dcrat | 4bcbb8983fe7425976c5a1789deff73fb138e80981f5ebfef1f835bcc6757760

Resubmissions

14/04/2025, 07:51

250414-jp1kfssjz9 10

14/04/2025, 07:46

250414-jl9nyssjt9 10

08/04/2025, 15:58

250408-tevasswl18 10

08/04/2025, 14:19

250408-rm2nqsvqw2 10

Analysis

max time kernel
897s
max time network
891s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2025, 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
Size

1.6MB
MD5

52e4554ec87085ec0d31bca66d35df00
SHA1

3196fc8f3064b5d80cd8829c0b3fd6730b2141c0
SHA256

f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93
SHA512

04070464d0489ec88509dc767f9c5f0db4dc2e1b3bb06ac3719441a5a923172d9fcac478dfab1b7ad4cdd2bbc0a39f77c6dd0d5d256dfd82d474e74e1b9af899
SSDEEP

24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	4844	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	4844	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	4844	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	4844	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3724	4844	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	4844	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3244	4844	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	4844	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3792	4844	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	4844	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4508	4844	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	4844	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	4844	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	4844	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	4844	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	4844	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	4844	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	4844	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4352	4844	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3356	4844	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	4844	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3592	4844	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3848	4844	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3764	4844	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	4844	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3780	4844	schtasks.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	4844	schtasks.exe	89

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral29/memory/3260-1-0x0000000000C20000-0x0000000000DC2000-memory.dmp	dcrat
behavioral29/files/0x00070000000241ea-26.dat	dcrat
behavioral29/files/0x000b0000000241fa-96.dat	dcrat
behavioral29/files/0x00090000000241ea-107.dat	dcrat
behavioral29/memory/5776-266-0x0000000000C00000-0x0000000000DA2000-memory.dmp	dcrat
behavioral29/files/0x000900000002421a-337.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2480	powershell.exe
1208	powershell.exe
4012	powershell.exe
5344	powershell.exe
5104	powershell.exe
808	powershell.exe
2796	powershell.exe
4448	powershell.exe
1736	powershell.exe
1212	powershell.exe

Checks computer location settings 2 TTPs 60 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 64 IoCs

pid	Process
5776	RuntimeBroker.exe
4104	RuntimeBroker.exe
1728	RuntimeBroker.exe
4772	RuntimeBroker.exe
1416	RuntimeBroker.exe
744	RuntimeBroker.exe
2040	RuntimeBroker.exe
1556	RuntimeBroker.exe
5972	RuntimeBroker.exe
1660	fontdrvhost.exe
4652	RuntimeBroker.exe
4328	RuntimeBroker.exe
4912	RuntimeBroker.exe
5752	RuntimeBroker.exe
4952	RuntimeBroker.exe
1892	RuntimeBroker.exe
4152	RuntimeBroker.exe
6132	taskhostw.exe
1732	services.exe
1128	RuntimeBroker.exe
4440	RuntimeBroker.exe
6036	RuntimeBroker.exe
2432	RuntimeBroker.exe
2220	RuntimeBroker.exe
2252	RuntimeBroker.exe
4976	RuntimeBroker.exe
776	RuntimeBroker.exe
4692	RuntimeBroker.exe
3756	RuntimeBroker.exe
1124	RuntimeBroker.exe
4268	RuntimeBroker.exe
6008	Registry.exe
1644	RuntimeBroker.exe
5848	RuntimeBroker.exe
4588	RuntimeBroker.exe
4824	RuntimeBroker.exe
5576	RuntimeBroker.exe
564	RuntimeBroker.exe
5160	RuntimeBroker.exe
4636	RuntimeBroker.exe
456	RuntimeBroker.exe
3392	RuntimeBroker.exe
3412	RuntimeBroker.exe
5916	RuntimeBroker.exe
2252	RuntimeBroker.exe
4660	RuntimeBroker.exe
748	RuntimeBroker.exe
4296	RuntimeBroker.exe
4440	fontdrvhost.exe
4744	RuntimeBroker.exe
1396	RuntimeBroker.exe
368	RuntimeBroker.exe
2616	RuntimeBroker.exe
2348	RuntimeBroker.exe
4788	RuntimeBroker.exe
4880	RuntimeBroker.exe
1740	RuntimeBroker.exe
4744	RuntimeBroker.exe
3352	RuntimeBroker.exe
4924	RuntimeBroker.exe
2492	taskhostw.exe
4272	services.exe
5392	RuntimeBroker.exe
5700	RuntimeBroker.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\ja-JP\ee2ad38f3d4382	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files\Windows Media Player\es-ES\c5b4cb5e9653cc	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Extensions\RCX79B1.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files\Windows Media Player\es-ES\services.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Extensions\fontdrvhost.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\Registry.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\RCX7DEB.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\RCX7DEC.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\services.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\RCX7BD6.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Extensions\fontdrvhost.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Extensions\5b884080fd4f94	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files\VideoLAN\VLC\lua\modules\fontdrvhost.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files\VideoLAN\VLC\lua\modules\5b884080fd4f94	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Extensions\RCX7943.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\modules\fontdrvhost.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\RCX806D.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\Registry.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\RCX7BD5.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\RCX806E.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\tracing\csrss.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCX71CB.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Windows\Prefetch\ReadyBoot\c5b4cb5e9653cc	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Windows\tracing\RCX6FB6.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Windows\tracing\RCX6FB7.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\RCX71CC.tmp	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\services.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Windows\tracing\csrss.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Windows\tracing\886983d96e3d3e	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
File created	C:\Windows\Prefetch\ReadyBoot\services.exe	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3764	schtasks.exe
3780	schtasks.exe
4744	schtasks.exe
2916	schtasks.exe
3244	schtasks.exe
1732	schtasks.exe
4508	schtasks.exe
4980	schtasks.exe
5032	schtasks.exe
1384	schtasks.exe
3136	schtasks.exe
5052	schtasks.exe
5072	schtasks.exe
4812	schtasks.exe
3792	schtasks.exe
4900	schtasks.exe
4976	schtasks.exe
4352	schtasks.exe
3356	schtasks.exe
3724	schtasks.exe
5080	schtasks.exe
5048	schtasks.exe
3592	schtasks.exe
3848	schtasks.exe
4868	schtasks.exe
1672	schtasks.exe
5028	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3260	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
3260	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
3260	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
808	powershell.exe
808	powershell.exe
4012	powershell.exe
4012	powershell.exe
2796	powershell.exe
2796	powershell.exe
5104	powershell.exe
5104	powershell.exe
4448	powershell.exe
4448	powershell.exe
2480	powershell.exe
2480	powershell.exe
1736	powershell.exe
1736	powershell.exe
2796	powershell.exe
1208	powershell.exe
1208	powershell.exe
5344	powershell.exe
5344	powershell.exe
1212	powershell.exe
1212	powershell.exe
2480	powershell.exe
1736	powershell.exe
808	powershell.exe
4012	powershell.exe
4448	powershell.exe
5104	powershell.exe
1208	powershell.exe
5344	powershell.exe
1212	powershell.exe
5776	RuntimeBroker.exe
4104	RuntimeBroker.exe
1728	RuntimeBroker.exe
4772	RuntimeBroker.exe
1416	RuntimeBroker.exe
744	RuntimeBroker.exe
2040	RuntimeBroker.exe
1556	RuntimeBroker.exe
5972	RuntimeBroker.exe
4652	RuntimeBroker.exe
4328	RuntimeBroker.exe
4912	RuntimeBroker.exe
5752	RuntimeBroker.exe
4952	RuntimeBroker.exe
1892	RuntimeBroker.exe
4152	RuntimeBroker.exe
1128	RuntimeBroker.exe
4440	RuntimeBroker.exe
6036	RuntimeBroker.exe
2432	RuntimeBroker.exe
2220	RuntimeBroker.exe
2252	RuntimeBroker.exe
4976	RuntimeBroker.exe
776	RuntimeBroker.exe
4692	RuntimeBroker.exe
3756	RuntimeBroker.exe
1124	RuntimeBroker.exe
4268	RuntimeBroker.exe
5848	RuntimeBroker.exe
4588	RuntimeBroker.exe
4824	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3260	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
Token: SeDebugPrivilege	808	powershell.exe
Token: SeDebugPrivilege	4012	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	5104	powershell.exe
Token: SeDebugPrivilege	5344	powershell.exe
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeDebugPrivilege	5776	RuntimeBroker.exe
Token: SeDebugPrivilege	4104	RuntimeBroker.exe
Token: SeDebugPrivilege	1728	RuntimeBroker.exe
Token: SeDebugPrivilege	4772	RuntimeBroker.exe
Token: SeDebugPrivilege	1416	RuntimeBroker.exe
Token: SeDebugPrivilege	744	RuntimeBroker.exe
Token: SeDebugPrivilege	2040	RuntimeBroker.exe
Token: SeDebugPrivilege	1556	RuntimeBroker.exe
Token: SeDebugPrivilege	5972	RuntimeBroker.exe
Token: SeDebugPrivilege	1660	fontdrvhost.exe
Token: SeDebugPrivilege	4652	RuntimeBroker.exe
Token: SeDebugPrivilege	4328	RuntimeBroker.exe
Token: SeDebugPrivilege	4912	RuntimeBroker.exe
Token: SeDebugPrivilege	5752	RuntimeBroker.exe
Token: SeDebugPrivilege	4952	RuntimeBroker.exe
Token: SeDebugPrivilege	1892	RuntimeBroker.exe
Token: SeDebugPrivilege	4152	RuntimeBroker.exe
Token: SeDebugPrivilege	6132	taskhostw.exe
Token: SeDebugPrivilege	1732	services.exe
Token: SeDebugPrivilege	1128	RuntimeBroker.exe
Token: SeDebugPrivilege	4440	RuntimeBroker.exe
Token: SeDebugPrivilege	6036	RuntimeBroker.exe
Token: SeDebugPrivilege	2432	RuntimeBroker.exe
Token: SeDebugPrivilege	2220	RuntimeBroker.exe
Token: SeDebugPrivilege	2252	RuntimeBroker.exe
Token: SeDebugPrivilege	4976	RuntimeBroker.exe
Token: SeDebugPrivilege	776	RuntimeBroker.exe
Token: SeDebugPrivilege	4692	RuntimeBroker.exe
Token: SeDebugPrivilege	3756	RuntimeBroker.exe
Token: SeDebugPrivilege	1124	RuntimeBroker.exe
Token: SeDebugPrivilege	4268	RuntimeBroker.exe
Token: SeDebugPrivilege	6008	Registry.exe
Token: SeDebugPrivilege	1644	RuntimeBroker.exe
Token: SeDebugPrivilege	5848	RuntimeBroker.exe
Token: SeDebugPrivilege	4588	RuntimeBroker.exe
Token: SeDebugPrivilege	4824	RuntimeBroker.exe
Token: SeDebugPrivilege	5576	RuntimeBroker.exe
Token: SeDebugPrivilege	564	RuntimeBroker.exe
Token: SeDebugPrivilege	5160	RuntimeBroker.exe
Token: SeDebugPrivilege	4636	RuntimeBroker.exe
Token: SeDebugPrivilege	456	RuntimeBroker.exe
Token: SeDebugPrivilege	3392	RuntimeBroker.exe
Token: SeDebugPrivilege	3412	RuntimeBroker.exe
Token: SeDebugPrivilege	5916	RuntimeBroker.exe
Token: SeDebugPrivilege	2252	RuntimeBroker.exe
Token: SeDebugPrivilege	4660	RuntimeBroker.exe
Token: SeDebugPrivilege	748	RuntimeBroker.exe
Token: SeDebugPrivilege	4296	RuntimeBroker.exe
Token: SeDebugPrivilege	4440	fontdrvhost.exe
Token: SeDebugPrivilege	4744	RuntimeBroker.exe
Token: SeDebugPrivilege	1396	RuntimeBroker.exe
Token: SeDebugPrivilege	368	RuntimeBroker.exe
Token: SeDebugPrivilege	2616	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 808	3260	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	122
PID 3260 wrote to memory of 808	3260	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	122
PID 3260 wrote to memory of 2480	3260	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	123
PID 3260 wrote to memory of 2480	3260	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	123
PID 3260 wrote to memory of 2796	3260	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	124
PID 3260 wrote to memory of 2796	3260	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	124
PID 3260 wrote to memory of 1208	3260	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	125
PID 3260 wrote to memory of 1208	3260	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	125
PID 3260 wrote to memory of 4448	3260	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	126
PID 3260 wrote to memory of 4448	3260	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	126
PID 3260 wrote to memory of 5104	3260	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	127
PID 3260 wrote to memory of 5104	3260	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	127
PID 3260 wrote to memory of 5344	3260	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	128
PID 3260 wrote to memory of 5344	3260	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	128
PID 3260 wrote to memory of 1212	3260	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	129
PID 3260 wrote to memory of 1212	3260	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	129
PID 3260 wrote to memory of 1736	3260	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	130
PID 3260 wrote to memory of 1736	3260	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	130
PID 3260 wrote to memory of 4012	3260	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	131
PID 3260 wrote to memory of 4012	3260	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	131
PID 3260 wrote to memory of 5252	3260	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	142
PID 3260 wrote to memory of 5252	3260	f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe	142
PID 5252 wrote to memory of 2204	5252	cmd.exe	144
PID 5252 wrote to memory of 2204	5252	cmd.exe	144
PID 5776 wrote to memory of 5644	5776	RuntimeBroker.exe	165
PID 5776 wrote to memory of 5644	5776	RuntimeBroker.exe	165
PID 5776 wrote to memory of 968	5776	RuntimeBroker.exe	166
PID 5776 wrote to memory of 968	5776	RuntimeBroker.exe	166
PID 5644 wrote to memory of 4104	5644	WScript.exe	167
PID 5644 wrote to memory of 4104	5644	WScript.exe	167
PID 4104 wrote to memory of 4828	4104	RuntimeBroker.exe	169
PID 4104 wrote to memory of 4828	4104	RuntimeBroker.exe	169
PID 4104 wrote to memory of 724	4104	RuntimeBroker.exe	170
PID 4104 wrote to memory of 724	4104	RuntimeBroker.exe	170
PID 4828 wrote to memory of 1728	4828	WScript.exe	171
PID 4828 wrote to memory of 1728	4828	WScript.exe	171
PID 1728 wrote to memory of 2028	1728	RuntimeBroker.exe	173
PID 1728 wrote to memory of 2028	1728	RuntimeBroker.exe	173
PID 1728 wrote to memory of 4932	1728	RuntimeBroker.exe	174
PID 1728 wrote to memory of 4932	1728	RuntimeBroker.exe	174
PID 2028 wrote to memory of 4772	2028	WScript.exe	176
PID 2028 wrote to memory of 4772	2028	WScript.exe	176
PID 4772 wrote to memory of 5292	4772	RuntimeBroker.exe	178
PID 4772 wrote to memory of 5292	4772	RuntimeBroker.exe	178
PID 4772 wrote to memory of 3488	4772	RuntimeBroker.exe	179
PID 4772 wrote to memory of 3488	4772	RuntimeBroker.exe	179
PID 5292 wrote to memory of 1416	5292	WScript.exe	180
PID 5292 wrote to memory of 1416	5292	WScript.exe	180
PID 1416 wrote to memory of 5288	1416	RuntimeBroker.exe	182
PID 1416 wrote to memory of 5288	1416	RuntimeBroker.exe	182
PID 1416 wrote to memory of 752	1416	RuntimeBroker.exe	183
PID 1416 wrote to memory of 752	1416	RuntimeBroker.exe	183
PID 5288 wrote to memory of 744	5288	WScript.exe	185
PID 5288 wrote to memory of 744	5288	WScript.exe	185
PID 744 wrote to memory of 5676	744	RuntimeBroker.exe	187
PID 744 wrote to memory of 5676	744	RuntimeBroker.exe	187
PID 744 wrote to memory of 1216	744	RuntimeBroker.exe	188
PID 744 wrote to memory of 1216	744	RuntimeBroker.exe	188
PID 5676 wrote to memory of 2040	5676	WScript.exe	190
PID 5676 wrote to memory of 2040	5676	WScript.exe	190
PID 2040 wrote to memory of 5764	2040	RuntimeBroker.exe	192
PID 2040 wrote to memory of 5764	2040	RuntimeBroker.exe	192
PID 2040 wrote to memory of 1084	2040	RuntimeBroker.exe	193
PID 2040 wrote to memory of 1084	2040	RuntimeBroker.exe	193

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe
"C:\Users\Admin\AppData\Local\Temp\f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\taskhostw.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Extensions\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\ja-JP\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\lua\modules\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\es-ES\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4012
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\roA8lMYOd0.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5252
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\Videos\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\tracing\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\tracing\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\Prefetch\ReadyBoot\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\Prefetch\ReadyBoot\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Users\Public\AccountPictures\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Users\Public\AccountPictures\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Extensions\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Extensions\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Extensions\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\lua\modules\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\modules\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\lua\modules\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\es-ES\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4744

C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5776
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c4bfcbd-00cc-4b5c-b8d0-1835f29bb167.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5644
- - C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
    C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4104
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14e49429-c160-4208-ada5-444996284720.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4828
    - - C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1728
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f618555-027d-4221-aa7e-15578fb980da.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef9cdbe5-7252-4605-beff-9043b0e70182.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5292
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a08011c7-feea-45ca-856f-309e1eba1802.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5288
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4489c06-2810-47a4-9378-0edd36b02d23.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:5676
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d243c922-91a8-4b41-89a8-406a802a484e.vbs"
        14⤵
        
        PID:5764
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bebe11a-9ce1-4918-b181-f7a43a10e3b0.vbs"
        16⤵
        
        PID:644
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb9f1532-5d16-47aa-86de-6b2f875005ee.vbs"
        18⤵
        
        PID:4860
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07728b55-21a7-4391-9b06-50113e443b5b.vbs"
        20⤵
        
        PID:1760
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9934ad3c-2865-484c-84f4-462c6c2a1a89.vbs"
        22⤵
        
        PID:1016
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\340b0cb9-c4c2-4250-b3ab-e178ce032037.vbs"
        24⤵
        
        PID:2960
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d938e7ab-82ef-41c0-b3e3-6ecb815978c6.vbs"
        26⤵
        
        PID:1664
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02eea804-24e4-4b6b-8134-0d91572ae950.vbs"
        28⤵
        
        PID:3192
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4156a580-79a9-4225-8171-c29a26ea7b70.vbs"
        30⤵
        
        PID:1548
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81cae9a0-7523-4f01-9b78-1f9d3b54ee19.vbs"
        32⤵
        
        PID:3836
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a987ae7-3da3-4d43-af13-128282cb6b75.vbs"
        34⤵
        
        PID:1860
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fedcd98f-0e7d-44e7-80ea-a51592d3afcb.vbs"
        36⤵
        
        PID:1040
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\711249ae-e6e7-4e77-a0e8-6a8008c3b5f6.vbs"
        38⤵
        
        PID:4024
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\633848cd-21ca-452e-ad1b-8670faa04b4c.vbs"
        40⤵
        
        PID:3808
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\115f2791-6db3-4b82-9f6b-249b4ab56938.vbs"
        42⤵
        
        PID:4460
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0740db68-3bba-4674-a1dd-aaaef1442372.vbs"
        44⤵
        
        PID:6028
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b43ee357-d6b9-4ef5-b0e3-ceba6be26255.vbs"
        46⤵
        
        PID:2664
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43eb715e-bfbd-4ca7-9388-7f02039844e7.vbs"
        48⤵
        
        PID:4220
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dac78ee7-7416-4d59-bb85-78845b33ff66.vbs"
        50⤵
        
        PID:2044
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\027004b8-244e-4ff9-98c5-ddc156e2fbe7.vbs"
        52⤵
        
        PID:5764
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73cd9081-dda1-4521-85a6-73f342651567.vbs"
        54⤵
        
        PID:456
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21064ab9-74ea-447e-9c94-626c2d031588.vbs"
        56⤵
        
        PID:5352
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        57⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49f7b7f7-ceb9-4911-986f-840631cd973e.vbs"
        56⤵
        
        PID:4420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7400380-e4a4-4678-b6b7-88941ae76e5a.vbs"
        54⤵
        
        PID:1736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4d6a56b-e321-476a-854f-84a9fbd4a235.vbs"
        52⤵
        
        PID:1748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59e6c674-db35-446f-aa6e-6102b995a0de.vbs"
        50⤵
        
        PID:4468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ccc081f-062f-4bd2-951d-c62c2687e548.vbs"
        48⤵
        
        PID:1856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f5b5b9f0-dfb2-4a5c-91ef-9f9cc09dc5ce.vbs"
        46⤵
        
        PID:5276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65aa3a19-a475-4388-b2bd-230322fb0c8e.vbs"
        44⤵
        
        PID:5864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7230dfe-1489-4288-a2ed-14ce894f8cb2.vbs"
        42⤵
        
        PID:4912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0d75a3a3-e665-4066-81f4-e6f860203815.vbs"
        40⤵
        
        PID:4084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4072df2e-95e3-456d-b40a-41a280f6c1b5.vbs"
        38⤵
        
        PID:1884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5b02c2e-4122-4002-8ecc-cbd56e6a1027.vbs"
        36⤵
        
        PID:948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae3d27e4-b658-45df-8345-a7a24d5eb962.vbs"
        34⤵
        
        PID:4132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ce041bf-50ef-4408-94d8-6263118ffeb0.vbs"
        32⤵
        
        PID:4996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\293e3ed8-d4e5-4b32-bb5f-c69c6a7f7544.vbs"
        30⤵
        
        PID:1176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fdcb17ca-fe7c-42dd-b1d6-f2664b67a109.vbs"
        28⤵
        
        PID:584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d3af96b6-9cd9-4b3c-a755-38f4d0d9fb9c.vbs"
        26⤵
        
        PID:1672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5408292c-6a33-457d-bdc9-a55655867db0.vbs"
        24⤵
        
        PID:1452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b194c5c8-d2d3-4ec6-b553-2fddfc4be94e.vbs"
        22⤵
        
        PID:5400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3dbd9f7c-4e82-4885-a1d4-00e068da8ad6.vbs"
        20⤵
        
        PID:5544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfce6a2c-bf90-4f0d-b360-cb11f90079a2.vbs"
        18⤵
        
        PID:6088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02fc2f9e-2bd9-42c0-94a5-2366c7cf6b71.vbs"
        16⤵
        
        PID:3664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c27b423-33c2-4124-b7ad-71c63c27da9d.vbs"
        14⤵
        
        PID:1084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc3df9dc-65e1-4938-a10a-efe556880967.vbs"
        12⤵
        
        PID:1216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b298de03-01eb-43d7-8ac3-180896416578.vbs"
        10⤵
        
        PID:752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d43de348-2069-47f2-8146-5825719f2b9a.vbs"
        8⤵
        
        PID:3488
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\acc81b33-1f94-4197-af8f-1ca24f0c0843.vbs"
        6⤵
        
        PID:4932
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\46b7d26a-0734-41fe-a4a0-cc84f83370bb.vbs"
      4⤵
      PID:724
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81894983-a75d-4e5c-a08c-f1cda0f7fe95.vbs"
  2⤵
  PID:968

C:\Program Files\VideoLAN\VLC\lua\modules\fontdrvhost.exe
"C:\Program Files\VideoLAN\VLC\lua\modules\fontdrvhost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Users\Public\AccountPictures\taskhostw.exe
C:\Users\Public\AccountPictures\taskhostw.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6132

C:\Program Files\Windows Media Player\es-ES\services.exe
"C:\Program Files\Windows Media Player\es-ES\services.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Program Files (x86)\Windows Defender\ja-JP\Registry.exe
"C:\Program Files (x86)\Windows Defender\ja-JP\Registry.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6008

C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5848
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f560cde5-15d5-4730-a046-76c2a23d68a6.vbs"
  2⤵
  PID:5268
- - C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
    C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4588
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e40cd89-6a0a-4eeb-aa3e-c3e4f7b4f444.vbs"
      4⤵
      PID:1316
    - - C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4824
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0ecb039-c781-4cd6-adb4-d653cdf95699.vbs"
        6⤵
        
        PID:3992
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32c197db-5f31-4b49-9a76-4fdc1469e2e8.vbs"
        8⤵
        
        PID:5976
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96e96376-0de2-49ec-9896-841a7be6dc55.vbs"
        10⤵
        
        PID:4536
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0566415-fcf8-46bd-b825-44eaf0c7f870.vbs"
        12⤵
        
        PID:884
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\089d9dba-e5ca-4b89-b0e0-68640807c2ba.vbs"
        14⤵
        
        PID:4676
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\df831c83-38f0-42b1-88bb-5de841312d90.vbs"
        16⤵
        
        PID:920
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6060be52-b8a4-4e89-94f8-2c6093fd6a9e.vbs"
        18⤵
        
        PID:4500
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5c75752-d65d-4c06-962c-1cd38eaf757c.vbs"
        20⤵
        
        PID:1364
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\869577e5-a535-4e81-bd08-b4b5e87fc998.vbs"
        22⤵
        
        PID:4928
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb6500de-92f8-4380-8ab4-2fc3388eaa43.vbs"
        24⤵
        
        PID:2792
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\24f79c22-a26e-42ec-b31d-9d5a9a835d34.vbs"
        26⤵
        
        PID:2280
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\486ad66d-b832-4cb0-850b-db17b243f623.vbs"
        28⤵
        
        PID:5500
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a1fd4a7-c8cd-4a3c-ae3f-7039368c0a05.vbs"
        30⤵
        
        PID:2232
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\907c0304-89f2-4a36-9185-993ac9bf9716.vbs"
        32⤵
        
        PID:4668
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97a11103-6632-43c4-8cd6-244ece604be7.vbs"
        34⤵
        
        PID:3572
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\304829a6-1b40-42ca-9270-73f923fa7a97.vbs"
        36⤵
        
        PID:5540
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0394f3b-5b8d-4688-b5ee-a2083075e6a8.vbs"
        38⤵
        
        PID:2744
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        39⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2a0532e-e50b-4a40-9d05-082e62a1b9b9.vbs"
        40⤵
        
        PID:5108
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\496947fb-fba5-4ccf-ad60-838157dfa9df.vbs"
        42⤵
        
        PID:3600
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        43⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a88bf66e-92a9-41a2-957e-cdf77be83ee8.vbs"
        44⤵
        
        PID:1220
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        45⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77a7af31-353b-44a8-9a09-226fe2c39b1c.vbs"
        46⤵
        
        PID:1188
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        47⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67a3062f-0093-4faf-8f8e-e8307934edfb.vbs"
        48⤵
        
        PID:2336
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        49⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:3352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8187bc6-46b5-4c6c-8ee5-90766066a4df.vbs"
        50⤵
        
        PID:1836
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        51⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:4924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44c4e2be-95f3-4b14-8113-c78ea83bd886.vbs"
        52⤵
        
        PID:5684
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        53⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:5392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0bcd4f80-a7d8-44e7-baf3-c8f9a05dae43.vbs"
        54⤵
        
        PID:4088
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        55⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:5700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c46aefd-9f19-4f4f-ab81-cb6cb12da300.vbs"
        56⤵
        
        PID:748
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        57⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8831a5d2-685f-43ea-b7dd-d339989a5fb5.vbs"
        58⤵
        
        PID:5508
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        59⤵
        Checks computer location settings
        Modifies registry class
        
        PID:6056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21f96778-0649-4275-8e9c-4778b881c93c.vbs"
        60⤵
        
        PID:4288
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        61⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6f77404-9674-4492-9008-b84aebc1c1db.vbs"
        62⤵
        
        PID:4028
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        
        C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
        63⤵
        
        PID:3472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eae29f5e-7047-447b-8075-f0e872b5b731.vbs"
        62⤵
        
        PID:5048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b131341-4ff9-4927-b37b-6797650cbd3f.vbs"
        60⤵
        
        PID:6136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b4c1479f-fbc4-4013-9159-3234ec4c49c8.vbs"
        58⤵
        
        PID:4752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e70e0ed-c3a8-4c9b-bee7-5201b48117ab.vbs"
        56⤵
        
        PID:4548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25a7a42d-d2ce-4650-b7bf-2bb8ccc87487.vbs"
        54⤵
        
        PID:4904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7ec51926-50fa-48a8-875e-6e72d6504e3c.vbs"
        52⤵
        
        PID:2896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4650fc27-cd82-4800-bdd4-cca8c46f4f9a.vbs"
        50⤵
        
        PID:1560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b6d88d7-6074-432c-9aa5-5a8d2fe7c04b.vbs"
        48⤵
        
        PID:1824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db146fb9-964f-49ed-9cd5-aa3a8dffaacc.vbs"
        46⤵
        
        PID:4820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a68133c-8ef6-4480-a4e3-c690145a7624.vbs"
        44⤵
        
        PID:868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\57fc7773-d6ed-4536-942a-eff89a3acc65.vbs"
        42⤵
        
        PID:2436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b17b9005-72d2-4d36-9d1a-73f37dd8f733.vbs"
        40⤵
        
        PID:976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\180c10c8-1272-4086-9144-8dcb0eb6c722.vbs"
        38⤵
        
        PID:3832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0985046a-9173-4fed-93c8-41d40cf7f756.vbs"
        36⤵
        
        PID:728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c50ea82-079b-4ba6-9104-cb33043020c7.vbs"
        34⤵
        
        PID:824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7cfd8b4-9345-4387-96ef-92c03b94aaa9.vbs"
        32⤵
        
        PID:4628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4881cc6a-b18c-4ead-b0b3-0ead058a865d.vbs"
        30⤵
        
        PID:5016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\140df300-019f-4d88-929d-a41b742b009c.vbs"
        28⤵
        
        PID:4796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d94c7123-99b7-4bda-8b92-157bb74c5800.vbs"
        26⤵
        
        PID:1020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0bf8370-5f25-4822-b308-f47e8e241f2c.vbs"
        24⤵
        
        PID:2412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba72be83-77bc-409d-9b5a-ad5c005ac0e5.vbs"
        22⤵
        
        PID:6044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4824e180-50bc-4691-8923-026cd7a0b354.vbs"
        20⤵
        
        PID:1492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9d5057b-b0ea-4010-bd93-f9eadeead133.vbs"
        18⤵
        
        PID:4804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb35c297-6ddc-4f0b-8cbc-1cd8c6cdf405.vbs"
        16⤵
        
        PID:5460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\385ea857-bd52-4bf5-bcc1-51149741d050.vbs"
        14⤵
        
        PID:5196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\530e74d5-d5e1-4366-97ea-eb642355705e.vbs"
        12⤵
        
        PID:2988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\78cf53a3-16da-423b-88ed-b436c60b5b99.vbs"
        10⤵
        
        PID:1708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96fabce9-ec15-4fbc-9602-8ae639cd8e8d.vbs"
        8⤵
        
        PID:4584
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\894fe04d-a456-4dad-9bba-7162a7c2c547.vbs"
        6⤵
        
        PID:6028
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef68633a-90bf-4348-a489-83f9850ceb06.vbs"
      4⤵
      PID:1588
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd835fc9-8c45-4a15-befa-c6d4cb984126.vbs"
  2⤵
  PID:1756

C:\Program Files\VideoLAN\VLC\lua\modules\fontdrvhost.exe
"C:\Program Files\VideoLAN\VLC\lua\modules\fontdrvhost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Users\Public\AccountPictures\taskhostw.exe
C:\Users\Public\AccountPictures\taskhostw.exe
1⤵
- Executes dropped EXE
PID:2492

C:\Program Files\Windows Media Player\es-ES\services.exe
"C:\Program Files\Windows Media Player\es-ES\services.exe"
1⤵
- Executes dropped EXE
PID:4272

C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe
1⤵
PID:5896

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe

Filesize
1.6MB

MD5
52e4554ec87085ec0d31bca66d35df00

SHA1
3196fc8f3064b5d80cd8829c0b3fd6730b2141c0

SHA256
f99ae4a3786f8c8da71654ddaba30b4791692d795c93ec1f60b0c58f3be43c93

SHA512
04070464d0489ec88509dc767f9c5f0db4dc2e1b3bb06ac3719441a5a923172d9fcac478dfab1b7ad4cdd2bbc0a39f77c6dd0d5d256dfd82d474e74e1b9af899

Download Submit
C:\34c553de294c1d56d0a800105b\RuntimeBroker.exe

Filesize
1.6MB

MD5
e697e36a2463dfd11c8881738a353075

SHA1
9f88ed427b7b17b71a0248b2ad8269a833c7689b

SHA256
c67fdb18e77cfa68ffb5b6c6a16dd4ef9034f73a758232cc813d69ccddd2dbf3

SHA512
0c5fada065b318800101499be9918ee1f5301a57de464a75415dc4802303739ca85fdb895fde5d9f6890151969a4eeaae3e207a2e5dc8b87da4a6a2a1f5960f9

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Extensions\fontdrvhost.exe

Filesize
1.6MB

MD5
1e5612b83ae3f21e0f0ee4b0e7309abe

SHA1
e26b9edd63afdade954484a648eb84233bc84717

SHA256
5e2cb4c0d35340d307bbb99d938f08e446bca87108188fab6832da013d5b0b01

SHA512
645991b7dcb04018e1bbf74c3738ecd9e930c7d452b9f0bd690d575ddd35c5578d9e6415d0d6dccd46a74b19175f705911441eefc6e203c7338060617525392d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c79cf713064165d9921621736789b679

SHA1
4d8b3c69ddab8dd528496de06ce7e6e6c2758389

SHA256
6de25d006efb9912c4460725c3ff494adc8585749971235d743dae6cb568068e

SHA512
22dbec206c054253a245c7eac9cbfa4d62b49a11b02adea88b6dc8e1ee4243d46e8f61efa5374d43260ff686dbd3c769b7e14bbc6d5fb2f8999f258a904a04a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
19c1c95807d53fcb88e1e2289e645f0b

SHA1
832c029a7433b229e66296b6f8a4ba56b0246298

SHA256
73f393ffbdb24758131fa51669790c37ed233802f1ed85f7bdfd058e0b5fb83f

SHA512
f528e937baf51c0b85aa25277bd8d12a10e5f8a78187b32eaaacd0dfceba6f3bf90cf21945e299f52fe1110e48ebabe1a8df868e94a72d8899e7f4f49848aa71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5a933acb47347f3acfbe61dc611837f1

SHA1
0f971f7257c034fa64d9b6bcea2ea6962c48dfb7

SHA256
98f9484f576da87f1a99c6c495e2cd222e139d6867e8409cadde65ccbdb991dd

SHA512
74094c94c5864fbc99cb293d43ecd147686160c32c323ee0e3577e6d1b28b6a68c921cf3711c73c510eea5b6ce0b24268753dfc38b4f67f9a6a238bb4e8bef83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
44ae12563d9f97ac1136baee629673df

SHA1
38790549497302c43bd3ff6c5225e8c7054829e2

SHA256
b09202e29f036511a075523ebcaecef0a43ceeb4f2c8029e5c7931a8e2e72beb

SHA512
07cf8ed791245485aae4ee05cd6b77eb0a36c8a839da6eae1554dc0487559c270241733ae8ed184c8d38a956452a2255169a3adeb40a0da1d9e2e487864a35e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\07728b55-21a7-4391-9b06-50113e443b5b.vbs

Filesize
723B

MD5
745496c4b3f1e4ddf0c5fdf383b27e83

SHA1
96e4cbe8e310a4821c208e11aaee76c2068e6572

SHA256
1deb2ca633151a68a3380f1fc05a169f043e38d8c85c3dfc4e5dd81131f8ca62

SHA512
7d8954e5aa34fbec08046feb500921b6b6da1ea15821fa66d7b8be26bd1abd65726a939c878c253f514d90fe4429f23eb15479265ecc5d73007901525d3be4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\14e49429-c160-4208-ada5-444996284720.vbs

Filesize
723B

MD5
63981e8496a1fbdacb99b1dbf537b095

SHA1
2c8fb10763817f9b955d60a9bcb447d7dd5a9c28

SHA256
b59c896c291a6386766c63ddac390c60e26d93a039bd0802a26dfa31312f989c

SHA512
4adb93541339d3b973ce0480839167dc9bd17424fbf5db050c895890c929c992097a9561d0c92a587e1ff6457b7ff9201a4416cbdae688d0bbcc44eabb9cc013

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f618555-027d-4221-aa7e-15578fb980da.vbs

Filesize
723B

MD5
b360c16c40c490f3eece5e954f79170c

SHA1
416aff5ba43b3fae2c4655cbf8d73a6e20bcc215

SHA256
0582e656dde0c60815beb1c8f1d0ecce40433a073ac94a0bb242ce667a0cfa47

SHA512
234e01a5e5e66620e5c0697f553a15ac6dc54c2323bf949c0bb6fdb5f9a87c6927cee3f2294d26dbd00affa9e9f29c36fddf6c8fa3d77505efc8229de2825661

Download Submit
C:\Users\Admin\AppData\Local\Temp\340b0cb9-c4c2-4250-b3ab-e178ce032037.vbs

Filesize
723B

MD5
32c34a2683d21ad35a4ef5822282f10b

SHA1
2a32210b476eb6975947d827152f86b323d918d1

SHA256
9557b84ea33ac3709a40a8baf1551dd1a178de799b1862d1f8e3fe9e241b4279

SHA512
564a6c066ff02f19622afa001efc26d8f467b36459b88bbe34ed717763576b256601deece04358af4a376f7d6db711f20d271b0e68ebeeb94e0c321b69b3726a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3c4bfcbd-00cc-4b5c-b8d0-1835f29bb167.vbs

Filesize
723B

MD5
3310451ece459fc2034eda0f57b5d9b6

SHA1
18c36e4482a661cc7a1d32770afe96112789fe4e

SHA256
d14933c9478a4dec126b3f7df0fc7aab0c57b7650744b31805ce5831dd835f10

SHA512
3b241faf0cf09e2627a1b7c5f3e1a6fbdca7d330ac1c63f8a5b786b3fa6554543cebf4ccb5927184914a83d51595b9e907a4cd6b7be8a4df2ae4e3c853ce9413

Download Submit
C:\Users\Admin\AppData\Local\Temp\4bebe11a-9ce1-4918-b181-f7a43a10e3b0.vbs

Filesize
723B

MD5
ac2200a06e63b409ea4b6ce887c6d718

SHA1
9cabb74299d7e0bb0f18828a41965439267c6d50

SHA256
bc129ffb6a949cebaf3d570ce8653c6f4fee22fb9ed027393b8817470b21dff1

SHA512
dbb22b66c29cbeeb23d3edbbf57aedf2fe6c1ba45430a31addcc50865cd1c6f9e62a9c53d9b8ed7f6318476f9c56ff522295ab36f44e571ab807d73fb378d6c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\54f412022f053fb088d479752426ea8b7b52e5de.exe

Filesize
1.6MB

MD5
99fd36b31591c1811dc4e8d185995bb0

SHA1
338abdc6922b2a5ff0ff36407099a737fb351929

SHA256
be72a05d531d161328e4af6914c55249c454255af6e1aaffb818af0f8d5917ed

SHA512
cdf67f1221bfce57d0c780fe3bf96ba27fd9dc2766cda2a700890997fea782e7d022684ae4dd7f7a4526324baabd56df0abf0aab4e042216592d916c74306766

Download Submit
C:\Users\Admin\AppData\Local\Temp\67a3062f-0093-4faf-8f8e-e8307934edfb.vbs

Filesize
723B

MD5
19e124dbcdc763382a3e34dee9c89b0b

SHA1
bd38617ba34048b652690fb0684c684bec93d608

SHA256
7b14c8097ef13a8686e70f4764bd45f759641653ec81af79b0da687ee55997fa

SHA512
af2cf1ce1c9e57edf543542e721898f66907ee174cc4ae5399cb4eb0e0e2db8a94ba1910d19f53aa29d0909bcb7ae669574b398f43b77fe03455a7ca02c21244

Download Submit
C:\Users\Admin\AppData\Local\Temp\81894983-a75d-4e5c-a08c-f1cda0f7fe95.vbs

Filesize
499B

MD5
9b339fce59cd559b45c339ec645ff652

SHA1
2063788a8a332b4041e1f78eab23c5914717655c

SHA256
82dd3c1f594a168f13768a3743f7d0914cf2aa6c3989a5c15610f22084b70db1

SHA512
8ebb82c71370a13a42c6953f76253b961589a0d408d64eb58ae0f757f00550746999da56b49d16891a8b8c254997cb9323aa5515fb96d8d6682fa3a8c23235d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\9934ad3c-2865-484c-84f4-462c6c2a1a89.vbs

Filesize
723B

MD5
9effd2159f81fb3b8849e4dd8596e1bf

SHA1
f27475d149eb716b3ca9a1f682c948024cdf02a4

SHA256
eb6c0c8742758134b131a1d3887e7d4a25457cd9c9f4193b5c1a6c0aa0984a9f

SHA512
aa02517dfb44fd3ac7a7fb50369ddb80463093874b322dccd35297b252183c19bd48a1619cd0c5b0caa1250371d7bdf1cb913981e223ba9c8d529ccc94a716b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2bxd52f5.p4c.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a08011c7-feea-45ca-856f-309e1eba1802.vbs

Filesize
723B

MD5
cc94035f54f32850d0e4328941e32a3c

SHA1
7e3686b9bac3c428d6263397c18d17fc79a533ca

SHA256
5d5bbb43ba9350be7c84e3a5352c6ecc063ae8eb9aa50d5825c74b66ed03803c

SHA512
7f6301cedbccb39a6c367df7e8bfed00d8d1bc019f733107f80fe500fba655cc11df6a92258504ad994cddc05f385bff1895dfcbb2ed6cf134942e65f6fbfd2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb9f1532-5d16-47aa-86de-6b2f875005ee.vbs

Filesize
723B

MD5
22efb2ef4850eaad16c3d75ba055882e

SHA1
340129fb640eec8d9a857f16f7ba253360791b82

SHA256
e3a3bc8dccd3be72162cb283355b075555cf2e781f37088b9b5982160bd27279

SHA512
ffb0f6bb585c73df11f385615c0176aa64ca1804f18fc232a6cbf4ef344b66dc4e79045d4a689d6754102805dd48dac370c0cae38d0ae087a51b1a8e8c3bcc1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d243c922-91a8-4b41-89a8-406a802a484e.vbs

Filesize
723B

MD5
03b53a09606bcf254c7098c6a1b473ad

SHA1
845dd47fba613463525243e170ce82e3b5553b33

SHA256
854d9daeb78d30db37498f2df85c154df852a62c25da80acd0ae137d7061101b

SHA512
f58800cea03e9f980a739583dd1d29ca18d74fe6b96edf665717ed692fa169e560348f06b8fb942e64402720609653e1ec452c5923dea9fef1a0934bc6801509

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4489c06-2810-47a4-9378-0edd36b02d23.vbs

Filesize
722B

MD5
ef50d930225a603e0f66cf13f028746a

SHA1
b43ac0ddcdb15c19c53c022704f7070e61f62c8b

SHA256
522e90c5307340f3886465c7d2919aff7da465036c7bf4e625838f10191c662b

SHA512
046e985e41053a3be8753bd09b7765d53785715f0168efddb177e985ddbfa73ce6d410986fa1a3699cc40f8ef4e208b3a3b33da24a10ad60ce71450465970f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef9cdbe5-7252-4605-beff-9043b0e70182.vbs

Filesize
723B

MD5
226bfcaf9facd064c3953e1a5199ebb0

SHA1
e9d104a610bc61818fe0e6eba7a0237a5aedc9bd

SHA256
d1fe653f6f65177f680977ad574b2885af979846d2eeda7980c79b4ffeea5db8

SHA512
3e8327ceda497471908457caeddb44ec959ed6875aacf96fb9f1e883001ae831ca3755d31b2e68258da1f91668405fbceef2f3453594821e8eee9e950493c42a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fb6500de-92f8-4380-8ab4-2fc3388eaa43.vbs

Filesize
723B

MD5
8b70776dab762cc214b73b78277e69aa

SHA1
dd5c6300bd454d6ee450f428b6c8a80eb8260899

SHA256
90d65c89f6deba527c5240cd7ca80877079673ee74f058362b35f1cadf142ae3

SHA512
80160947325cad13067917374980a4ad28e80bfa886c89a1ae33cbaa68396fe67b58deebc0a9c045f8a264cb4a7c167280e83289bbb65f68f171f9acf9174583

Download Submit
C:\Users\Admin\AppData\Local\Temp\roA8lMYOd0.bat

Filesize
193B

MD5
2fe80cab02ec1c059ecf86b98b2fe5a5

SHA1
905f337ccb9cd73ae33c57f89f60ee788023fff0

SHA256
35f951e010b9da4d4b6355bebbf888deb7d1d34cded31dcc42197efb014a382b

SHA512
7988b21cff7a4a8e712746fe92d34c2c7061f314d265ca772de89ebe9dbaea1eb04ac588501a3515249551c5b7174f33966ec4529f9f06b5e2203279246c9dd4

Download Submit
memory/808-155-0x0000023AF3DC0000-0x0000023AF3DE2000-memory.dmp

Filesize
136KB

Download
memory/3260-10-0x000000001C070000-0x000000001C07C000-memory.dmp

Filesize
48KB

Download
memory/3260-8-0x000000001C050000-0x000000001C060000-memory.dmp

Filesize
64KB

Download
memory/3260-169-0x00007FFA83FD0000-0x00007FFA84A91000-memory.dmp

Filesize
10.8MB

Download
memory/3260-17-0x000000001C2D0000-0x000000001C2DC000-memory.dmp

Filesize
48KB

Download
memory/3260-14-0x000000001C2B0000-0x000000001C2B8000-memory.dmp

Filesize
32KB

Download
memory/3260-15-0x000000001C2C0000-0x000000001C2C8000-memory.dmp

Filesize
32KB

Download
memory/3260-16-0x000000001C3D0000-0x000000001C3DA000-memory.dmp

Filesize
40KB

Download
memory/3260-12-0x000000001C290000-0x000000001C29A000-memory.dmp

Filesize
40KB

Download
memory/3260-0-0x00007FFA83FD3000-0x00007FFA83FD5000-memory.dmp

Filesize
8KB

Download
memory/3260-1-0x0000000000C20000-0x0000000000DC2000-memory.dmp

Filesize
1.6MB

Download
memory/3260-6-0x000000001B9D0000-0x000000001B9E6000-memory.dmp

Filesize
88KB

Download
memory/3260-9-0x000000001C060000-0x000000001C068000-memory.dmp

Filesize
32KB

Download
memory/3260-11-0x000000001C080000-0x000000001C08C000-memory.dmp

Filesize
48KB

Download
memory/3260-13-0x000000001C2A0000-0x000000001C2AE000-memory.dmp

Filesize
56KB

Download
memory/3260-7-0x000000001C040000-0x000000001C048000-memory.dmp

Filesize
32KB

Download
memory/3260-5-0x000000001B9C0000-0x000000001B9D0000-memory.dmp

Filesize
64KB

Download
memory/3260-4-0x000000001C090000-0x000000001C0E0000-memory.dmp

Filesize
320KB

Download
memory/3260-3-0x000000001B940000-0x000000001B95C000-memory.dmp

Filesize
112KB

Download
memory/3260-2-0x00007FFA83FD0000-0x00007FFA84A91000-memory.dmp

Filesize
10.8MB

Download
memory/5776-266-0x0000000000C00000-0x0000000000DA2000-memory.dmp

Filesize
1.6MB

Download