Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-12-2024 06:29
Behavioral task: behavioral1
- Sample: RuntimeBroker.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: RuntimeBroker.exe
- Resource: win10v2004-20241007-en
General
- Target: RuntimeBroker.exe
- Size: 3.1MB
- MD5: b77d847b1d41cde07f81168c7addbb10
- SHA1: 2d5c614efdef7ab59fa5fb665d6ed1a79502b97f
- SHA256: 492a651e5ae2020b3b7fd51861adf68402089d050e083c3a9ef1a9866256000c
- SHA512: 6fff7c253c543e370dcb459f0cc66003f57fbc35f40af5744deca97a2c593bf0881f96c845bbc15963e9eb81a652aec78a500ea41f2d1af5fbb5f0ec04c6c9f6
- SSDEEP: 49152:nvelL26AaNeWgPhlmVqvMQ7XSKqaRJ61bR3LoGdEjTHHB72eh2NT:nvOL26AaNeWgPhlmVqkQ7XSKqaRJ6H
Malware Config
Extracted
- Family: quasar
- Version: 1.4.1
- Botnet: RuntimeBroker
- C2: siembonik-44853.portmap.host:44853
- Mutex: df483a08-855b-4bf5-bdcb-174788919889
- encryption_key: A8573AD4438B1D5F6207F7C03CCC7F1E2D4B13DF
- install_name: RuntimeBroker.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: RuntimeBroker
- subdirectory: am1
Signatures
Quasar family
Quasar payload (2 IoCs)
  resource                                                                     yara_rule
  behavioral2/memory/4860-1-0x0000000000BB0000-0x0000000000ED4000-memory.dmp   family_quasar
  behavioral2/files/0x0007000000023cb6-5.dat                                   family_quasar
Checks computer location settings (2 TTPs, 15 IoCs)
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation
  Process: RuntimeBroker.exe (the same query is recorded 15 times)
Executes dropped EXE (15 IoCs)
  RuntimeBroker.exe PIDs: 2492, 3756, 1164, 4872, 2300, 220, 3736, 3204, 4872, 5084, 1988, 5000, 436, 3076, 4436
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 15 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  PING.EXE PIDs: 2860, 4308, 404, 1552, 996, 2700, 2152, 1124, 3456, 5064, 1592, 4932, 2056, 2668, 3172
Runs ping.exe (1 TTP, 15 IoCs)
  PING.EXE PIDs: 2668, 996, 1124, 5064, 1592, 4932, 404, 2152, 3456, 4308, 2700, 3172, 2056, 1552, 2860
Scheduled Task/Job: Scheduled Task (1 TTP, 16 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  schtasks.exe PIDs: 3076, 4292, 2700, 220, 4312, 4600, 3308, 4272, 2532, 5076, 2136, 1320, 4864, 628, 3712, 4432
Suspicious use of AdjustPrivilegeToken (16 IoCs)
  Token: SeDebugPrivilege
  RuntimeBroker.exe PIDs: 4860, 2492, 3756, 1164, 4872, 2300, 220, 3736, 3204, 4872, 5084, 1988, 5000, 436, 3076, 4436
Suspicious use of WriteProcessMemory (64 IoCs)
Every write below is recorded twice in the log; the 32 distinct parent-to-child writes are:
  PID   Process            wrote to memory of   procid_target
  4860  RuntimeBroker.exe  628                  83
  4860  RuntimeBroker.exe  2492                 85
  2492  RuntimeBroker.exe  2700                 86
  2492  RuntimeBroker.exe  404                  88
  404   cmd.exe            3620                 90
  404   cmd.exe            1592                 91
  404   cmd.exe            3756                 101
  3756  RuntimeBroker.exe  220                  105
  3756  RuntimeBroker.exe  4152                 107
  4152  cmd.exe            4480                 109
  4152  cmd.exe            4308                 110
  4152  cmd.exe            1164                 113
  1164  RuntimeBroker.exe  3712                 114
  1164  RuntimeBroker.exe  3296                 117
  3296  cmd.exe            1400                 119
  3296  cmd.exe            4932                 120
  3296  cmd.exe            4872                 124
  4872  RuntimeBroker.exe  4432                 125
  4872  RuntimeBroker.exe  1384                 128
  1384  cmd.exe            2124                 130
  1384  cmd.exe            2700                 131
  1384  cmd.exe            2300                 134
  2300  RuntimeBroker.exe  4312                 135
  2300  RuntimeBroker.exe  2684                 137
  2684  cmd.exe            1592                 140
  2684  cmd.exe            404                  141
  2684  cmd.exe            220                  142
  220   RuntimeBroker.exe  2136                 143
  220   RuntimeBroker.exe  3124                 146
  3124  cmd.exe            4764                 148
  3124  cmd.exe            1552                 149
  3124  cmd.exe            3736                 152
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe (PID 4860)
  command line: "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[depth 2] C:\Windows\SYSTEM32\schtasks.exe (PID 628)
  command line: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 2] C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe (PID 2492)
  command line: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[depth 3] C:\Windows\SYSTEM32\schtasks.exe (PID 2700)
  command line: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 3] C:\Windows\system32\cmd.exe (PID 404)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hcl0c2JzIpbd.bat" "
  - Suspicious use of WriteProcessMemory
[depth 4] C:\Windows\system32\chcp.com (PID 3620)
  command line: chcp 65001
[depth 4] C:\Windows\system32\PING.EXE (PID 1592)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 4] C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe (PID 3756)
  command line: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[depth 5] C:\Windows\SYSTEM32\schtasks.exe (PID 220)
  command line: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 5] C:\Windows\system32\cmd.exe (PID 4152)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1Jc4OE4Ez7G3.bat" "
  - Suspicious use of WriteProcessMemory
[depth 6] C:\Windows\system32\chcp.com (PID 4480)
  command line: chcp 65001
[depth 6] C:\Windows\system32\PING.EXE (PID 4308)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 6] C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe (PID 1164)
  command line: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[depth 7] C:\Windows\SYSTEM32\schtasks.exe (PID 3712)
  command line: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 7] C:\Windows\system32\cmd.exe (PID 3296)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7EKLCHLGyvP7.bat" "
  - Suspicious use of WriteProcessMemory
[depth 8] C:\Windows\system32\chcp.com (PID 1400)
  command line: chcp 65001
[depth 8] C:\Windows\system32\PING.EXE (PID 4932)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 8] C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe (PID 4872)
  command line: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[depth 9] C:\Windows\SYSTEM32\schtasks.exe (PID 4432)
  command line: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 9] C:\Windows\system32\cmd.exe (PID 1384)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\n9SIcI3rfF5v.bat" "
  - Suspicious use of WriteProcessMemory
[depth 10] C:\Windows\system32\chcp.com (PID 2124)
  command line: chcp 65001
[depth 10] C:\Windows\system32\PING.EXE (PID 2700)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 10] C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe (PID 2300)
  command line: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[depth 11] C:\Windows\SYSTEM32\schtasks.exe (PID 4312)
  command line: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 11] C:\Windows\system32\cmd.exe (PID 2684)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GeZtpnEX9w4m.bat" "
  - Suspicious use of WriteProcessMemory
[depth 12] C:\Windows\system32\chcp.com (PID 1592)
  command line: chcp 65001
[depth 12] C:\Windows\system32\PING.EXE (PID 404)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 12] C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe (PID 220)
  command line: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[depth 13] C:\Windows\SYSTEM32\schtasks.exe (PID 2136)
  command line: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 13] C:\Windows\system32\cmd.exe (PID 3124)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aQBSuqOy7cua.bat" "
  - Suspicious use of WriteProcessMemory
[depth 14] C:\Windows\system32\chcp.com (PID 4764)
  command line: chcp 65001
[depth 14] C:\Windows\system32\PING.EXE (PID 1552)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 14] C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe (PID 3736)
  command line: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
[depth 15] C:\Windows\SYSTEM32\schtasks.exe (PID 4272)
  command line: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 15] C:\Windows\system32\cmd.exe (PID 2348)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dYFeA3FEfzKw.bat" "
[depth 16] C:\Windows\system32\chcp.com (PID 4532)
  command line: chcp 65001
[depth 16] C:\Windows\system32\PING.EXE (PID 2152)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 16] C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe (PID 3204)
  command line: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
[depth 17] C:\Windows\SYSTEM32\schtasks.exe (PID 1320)
  command line: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 17] C:\Windows\system32\cmd.exe (PID 1820)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nFsHxgGnD9h5.bat" "
[depth 18] C:\Windows\system32\chcp.com (PID 4884)
  command line: chcp 65001
[depth 18] C:\Windows\system32\PING.EXE (PID 2668)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 18] C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe (PID 4872)
  command line: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
[depth 19] C:\Windows\SYSTEM32\schtasks.exe (PID 3076)
  command line: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 19] C:\Windows\system32\cmd.exe (PID 4464)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4iQoHRGzhjJF.bat" "
[depth 20] C:\Windows\system32\chcp.com (PID 2156)
  command line: chcp 65001
[depth 20] C:\Windows\system32\PING.EXE (PID 996)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 20] C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe (PID 5084)
  command line: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
[depth 21] C:\Windows\SYSTEM32\schtasks.exe (PID 2532)
  command line: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 21] C:\Windows\system32\cmd.exe (PID 4488)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P5UpjWJKGyFW.bat" "
[depth 22] C:\Windows\system32\chcp.com (PID 1908)
  command line: chcp 65001
[depth 22] C:\Windows\system32\PING.EXE (PID 1124)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 22] C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe (PID 1988)
  command line: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
[depth 23] C:\Windows\SYSTEM32\schtasks.exe (PID 5076)
  command line: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 23] C:\Windows\system32\cmd.exe (PID 4968)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5JmnJeyuQxRd.bat" "
[depth 24] C:\Windows\system32\chcp.com (PID 4816)
  command line: chcp 65001
[depth 24] C:\Windows\system32\PING.EXE (PID 2860)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 24] C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe (PID 5000)
  command line: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
[depth 25] C:\Windows\SYSTEM32\schtasks.exe (PID 4600)
  command line: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 25] C:\Windows\system32\cmd.exe (PID 2044)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YnePu7XKmArO.bat" "
[depth 26] C:\Windows\system32\chcp.com (PID 4328)
  command line: chcp 65001
[depth 26] C:\Windows\system32\PING.EXE (PID 3456)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 26] C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe (PID 436)
  command line: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
[depth 27] C:\Windows\SYSTEM32\schtasks.exe (PID 4292)
  command line: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 27] C:\Windows\system32\cmd.exe (PID 4148)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rENUAy4uYWwl.bat" "
[depth 28] C:\Windows\system32\chcp.com (PID 2464)
  command line: chcp 65001
[depth 28] C:\Windows\system32\PING.EXE (PID 3172)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 28] C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe (PID 3076)
  command line: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
[depth 29] C:\Windows\SYSTEM32\schtasks.exe (PID 4864)
  command line: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 29] C:\Windows\system32\cmd.exe (PID 1580)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jxqjpHJBf5kB.bat" "
[depth 30] C:\Windows\system32\chcp.com (PID 4056)
  command line: chcp 65001
[depth 30] C:\Windows\system32\PING.EXE (PID 5064)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
[depth 30] C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe (PID 4436)
  command line: "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
[depth 31] C:\Windows\SYSTEM32\schtasks.exe (PID 3308)
  command line: "schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\am1\RuntimeBroker.exe" /rl HIGHEST /f
  - Scheduled Task/Job: Scheduled Task
[depth 31] C:\Windows\system32\cmd.exe (PID 3708)
  command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zC6gFn275p2m.bat" "
[depth 32] C:\Windows\system32\chcp.com (PID 4412)
  command line: chcp 65001
[depth 32] C:\Windows\system32\PING.EXE (PID 2056)
  command line: ping -n 10 localhost
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads