4572	schtasks.exe	87

UAC bypass 3 TTPs 51 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
43	5700	RuntimeBroker.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1176	powershell.exe
5388	powershell.exe
5712	powershell.exe
5720	powershell.exe
1088	powershell.exe
4364	powershell.exe
5332	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	ef9c94ed2f87a7be79dfaaa427604df4.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	ef9c94ed2f87a7be79dfaaa427604df4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 16 IoCs

pid	Process
4768	RuntimeBroker.exe
4280	RuntimeBroker.exe
5700	RuntimeBroker.exe
920	RuntimeBroker.exe
5420	RuntimeBroker.exe
2676	RuntimeBroker.exe
2432	RuntimeBroker.exe
4664	RuntimeBroker.exe
6100	RuntimeBroker.exe
4736	RuntimeBroker.exe
3584	RuntimeBroker.exe
4820	RuntimeBroker.exe
4408	RuntimeBroker.exe
1940	RuntimeBroker.exe
4392	RuntimeBroker.exe
1564	RuntimeBroker.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ef9c94ed2f87a7be79dfaaa427604df4 = "\"C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\ja-JP\\ef9c94ed2f87a7be79dfaaa427604df4.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\DiagCpl\\RuntimeBroker.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\Windows.Media.Devices\\RuntimeBroker.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\Migration\\WTR\\RuntimeBroker.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\Migration\\WTR\\RuntimeBroker.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ef9c94ed2f87a7be79dfaaa427604df4 = "\"C:\\Program Files (x86)\\Common Files\\System\\Ole DB\\ja-JP\\ef9c94ed2f87a7be79dfaaa427604df4.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\TAPI\\RuntimeBroker.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\TAPI\\RuntimeBroker.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\DiagCpl\\RuntimeBroker.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\PolicMan\\unsecapp.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\System32\\wbem\\PolicMan\\unsecapp.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\Windows.Media.Devices\\RuntimeBroker.exe\""	ef9c94ed2f87a7be79dfaaa427604df4.exe

Checks whether UAC is enabled 1 TTPs 34 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DiagCpl\RuntimeBroker.exe	ef9c94ed2f87a7be79dfaaa427604df4.exe
File created	C:\Windows\System32\wbem\PolicMan\unsecapp.exe	ef9c94ed2f87a7be79dfaaa427604df4.exe
File opened for modification	C:\Windows\System32\wbem\PolicMan\unsecapp.exe	ef9c94ed2f87a7be79dfaaa427604df4.exe
File created	C:\Windows\System32\wbem\PolicMan\29c1c3cc0f7685	ef9c94ed2f87a7be79dfaaa427604df4.exe
File created	C:\Windows\System32\Windows.Media.Devices\RuntimeBroker.exe	ef9c94ed2f87a7be79dfaaa427604df4.exe
File created	C:\Windows\System32\DiagCpl\RuntimeBroker.exe	ef9c94ed2f87a7be79dfaaa427604df4.exe
File created	C:\Windows\System32\DiagCpl\9e8d7a4ca61bd9	ef9c94ed2f87a7be79dfaaa427604df4.exe
File opened for modification	C:\Windows\System32\Windows.Media.Devices\RuntimeBroker.exe	ef9c94ed2f87a7be79dfaaa427604df4.exe
File created	C:\Windows\System32\Windows.Media.Devices\9e8d7a4ca61bd9	ef9c94ed2f87a7be79dfaaa427604df4.exe
File opened for modification	C:\Windows\System32\wbem\PolicMan\RCX562F.tmp	ef9c94ed2f87a7be79dfaaa427604df4.exe
File opened for modification	C:\Windows\System32\Windows.Media.Devices\RCX5834.tmp	ef9c94ed2f87a7be79dfaaa427604df4.exe
File opened for modification	C:\Windows\System32\DiagCpl\RCX6046.tmp	ef9c94ed2f87a7be79dfaaa427604df4.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\ef9c94ed2f87a7be79dfaaa427604df4.exe	ef9c94ed2f87a7be79dfaaa427604df4.exe
File created	C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\55a23fb6f610ef	ef9c94ed2f87a7be79dfaaa427604df4.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\RCX5C3D.tmp	ef9c94ed2f87a7be79dfaaa427604df4.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\ef9c94ed2f87a7be79dfaaa427604df4.exe	ef9c94ed2f87a7be79dfaaa427604df4.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Migration\WTR\9e8d7a4ca61bd9	ef9c94ed2f87a7be79dfaaa427604df4.exe
File created	C:\Windows\TAPI\RuntimeBroker.exe	ef9c94ed2f87a7be79dfaaa427604df4.exe
File created	C:\Windows\TAPI\9e8d7a4ca61bd9	ef9c94ed2f87a7be79dfaaa427604df4.exe
File opened for modification	C:\Windows\Migration\WTR\RCX5A39.tmp	ef9c94ed2f87a7be79dfaaa427604df4.exe
File opened for modification	C:\Windows\Migration\WTR\RuntimeBroker.exe	ef9c94ed2f87a7be79dfaaa427604df4.exe
File opened for modification	C:\Windows\TAPI\RCX5E42.tmp	ef9c94ed2f87a7be79dfaaa427604df4.exe
File opened for modification	C:\Windows\TAPI\RuntimeBroker.exe	ef9c94ed2f87a7be79dfaaa427604df4.exe
File created	C:\Windows\Migration\WTR\RuntimeBroker.exe	ef9c94ed2f87a7be79dfaaa427604df4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	ef9c94ed2f87a7be79dfaaa427604df4.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\Local Settings	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4532	schtasks.exe
5308	schtasks.exe
2852	schtasks.exe
1256	schtasks.exe
4544	schtasks.exe
4764	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3140	ef9c94ed2f87a7be79dfaaa427604df4.exe
3140	ef9c94ed2f87a7be79dfaaa427604df4.exe
3140	ef9c94ed2f87a7be79dfaaa427604df4.exe
3140	ef9c94ed2f87a7be79dfaaa427604df4.exe
3140	ef9c94ed2f87a7be79dfaaa427604df4.exe
3140	ef9c94ed2f87a7be79dfaaa427604df4.exe
3140	ef9c94ed2f87a7be79dfaaa427604df4.exe
3140	ef9c94ed2f87a7be79dfaaa427604df4.exe
3140	ef9c94ed2f87a7be79dfaaa427604df4.exe
3140	ef9c94ed2f87a7be79dfaaa427604df4.exe
3140	ef9c94ed2f87a7be79dfaaa427604df4.exe
3140	ef9c94ed2f87a7be79dfaaa427604df4.exe
3140	ef9c94ed2f87a7be79dfaaa427604df4.exe
3140	ef9c94ed2f87a7be79dfaaa427604df4.exe
3140	ef9c94ed2f87a7be79dfaaa427604df4.exe
3140	ef9c94ed2f87a7be79dfaaa427604df4.exe
3140	ef9c94ed2f87a7be79dfaaa427604df4.exe
3140	ef9c94ed2f87a7be79dfaaa427604df4.exe
3140	ef9c94ed2f87a7be79dfaaa427604df4.exe
5332	powershell.exe
5332	powershell.exe
4364	powershell.exe
4364	powershell.exe
1176	powershell.exe
1176	powershell.exe
5720	powershell.exe
5720	powershell.exe
1088	powershell.exe
1088	powershell.exe
5712	powershell.exe
5712	powershell.exe
5388	powershell.exe
5388	powershell.exe
1088	powershell.exe
1176	powershell.exe
5332	powershell.exe
5720	powershell.exe
5388	powershell.exe
4364	powershell.exe
5712	powershell.exe
4768	RuntimeBroker.exe
4768	RuntimeBroker.exe
4768	RuntimeBroker.exe
4768	RuntimeBroker.exe
4768	RuntimeBroker.exe
4768	RuntimeBroker.exe
4768	RuntimeBroker.exe
4768	RuntimeBroker.exe
4768	RuntimeBroker.exe
4768	RuntimeBroker.exe
4768	RuntimeBroker.exe
4768	RuntimeBroker.exe
4768	RuntimeBroker.exe
4768	RuntimeBroker.exe
4768	RuntimeBroker.exe
4768	RuntimeBroker.exe
4768	RuntimeBroker.exe
4768	RuntimeBroker.exe
4768	RuntimeBroker.exe
4768	RuntimeBroker.exe
4768	RuntimeBroker.exe
4768	RuntimeBroker.exe
4768	RuntimeBroker.exe
4768	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	3140	ef9c94ed2f87a7be79dfaaa427604df4.exe
Token: SeDebugPrivilege	5332	powershell.exe
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	4364	powershell.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	5720	powershell.exe
Token: SeDebugPrivilege	5712	powershell.exe
Token: SeDebugPrivilege	5388	powershell.exe
Token: SeDebugPrivilege	4768	RuntimeBroker.exe
Token: SeDebugPrivilege	4280	RuntimeBroker.exe
Token: SeDebugPrivilege	5700	RuntimeBroker.exe
Token: SeDebugPrivilege	920	RuntimeBroker.exe
Token: SeDebugPrivilege	5420	RuntimeBroker.exe
Token: SeDebugPrivilege	2676	RuntimeBroker.exe
Token: SeDebugPrivilege	2432	RuntimeBroker.exe
Token: SeDebugPrivilege	4664	RuntimeBroker.exe
Token: SeDebugPrivilege	6100	RuntimeBroker.exe
Token: SeDebugPrivilege	4736	RuntimeBroker.exe
Token: SeDebugPrivilege	3584	RuntimeBroker.exe
Token: SeDebugPrivilege	4820	RuntimeBroker.exe
Token: SeDebugPrivilege	4408	RuntimeBroker.exe
Token: SeDebugPrivilege	1940	RuntimeBroker.exe
Token: SeDebugPrivilege	4392	RuntimeBroker.exe
Token: SeDebugPrivilege	1564	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 1176	3140	ef9c94ed2f87a7be79dfaaa427604df4.exe	101
PID 3140 wrote to memory of 1176	3140	ef9c94ed2f87a7be79dfaaa427604df4.exe	101
PID 3140 wrote to memory of 5332	3140	ef9c94ed2f87a7be79dfaaa427604df4.exe	102
PID 3140 wrote to memory of 5332	3140	ef9c94ed2f87a7be79dfaaa427604df4.exe	102
PID 3140 wrote to memory of 4364	3140	ef9c94ed2f87a7be79dfaaa427604df4.exe	103
PID 3140 wrote to memory of 4364	3140	ef9c94ed2f87a7be79dfaaa427604df4.exe	103
PID 3140 wrote to memory of 1088	3140	ef9c94ed2f87a7be79dfaaa427604df4.exe	104
PID 3140 wrote to memory of 1088	3140	ef9c94ed2f87a7be79dfaaa427604df4.exe	104
PID 3140 wrote to memory of 5720	3140	ef9c94ed2f87a7be79dfaaa427604df4.exe	107
PID 3140 wrote to memory of 5720	3140	ef9c94ed2f87a7be79dfaaa427604df4.exe	107
PID 3140 wrote to memory of 5712	3140	ef9c94ed2f87a7be79dfaaa427604df4.exe	108
PID 3140 wrote to memory of 5712	3140	ef9c94ed2f87a7be79dfaaa427604df4.exe	108
PID 3140 wrote to memory of 5388	3140	ef9c94ed2f87a7be79dfaaa427604df4.exe	109
PID 3140 wrote to memory of 5388	3140	ef9c94ed2f87a7be79dfaaa427604df4.exe	109
PID 3140 wrote to memory of 1112	3140	ef9c94ed2f87a7be79dfaaa427604df4.exe	115
PID 3140 wrote to memory of 1112	3140	ef9c94ed2f87a7be79dfaaa427604df4.exe	115
PID 1112 wrote to memory of 5716	1112	cmd.exe	117
PID 1112 wrote to memory of 5716	1112	cmd.exe	117
PID 1112 wrote to memory of 4768	1112	cmd.exe	120
PID 1112 wrote to memory of 4768	1112	cmd.exe	120
PID 4768 wrote to memory of 4496	4768	RuntimeBroker.exe	121
PID 4768 wrote to memory of 4496	4768	RuntimeBroker.exe	121
PID 4768 wrote to memory of 4696	4768	RuntimeBroker.exe	122
PID 4768 wrote to memory of 4696	4768	RuntimeBroker.exe	122
PID 4496 wrote to memory of 4280	4496	WScript.exe	124
PID 4496 wrote to memory of 4280	4496	WScript.exe	124
PID 4280 wrote to memory of 2700	4280	RuntimeBroker.exe	125
PID 4280 wrote to memory of 2700	4280	RuntimeBroker.exe	125
PID 4280 wrote to memory of 3044	4280	RuntimeBroker.exe	126
PID 4280 wrote to memory of 3044	4280	RuntimeBroker.exe	126
PID 2700 wrote to memory of 5700	2700	WScript.exe	151
PID 2700 wrote to memory of 5700	2700	WScript.exe	151
PID 5700 wrote to memory of 3584	5700	RuntimeBroker.exe	155
PID 5700 wrote to memory of 3584	5700	RuntimeBroker.exe	155
PID 5700 wrote to memory of 3416	5700	RuntimeBroker.exe	129
PID 5700 wrote to memory of 3416	5700	RuntimeBroker.exe	129
PID 3584 wrote to memory of 920	3584	WScript.exe	131
PID 3584 wrote to memory of 920	3584	WScript.exe	131
PID 920 wrote to memory of 5988	920	RuntimeBroker.exe	132
PID 920 wrote to memory of 5988	920	RuntimeBroker.exe	132
PID 920 wrote to memory of 448	920	RuntimeBroker.exe	133
PID 920 wrote to memory of 448	920	RuntimeBroker.exe	133
PID 5988 wrote to memory of 5420	5988	WScript.exe	136
PID 5988 wrote to memory of 5420	5988	WScript.exe	136
PID 5420 wrote to memory of 5500	5420	RuntimeBroker.exe	137
PID 5420 wrote to memory of 5500	5420	RuntimeBroker.exe	137
PID 5420 wrote to memory of 3820	5420	RuntimeBroker.exe	138
PID 5420 wrote to memory of 3820	5420	RuntimeBroker.exe	138
PID 5500 wrote to memory of 2676	5500	WScript.exe	139
PID 5500 wrote to memory of 2676	5500	WScript.exe	139
PID 2676 wrote to memory of 3068	2676	RuntimeBroker.exe	140
PID 2676 wrote to memory of 3068	2676	RuntimeBroker.exe	140
PID 2676 wrote to memory of 4476	2676	RuntimeBroker.exe	141
PID 2676 wrote to memory of 4476	2676	RuntimeBroker.exe	141
PID 3068 wrote to memory of 2432	3068	WScript.exe	142
PID 3068 wrote to memory of 2432	3068	WScript.exe	142
PID 2432 wrote to memory of 5780	2432	RuntimeBroker.exe	143
PID 2432 wrote to memory of 5780	2432	RuntimeBroker.exe	143
PID 2432 wrote to memory of 5892	2432	RuntimeBroker.exe	144
PID 2432 wrote to memory of 5892	2432	RuntimeBroker.exe	144
PID 5780 wrote to memory of 4664	5780	WScript.exe	145
PID 5780 wrote to memory of 4664	5780	WScript.exe	145
PID 4664 wrote to memory of 5492	4664	RuntimeBroker.exe	146
PID 4664 wrote to memory of 5492	4664	RuntimeBroker.exe	146

System policy modification 1 TTPs 51 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	ef9c94ed2f87a7be79dfaaa427604df4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	RuntimeBroker.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ef9c94ed2f87a7be79dfaaa427604df4.exe
"C:\Users\Admin\AppData\Local\Temp\ef9c94ed2f87a7be79dfaaa427604df4.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Drops file in Drivers directory
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ef9c94ed2f87a7be79dfaaa427604df4.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\wbem\PolicMan\unsecapp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\Windows.Media.Devices\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\ef9c94ed2f87a7be79dfaaa427604df4.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\DiagCpl\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5388
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6dkZMOf1Vy.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:5716
- - C:\Windows\TAPI\RuntimeBroker.exe
    "C:\Windows\TAPI\RuntimeBroker.exe"
    3⤵
    - UAC bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4768
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e4dcd43-d344-4690-a15b-559a66ae5f81.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4496
    - - C:\Windows\TAPI\RuntimeBroker.exe
        
        C:\Windows\TAPI\RuntimeBroker.exe
        5⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4280
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24ee0afa-167e-4f5f-b0ee-bfe22c85d303.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\TAPI\RuntimeBroker.exe
        
        C:\Windows\TAPI\RuntimeBroker.exe
        7⤵
        UAC bypass
        Blocklisted process makes network request
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\103d60ce-77cb-450c-b003-0e483759ded7.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\TAPI\RuntimeBroker.exe
        
        C:\Windows\TAPI\RuntimeBroker.exe
        9⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\358272b1-4aa8-4798-9e99-fbcb8c34ef76.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5988
        
        C:\Windows\TAPI\RuntimeBroker.exe
        
        C:\Windows\TAPI\RuntimeBroker.exe
        11⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:5420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d5658df-1b75-43d5-92a9-fcd9e04f0012.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:5500
        
        C:\Windows\TAPI\RuntimeBroker.exe
        
        C:\Windows\TAPI\RuntimeBroker.exe
        13⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01c07522-ca4a-4ecc-b5ee-35f3711cf004.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\TAPI\RuntimeBroker.exe
        
        C:\Windows\TAPI\RuntimeBroker.exe
        15⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec2a2926-4db1-44c7-959d-06cf2c5a5267.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:5780
        
        C:\Windows\TAPI\RuntimeBroker.exe
        
        C:\Windows\TAPI\RuntimeBroker.exe
        17⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f503ff8-a0b1-47ce-be2d-2408c640132b.vbs"
        18⤵
        
        PID:5492
        
        C:\Windows\TAPI\RuntimeBroker.exe
        
        C:\Windows\TAPI\RuntimeBroker.exe
        19⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:6100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\586f3d10-56bc-4c3a-a69f-0e0b5a7167fb.vbs"
        20⤵
        
        PID:3168
        
        C:\Windows\TAPI\RuntimeBroker.exe
        
        C:\Windows\TAPI\RuntimeBroker.exe
        21⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b0f9c21-6bd3-405f-a7af-b46edfa53ee1.vbs"
        22⤵
        
        PID:1276
        
        C:\Windows\TAPI\RuntimeBroker.exe
        
        C:\Windows\TAPI\RuntimeBroker.exe
        23⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:3584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02bcd466-9b96-4087-8714-8ea726ff4324.vbs"
        24⤵
        
        PID:5644
        
        C:\Windows\TAPI\RuntimeBroker.exe
        
        C:\Windows\TAPI\RuntimeBroker.exe
        25⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1b60ea5-5fa7-46dd-ac2a-45a269b0f643.vbs"
        26⤵
        
        PID:2992
        
        C:\Windows\TAPI\RuntimeBroker.exe
        
        C:\Windows\TAPI\RuntimeBroker.exe
        27⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a26270a-a732-4e1f-93f0-20478edf1226.vbs"
        28⤵
        
        PID:5820
        
        C:\Windows\TAPI\RuntimeBroker.exe
        
        C:\Windows\TAPI\RuntimeBroker.exe
        29⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db0a7e43-0516-44c1-9dd4-9cd48c6f1764.vbs"
        30⤵
        
        PID:1028
        
        C:\Windows\TAPI\RuntimeBroker.exe
        
        C:\Windows\TAPI\RuntimeBroker.exe
        31⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef7aab12-7feb-4c8a-80ce-acbfd5cc0647.vbs"
        32⤵
        
        PID:1020
        
        C:\Windows\TAPI\RuntimeBroker.exe
        
        C:\Windows\TAPI\RuntimeBroker.exe
        33⤵
        UAC bypass
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:1564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00d85cc8-6be3-43a7-ad40-947110b44134.vbs"
        34⤵
        
        PID:2224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e33fc2c9-3e3c-4f4c-a0c8-242f8da5bc94.vbs"
        34⤵
        
        PID:2592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2fae4d9-008a-4ab9-9e86-ca4e9bf56e00.vbs"
        32⤵
        
        PID:4472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1951bffb-00a9-47ae-9ab9-7b10e2b05b62.vbs"
        30⤵
        
        PID:4752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7f68b610-723f-4e27-9423-bc5c401f9ab0.vbs"
        28⤵
        
        PID:4440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\994643ca-c8af-45ed-a23e-f7f320de0578.vbs"
        26⤵
        
        PID:2424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16f5f418-f18e-4911-9730-f373a66c3450.vbs"
        24⤵
        
        PID:3004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e824763-9a64-4e92-863e-6f0e186fc433.vbs"
        22⤵
        
        PID:2068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6820f8c9-03f4-43cb-829c-501e70fddd07.vbs"
        20⤵
        
        PID:5700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2313d74e-fa2c-4912-9973-c22cec2df232.vbs"
        18⤵
        
        PID:2580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2af9831c-ed65-4839-a2bf-89fcef37e43a.vbs"
        16⤵
        
        PID:5892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9698d11c-db39-46b7-96bc-787a54052368.vbs"
        14⤵
        
        PID:4476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3bc866b2-afda-4055-ade5-b15abb975780.vbs"
        12⤵
        
        PID:3820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d595e6f0-0118-4dd1-8445-0dc42ff3cd1f.vbs"
        10⤵
        
        PID:448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\009c03da-f0e3-406f-b7f3-39004698fbc6.vbs"
        8⤵
        
        PID:3416
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83a2c804-01d5-43ff-a6d1-4249e5a7a849.vbs"
        6⤵
        
        PID:3044
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9146b8f1-f36d-4656-afb0-ed3b3fee05f3.vbs"
      4⤵
      PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\System32\wbem\PolicMan\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\Windows.Media.Devices\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ef9c94ed2f87a7be79dfaaa427604df4" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\Ole DB\ja-JP\ef9c94ed2f87a7be79dfaaa427604df4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\TAPI\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\DiagCpl\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
029fbf628b046653ab7ff10b31deeeb2

SHA1
93c2cb1905c8f5e71f5ea97a1e8a8c891eae077c

SHA256
85f6b0971e94daf9fd4e39413824f162851a9f5ce7f989bd92c903a4dbcbef26

SHA512
d4e3626dba2572bd1e53446b384962f955cc0c7e56a72cacf50a845d74714ec1020bcb0fdcc50636a1dfd4f08dc34143dbb5638dd90180df6aa31dab9228c98c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3c99ea4e015d0033c75a3c50304499b1

SHA1
594e0bedf19484deec3202fd44225ea7d52cd888

SHA256
c695bd38b90537e2862d2f2e90f3401b9dc14af0792251ee897df2d0b0dc9467

SHA512
4b0c1d820db21868ec5885f11b6c5986d6ae691f5fda350b8004f8e8972da7b404b9a4cbcb4ed6bb5cf9a03829c99879cb484f7a857339d0c9fb4f9fffb2d46b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
164a45e66dbe5b4c1fad9ced25394a84

SHA1
5f90cf92b891734679ddb12be560b2ec4c6282d7

SHA256
e8f1393a9e1a21ef9c18231e6d1301624694e6036ec8ddf1234219eb96222a28

SHA512
d05e8eebd235ed67a9a4c8f13004cf576df60ae068b81cd11a9d3de69cde110bf3983005a55adac948c5e8f5843b44c865b56dad4d8a37de3d2e442c4ef2eb55

Download Submit
C:\Users\Admin\AppData\Local\Temp\01c07522-ca4a-4ecc-b5ee-35f3711cf004.vbs

Filesize
709B

MD5
7e07d288f57674e82f831c3c4af50dc4

SHA1
30f381419f003f6f9bf0a8ce3c43f474f0636177

SHA256
b44ec1b3f3d6f0e7daf3771499694bf1f73178d42b74e01ca4d2308543d0c047

SHA512
24b82617ece03636653ad9f858964e143a4bb04949d6d9b44c234f8d5b2f3fe523fee5f9068cbcf205d3178690ed788ab77bf2b7134ad4c372a6ce5abbe19547

Download Submit
C:\Users\Admin\AppData\Local\Temp\02bcd466-9b96-4087-8714-8ea726ff4324.vbs

Filesize
709B

MD5
e7fe0fb38faf57d2da18bdb84cc23276

SHA1
2c92f96e6350b99c6ed5abdf9fabd97a36fca916

SHA256
f914b39722a2d3207c1016451c4b2aeab88430d4d26c245fdfe7c67a7c4ced47

SHA512
949aa297dacb45f57666924c900b52ae45699a4784fb8c5e19fe2839380ddf49a080258e0891dfbb0e481fbcd9dd87b52e455199dff1a242b562cf374d0709cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\103d60ce-77cb-450c-b003-0e483759ded7.vbs

Filesize
709B

MD5
eeb0b0805fe2789433339dc3de8541fa

SHA1
651d3133482792188fd4e035625dd7cdea04ab0f

SHA256
129c781155e4caaf0b79d158090477f95c6b05d098ee31f2f5381c42b5652c61

SHA512
90cea50b8ee30722e09324802525cac88e8693d095491cbc2811ef993446e0df9a297d262247e2ac0d59006797755b6074316612aa3f02b3fc83dcff5ede854d

Download Submit
C:\Users\Admin\AppData\Local\Temp\24ee0afa-167e-4f5f-b0ee-bfe22c85d303.vbs

Filesize
709B

MD5
d8472b67373b42ec088cc4b6f40cc0bd

SHA1
3690208aa16cef2edbeb8a5ecfb6b27d16aa6641

SHA256
700b14e35aa877c83fc83aca768813dfc78bdcedd0780c251bb927050afc4315

SHA512
285f3b34d51ada7f361c261d4676b5f8839769f23ed3f1b0f04f0d60cefec587155c566999ee6c0b2b088ef397aea7fd87005cb7a18f53c0452bdcd172096260

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a26270a-a732-4e1f-93f0-20478edf1226.vbs

Filesize
709B

MD5
e85d11b8a0301aa7d1d775ee98708ba6

SHA1
967d148a1d0ec790489030a0a1c0f7b2d757e3fa

SHA256
b21f6b8ea80d5456063abb191596985cacf1e0997c2620026c311a3e6ae4e6b6

SHA512
68115f4ae441364b48eedf0201d218f4fdd7b5947ae0e96633e0e4dd5995e1f66156ecccdec865e03bc11e95cabe6d711d391c7ad91eec8931166eb24d5389a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\358272b1-4aa8-4798-9e99-fbcb8c34ef76.vbs

Filesize
708B

MD5
90ec4d2802b2b4e3bdf8856b2a80fcfa

SHA1
4c9cc815ff2bebfe56aa9d35ea9347b3c5874462

SHA256
68823605c2d3f16c082a526fa5750207fcaf464cebd6e886a82626b663a14b75

SHA512
6c5a149b3b91dae94531cb597e6260dd1c99e233870d02d2b232f0330eefcae02175bbc7581e0f0ae32c289d1e0d8bd0ae9002d51d0e2acbe763788f25e3b684

Download Submit
C:\Users\Admin\AppData\Local\Temp\586f3d10-56bc-4c3a-a69f-0e0b5a7167fb.vbs

Filesize
709B

MD5
c3374fbd2d644c463399ab3bf9022786

SHA1
2cff0697071d5962881c4bf02a93c561c6d5fc6c

SHA256
3dd8bc85827a03fc77495fcdcb380826f114842039c8c80ec6befb2e7e8bc52b

SHA512
83e47c2e82c6a33e4ad7d2db2005c51cfb53f851390378a9096cc2ebae9527796c2aaea3d184dc53655817196bc8fc47c66b690522bca686afc93b43727cfbb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e4dcd43-d344-4690-a15b-559a66ae5f81.vbs

Filesize
709B

MD5
d27fdd26ed3fd37b3c613ec68431275a

SHA1
f21e0dbfaa7fbe614a05381d172fc2098f850e91

SHA256
4a7d0689b5da3d4cfe8b69a35558ea327d762906fc44d354b1181058955ba686

SHA512
f92247170f1876406439f2435b91c5936570a79dd072830573101659236d2477d8e56f9a23620a99726bca6b4937b5aab34ffcd0eef72a187b49420dea3044ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\6dkZMOf1Vy.bat

Filesize
197B

MD5
49b6bb59615faa1d1e74be51db19294c

SHA1
276b68c6350fa1499f4368a996ddaef0daeea2f4

SHA256
927143ee803f2bd670078f4a3dd0397ee34b8be21a432a98fd34b90f15648081

SHA512
0ec420d3cc7664d8d73c5dd828592197d38751deacb22ff9da7e52ce9b684fe159a06cd16f980452b683a6415e59720917b8e6e0ca176fc8eeedfeb7910da19a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f503ff8-a0b1-47ce-be2d-2408c640132b.vbs

Filesize
709B

MD5
a27557ee1847cf55f09d365f9d8f860f

SHA1
bc6f644039c236a988a609cdd842f33bc710b94a

SHA256
5d39a90d459fbc5f45bc7ccbcb6c897f8dbb47003e3cf284b97e862afff7d40b

SHA512
8f1a9b1819d2874ef9a8625c42f72bb4142dfe30fd5cdf5a939f26dd72d07b25fe5d212bd4fac292d11141cbda4c617b6e0b9bf59c637ff988722f76eaca47b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7d5658df-1b75-43d5-92a9-fcd9e04f0012.vbs

Filesize
709B

MD5
be68946182f25dc86140aaeb6267ad1c

SHA1
b57ed7e3ff2a13ad52c77fc33bc010199fced3dc

SHA256
646207ac956022b7e09506077db4c2fe62693d4fe40d7ba9f3157fd122a430a2

SHA512
19d25a0ee85ad8e7a89ca4ec535d91d579183f1580bf3146c318bad25a4562d6d5342e221a4249d21a1493f043e396419f048a8d83c4b8a3f8478dda3f9bace7

Download Submit
C:\Users\Admin\AppData\Local\Temp\9146b8f1-f36d-4656-afb0-ed3b3fee05f3.vbs

Filesize
485B

MD5
33f702fbd8818909ebd6bbc1408f9560

SHA1
0ba0830dbb74c4fcd2a4f18979bedfbe7794e460

SHA256
7b201841f9c8a43a24007cf3e9026ccf7309e3e330ce0e450ef31cd428852a4f

SHA512
5dd2da8ca7cf5fc04f4b962d4937dc7d56d18e0b2e8197438659ddaced4a4a8d4a3dc00f756bda4edb6502fc496c8f0ca1a46773f7dbd6567c5472ef1d7f4c73

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b0f9c21-6bd3-405f-a7af-b46edfa53ee1.vbs

Filesize
709B

MD5
41475a44e0a8f8854d24ea660f8d5ff2

SHA1
933708495ae43a8a65c46fd4984cc4c585591754

SHA256
e3052bd6f0961ad02552ae57d73bff5b67708ece8527870e12cd58e321cfcb85

SHA512
b91a52d635e6a81de531e64cfe7a46599517dc28353bec3e54843a83bd8991d37acecac53da82dd7440832c7dcc8215897cf410a494de22ab357dec0fff0199e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_js1hlnns.n45.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\db0a7e43-0516-44c1-9dd4-9cd48c6f1764.vbs

Filesize
709B

MD5
e5d0343b465eba660f5641e4f210757a

SHA1
989a32c115797327f428476e63b709e6fe0cedde

SHA256
c653f08c6eecf88560fdd0e9a2b93da0ea975c21727fe023a415cf49f21b6790

SHA512
3216097265e383f5f94b74f0adb0be787e902f175f7e4b1cfab5a5da60aee28897972e4e6ebf96cb31490d5a5f31f9d7c6c18e32962686076902567559b5bfb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\e1b60ea5-5fa7-46dd-ac2a-45a269b0f643.vbs

Filesize
709B

MD5
72a293a0934fceff71d956f95bc17978

SHA1
318acedc83afd1cfe9d0adcc08292a6eea1180f6

SHA256
d05b1c9be9dffd05d7a0eecd706dc7d84f6dd46a681b89ec33346c12995e961b

SHA512
fa96d10ec46ea23e87fe11573b393d1871993445b0de02b9fc1a6617014c4404f887e80c9c543b26c227acd886c0bd6650a52190504cd9f847b74b11284665fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec2a2926-4db1-44c7-959d-06cf2c5a5267.vbs

Filesize
709B

MD5
8c55db2afa0e25774428deed17776061

SHA1
fd97ce269e7c7a4e53ad3d38dc254c8b69e0b0ef

SHA256
31f7a032604c05b02e6c3b7e781aa54159dc6bff41713302f38acf9582ce474a

SHA512
ebc05092f6c6bbb9e27f588d5e64d10196e0d400d08425ae9bc7aa4f425cd5326efb3c66171084d7fab2b88bc602b6a17fa77975e31ca54d21333b516768ee04

Download Submit
C:\Windows\TAPI\RuntimeBroker.exe

Filesize
1.1MB

MD5
ef9c94ed2f87a7be79dfaaa427604df4

SHA1
ca7fc1e83b76575b172d1e8da2b95a32929004a4

SHA256
897d2f5a9ba328ff88d123d0900e9727fed9da63b44e870f0369233510a8ec04

SHA512
4065d78cd8fa37cd0155fb13f173397601b1b1a669bfd8b8bf7bb0be31c0521aaa03d1dfd18bb437cb154a12e64c9083322d348334829ee79d4b6837d4e4d9dd

Download Submit
memory/1176-96-0x000001987E4E0000-0x000001987E502000-memory.dmp

Filesize
136KB

Download
memory/3140-13-0x000000001AF50000-0x000000001AF5A000-memory.dmp

Filesize
40KB

Download
memory/3140-4-0x000000001ADB0000-0x000000001ADC2000-memory.dmp

Filesize
72KB

Download
memory/3140-133-0x00007FF803CE0000-0x00007FF8047A1000-memory.dmp

Filesize
10.8MB

Download
memory/3140-24-0x00007FF803CE0000-0x00007FF8047A1000-memory.dmp

Filesize
10.8MB

Download
memory/3140-21-0x000000001B5D0000-0x000000001B5D8000-memory.dmp

Filesize
32KB

Download
memory/3140-18-0x000000001AFA0000-0x000000001AFA8000-memory.dmp

Filesize
32KB

Download
memory/3140-20-0x000000001B4C0000-0x000000001B4CC000-memory.dmp

Filesize
48KB

Download
memory/3140-17-0x000000001AF90000-0x000000001AF9C000-memory.dmp

Filesize
48KB

Download
memory/3140-16-0x000000001AF80000-0x000000001AF88000-memory.dmp

Filesize
32KB

Download
memory/3140-14-0x000000001AF60000-0x000000001AF6C000-memory.dmp

Filesize
48KB

Download
memory/3140-15-0x000000001AF70000-0x000000001AF7A000-memory.dmp

Filesize
40KB

Download
memory/3140-10-0x000000001AF20000-0x000000001AF30000-memory.dmp

Filesize
64KB

Download
memory/3140-29-0x00007FF803CE0000-0x00007FF8047A1000-memory.dmp

Filesize
10.8MB

Download
memory/3140-0-0x00007FF803CE3000-0x00007FF803CE5000-memory.dmp

Filesize
8KB

Download
memory/3140-12-0x000000001AF40000-0x000000001AF48000-memory.dmp

Filesize
32KB

Download
memory/3140-8-0x000000001AF00000-0x000000001AF08000-memory.dmp

Filesize
32KB

Download
memory/3140-9-0x000000001AF10000-0x000000001AF1C000-memory.dmp

Filesize
48KB

Download
memory/3140-1-0x00000000000A0000-0x00000000001B4000-memory.dmp

Filesize
1.1MB

Download
memory/3140-6-0x000000001ADC0000-0x000000001ADCA000-memory.dmp

Filesize
40KB

Download
memory/3140-7-0x000000001AEF0000-0x000000001AEFC000-memory.dmp

Filesize
48KB

Download
memory/3140-5-0x000000001ADD0000-0x000000001ADDC000-memory.dmp

Filesize
48KB

Download
memory/3140-2-0x00007FF803CE0000-0x00007FF8047A1000-memory.dmp

Filesize
10.8MB

Download
memory/3140-3-0x000000001ADA0000-0x000000001ADA8000-memory.dmp

Filesize
32KB

Download
memory/3140-11-0x000000001AF30000-0x000000001AF40000-memory.dmp

Filesize
64KB

Download
memory/3584-283-0x000000001AFF0000-0x000000001B002000-memory.dmp

Filesize
72KB

Download
memory/4664-249-0x00000000013F0000-0x0000000001402000-memory.dmp

Filesize
72KB

Download
memory/4820-295-0x000000001B7F0000-0x000000001B802000-memory.dmp

Filesize
72KB

Download