Analysis
max time kernel: 172s
max time network: 273s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-05-2024 12:21

Behavioral task: behavioral1
Sample: Nursultan client.exe
Resource: win10v2004-20240508-en

General
Target: Nursultan client.exe
Size: 63KB
MD5: fe07501d3d052f3240fa2d9da7c2c82e
SHA1: 5de5b5464823f238a307f275e5b3f76538ed3405
SHA256: 234e2fcf0ebc371b24ab62bba7a3387476c231181b22d501b3fe2540d89764ff
SHA512: d4002ae6fc0fd8bb9476b2689657797f18cc350062da3c66f56d6049cad5dd34949e2d03e6ba180b2dc131792f310f0ac3ab77b8cae479a1f5106a002457d129
SSDEEP: 1536:m3TWTAuDrpLgRpy6oNrkbzNwK4gckS6ImUR7Dq79VkpOuRxDGE:m3TWlcg6ikbzNHKx2PwOaxDGE
Malware Config
Extracted: xworm
Install_directory: %AppData%
install_file: Runtime Broker.exe
pastebin_url: https://pastebin.com/raw/kYPYyCCf
Signatures

Detect Xworm Payload (2 IoCs)
resource | yara_rule
behavioral1/memory/2208-1-0x00000000002B0000-0x00000000002C6000-memory.dmp | family_xworm
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe | family_xworm
Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | process
3160 | powershell.exe
208 | powershell.exe
4652 | powershell.exe
3632 | powershell.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | Nursultan client.exe
Drops startup file (2 IoCs)
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | Nursultan client.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | Nursultan client.exe
Executes dropped EXE (3 IoCs)
pid | process
3924 | Runtime Broker.exe
5004 | Runtime Broker.exe
2004 | Runtime Broker.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Users\\Admin\\AppData\\Roaming\\Runtime Broker.exe" | Nursultan client.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Delays execution with timeout.exe (1 IoCs)
pid | process
3612 | timeout.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies data under HKEY_USERS (2 IoCs)
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133615454195715151" | chrome.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid | process
4652 | powershell.exe (listed twice)
3632 | powershell.exe (listed twice)
3160 | powershell.exe (listed twice)
208 | powershell.exe (listed twice)
3004 | chrome.exe (listed twice)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
pid | process
3004 | chrome.exe (5 identical rows)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | process
Token: SeDebugPrivilege | 2208 | Nursultan client.exe (listed twice)
Token: SeDebugPrivilege | 4652 | powershell.exe
Token: SeDebugPrivilege | 3632 | powershell.exe
Token: SeDebugPrivilege | 3160 | powershell.exe
Token: SeDebugPrivilege | 208 | powershell.exe
Token: SeDebugPrivilege | 3924 | Runtime Broker.exe
Token: SeDebugPrivilege | 5004 | Runtime Broker.exe
Token: SeDebugPrivilege | 2004 | Runtime Broker.exe
Token: SeShutdownPrivilege | 3004 | chrome.exe
Token: SeCreatePagefilePrivilege | 3004 | chrome.exe
(The remaining 55 of the 64 rows alternate between the two chrome.exe rows above.)
Suspicious use of FindShellTrayWindow (27 IoCs)
pid | process
3004 | chrome.exe (27 identical rows)
Suspicious use of SendNotifyMessage (24 IoCs)
pid | process
3004 | chrome.exe (24 identical rows)
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | process | target process
PID 2208 wrote to memory of 4652 | 2208 | Nursultan client.exe | powershell.exe (listed twice)
PID 2208 wrote to memory of 3632 | 2208 | Nursultan client.exe | powershell.exe (listed twice)
PID 2208 wrote to memory of 3160 | 2208 | Nursultan client.exe | powershell.exe (listed twice)
PID 2208 wrote to memory of 208 | 2208 | Nursultan client.exe | powershell.exe (listed twice)
PID 2208 wrote to memory of 4356 | 2208 | Nursultan client.exe | schtasks.exe (listed twice)
PID 3004 wrote to memory of 3920 | 3004 | chrome.exe | chrome.exe (listed twice)
PID 3004 wrote to memory of 4776 | 3004 | chrome.exe | chrome.exe (repeated)
PID 3004 wrote to memory of 2832 | 3004 | chrome.exe | chrome.exe (listed twice)
PID 3004 wrote to memory of 536 | 3004 | chrome.exe | chrome.exe (repeated)
(The 4776 and 536 rows together account for the remaining 50 of the 64 rows.)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(Child processes are indented under their parent.)

Nursultan client.exe (PID 2208)
Image: C:\Users\Admin\AppData\Local\Temp\Nursultan client.exe
Command: "C:\Users\Admin\AppData\Local\Temp\Nursultan client.exe"
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    powershell.exe (PID 4652)
    Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan client.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    powershell.exe (PID 3632)
    Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nursultan client.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    powershell.exe (PID 3160)
    Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Runtime Broker.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    powershell.exe (PID 208)
    Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    schtasks.exe (PID 4356)
    Image: C:\Windows\System32\schtasks.exe
    Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
    - Creates scheduled task(s)

    schtasks.exe (PID 4268)
    Image: C:\Windows\System32\schtasks.exe
    Command: "C:\Windows\System32\schtasks.exe" /delete /f /tn "Runtime Broker"

    cmd.exe (PID 2356)
    Image: C:\Windows\system32\cmd.exe
    Command: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD2B7.tmp.bat""

        timeout.exe (PID 3612)
        Image: C:\Windows\system32\timeout.exe
        Command: timeout 3
        - Delays execution with timeout.exe

Runtime Broker.exe (PID 3924)
Image: C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
Command: "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

Runtime Broker.exe (PID 5004)
Image: C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
Command: "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

chrome.exe (PID 3004)
Image: C:\Program Files\Google\Chrome\Application\chrome.exe
Command: "C:\Program Files\Google\Chrome\Application\chrome.exe"
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

    chrome.exe (PID 3920)
    Image: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xbc,0x128,0x7ffd4b5dab58,0x7ffd4b5dab68,0x7ffd4b5dab78

    chrome.exe (PID 4776)
    Image: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:2

    chrome.exe (PID 2832)
    Image: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:8

    chrome.exe (PID 536)
    Image: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2300 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:8

    chrome.exe (PID 2084)
    Image: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3092 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:1

    chrome.exe (PID 4832)
    Image: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3112 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:1

    chrome.exe (PID 3568)
    Image: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3948 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:1

    chrome.exe (PID 2072)
    Image: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4336 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:8

    chrome.exe (PID 1944)
    Image: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4612 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:8

    chrome.exe (PID 1268)
    Image: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:8

    chrome.exe (PID 4784)
    Image: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4640 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:8

    chrome.exe (PID 4212)
    Image: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:8

    chrome.exe (PID 1084)
    Image: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4152 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:1

    chrome.exe (PID 2868)
    Image: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:8

    chrome.exe (PID 3244)
    Image: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:8

    chrome.exe (PID 4804)
    Image: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:8

    chrome.exe (PID 3428)
    Image: C:\Program Files\Google\Chrome\Application\chrome.exe
    Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2440 --field-trial-handle=1988,i,14448444739610129621,9129232646004709726,131072 /prefetch:1

elevation_service.exe (PID 5112)
Image: C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Command: "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

Runtime Broker.exe (PID 2004)
Image: C:\Users\Admin\AppData\Roaming\Runtime Broker.exe
Command: "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads